commit 7169f55ac28e24dc24f8f45cdfcc87b262f163d3
parent 794568f15551270dbee810c3bebb74423ddf7480
Author: Joris Vink <joris@coders.se>
Date: Tue, 2 Feb 2021 10:42:10 +0100
Add client authentication
Diffstat:
2 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -11,6 +11,7 @@
* [Routes](applications/routes.md)
* [Filemaps](applications/filemap.md)
* [Automatic HTTPs](applications/acme.md)
+ * [Client authentication](applications/clientauth.md)
* [API](api/README.md)
* [Buffers](api/buffers.md)
* [Curl](api/curl.md)
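Review bot: the new SUMMARY.md entry is labelled "Client authentication" while the page it links to is headed "# Client Authentication"; use one casing so the navigation label matches the page title.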
diff --git a/applications/clientauth.md b/applications/clientauth.md
@@ -0,0 +1,42 @@
+# Client Authentication
+
+Kore supports client authentication if turned on for a given domain.
+
+If turned on Kore will request an X509 certificate from the client
+and verify it against the configured list of trusted certificate authorities.
+
+## Enabling client authentication (via config)
+
+In order to turn on client authentication add the **client_verify** and
+**client_verify_depth** configuration directives to the domain you wish
+to enable it on.
+
+```
+domain needsauth.example.com {
+ certfile cert/example.com/server.pem
+ certkey cert/example.com/key.pem
+
+ # Bundle of trusted certificate authorities and an optional CRL
+ client_verify cert/cabundle.pem cert/crloptional.pem
+
+ # The verification depth
+ client_verify_depth 1
+}
+```
+
+## Enabling client authentication (via Python API)
+
+You can enable client authentication via the Python API as well by
+passing the **client_verify** and **verify_depth** keyword to the domain setup.
+
+```
+dom = kore.domain("needsauth.example.com",
+ attach="server",
+ cert="cert/example.com/server.pem",
+ key="cert/example.com/key.pem",
+ client_verify="cert/cabundle.pem",
+ verify_depth=1
+)
+```
+
+You currently cannot set CRLs via the Python API.
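Review bot: the closing line "You currently cannot set CRLs via the Python API." is a security-relevant limitation that is easy to miss at the bottom of the page. A domain set up with the Python example has no revocation list configured, so state this directly under the Python heading and point readers who need revocation to the config-file form, where client_verify takes the optional CRL as its second argument. The page also does not say what happens when a client presents no certificate or one that fails verification, nor what a depth of 1 permits. A reader needs both to judge whether client_verify alone is enough to protect a domain. In the Python section, "keyword" should be "keywords", and a sentence noting that the config directive is client_verify_depth while the Python keyword is verify_depth would stop the difference from reading as a typo.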