Add missing feature for mTLS (for everything or specific paths)

[savar]

I have the problem right now, that I need to be able to secure a specific path/endpoint with an mTLS certificate.

It would be nice if kamal-proxy would support something like that.

Not sure where/how to put the config though.

Maybe within the host/hosts setting or a new one like:

mTLS:
  - hosts: # optional, if left out, apply for all hosts specified in the 'host/hosts' section which already exists
      - foo.example.com
    path: # optional, if left out, apply to all path's for 'hosts'
      - type: exact # can also be 'prefix' or 'regex'
        pattern: /webhooks/callback
    certificate: |
       .... certificate ...

As it is possible in this example to match stuff multiple times, the logic would be: first match wins.

Disclaimer: I am not sure if there are things in kamal-proxy I just don't know about or not well enough (like roles or other features) which would not fit well with this approach, but as I tried to stick to the host/hosts feature, I hope it somehow would fit/work.

[savar]

I just realized that I just assumed a lot about how mTLS works.. so it might not be usable the way I was thinking but looking at https://smallstep.com/hello-mtls/doc/server/nginx as an example, it could work like that (giving 403 back if the configured path doesn't allow a non-authorized access).

Maybe it is not possible to have multiple certificates per host, so that might be a limitation which needs to come in as well.

[djmb]

The server doesn't know what the path is until after TLS negotiation has completed, so you can't serve different certs on different paths.

There is an issue at #1377 for allow custom certs, but there can only be one per host.

[savar]

Sorry, but why do you close this? The other ticket is about custom certificates to serve but mine is about the kamal proxy validating the _incoming_ certificate of someone so that you can ensure that the "connecting" client is valid. And yes, you can check this "afterwards" depending on the path as this is not required to be valid for the initial SSL setup if you don't enforce it. Am 21. April 2025 14:00:04 UTC schrieb Donal McBreen ***@***.***>:

…

djmb left a comment (basecamp/kamal#1484) The server doesn't know what the path is until after TLS negotiation has completed, so you can't serve different certs on different paths. There is an issue at #1377 for allow custom certs, but there can only be one per host. -- Reply to this email directly or view it on GitHub: #1484 (comment) You are receiving this because you authored the thread. Message ID: ***@***.***>

[djmb]

Ah sorry I misunderstood!

But I don't know if we'd want to add support for this.

In any case its best to create an issue on the kamal-proxy repo as that's where it would be implemented, if we did then we can update Kamal after to supply the config to the proxy.