Simple HTTP reverse proxy with support for mTLS connection.
Useful when your backend server requires TLS client certificates and your clients don't. This application can be used to close this gap.
Built and ready to use container image is available for amd64, arm64 and arm architectures:
ghcr.io/eplightning/mtls-proxy:v0.2
mtls-proxy has several configuration options that can be specified using environment variables.
The only required environment variable is TARGET_URL, used to specify URL of backend server where the proxied requests should be forwarded to.
By default, mtls-proxy will listen on HTTP connections on port 8080.
X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto headers will be set. X-Forwarded-For will be appended if it exists.
Host header will be set to TARGET_URL host.
TLS connections to backend server will be verified using system's root certificate pool.
LISTEN_ADDRESS - listening address (default :8080)
TARGET_URL - URL of backend server where the proxied requests should be forwarded to (required)
SET_FORWARDED_FOR - set X-Forwarded-For headers [true|false|1|0] (default true)
FORWARD_HOST - use original request's Host (takes precedence over OVERRIDE_HOST) [true|false|1|0] (default false)
OVERRIDE_HOST - Host header value to use (default none)
EXTRA_HEADERS - Additional headers to set in format HeaderName:HeaderValue separated by new lines (\n) (default none)
DISABLE_HTTP2 - Disable HTTP/2 support when using server TLS [true|false|1|0] (default false)
TLS_SERVER_NAME - Override TLS server name used for validation (default none)
TLS_SKIP_VERIFY - Don't verify server certificates [true|false|1|0] (default false)
TLS_SERVER_CA_PATH - Path to custom CA bundle to use for server certificate validation (default none)
TLS_CLIENT_CERT_PATH - Path to client certificate PEM to use (default none)
TLS_CLIENT_KEY_PATH - Path to client key PEM to use (default none)
TLS_LISTEN_CERT_PATH - Path to server certificate PEM to use (default none)
TLS_LISTEN_KEY_PATH - Path to server key PEM to use (default none)
Note that both TLS_CLIENT_CERT_PATH and TLS_CLIENT_KEY_PATH need to be specified in order to client certificate to be presented.
Files specified via TLS_CLIENT_CERT_PATH, TLS_CLIENT_KEY_PATH, TLS_LISTEN_CERT_PATH and TLS_LISTEN_KEY_PATH will be reloaded every 5 minutes.
At the moment TLS_SERVER_CA_PATH is only loaded once at the application start.