[PR #26] [MERGED] Feat: mTLS support #83

Closed
opened 2025-11-19 07:13:32 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fosrl/newt/pull/26
Author: @progressive-kiwi
Created: 3/30/2025
Status: Merged
Merged: 4/3/2025
Merged by: @oschwartz10612

Base: dev ← Head: feat-mtls-support


📝 Commits (7)

  • 623be5e Merge pull request #20 from fosrl/dev
  • f4e17a4 Merge pull request #22 from fosrl/dev
  • 2ff8df9 Merge branch 'dev'
  • 9b3c826 feat/mtls-support
  • 435b638 feat/mtls-support-cert-script
  • b41570e feat/mtls-support-cert: config support
  • d28e3ca feat/mtls-support-cert: doc update, removing config.Endpoint loading duplicates, handling null-pointer case and some logging

📊 Changes

9 files changed (+290 additions, -31 deletions)


📝 .gitignore (+4 -1)
📝 README.md (+35 -2)
📝 go.mod (+1 -0)
📝 go.sum (+2 -0)
📝 main.go (+25 -13)
➕ self-signed-certs-for-mtls.sh (+125 -0)
📝 websocket/client.go (+90 -11)
📝 websocket/config.go (+3 -0)
📝 websocket/types.go (+5 -4)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This PR adds basic support for connecting to servers requiring a client certificate, aka mTLS.
Some restrictions for now (all documented):

  • only p12 and pfx formats
  • key, cert and ca cert must all be present
  • encryption is NOT supported (because I couldn't find a Go module to decrypt all formats without weird error messages that'd be difficult to debug for the end user)

How to test?

I am planning on a PR against the pangolin repo too with similar contents, but first, newt :)
(This was tested only on macOS so far)

Positive test

  1. Have a pangolin deployment
  2. Generate custom certs. If you want an example, check self-signed-certs-for-mtls.sh
  3. Modify a pangolin server's Traefik dynamic_config.yaml by adding the following

     ```yaml
     http:
       routers:
         next-router:
           # ...
           tls:
             certResolver: letsencrypt
             options: mtlsConfig
         api-router:
           # ...
           tls:
             certResolver: letsencrypt
             options: mtlsConfig
         ws-router:
           # ...
           tls:
             certResolver: letsencrypt
             options: mtlsConfig

     tls:
       options:
           mtlsConfig:
               clientAuth:
                   clientAuthType: RequireAndVerifyClientCert
                   caFiles:
                       - |
                           -----BEGIN CERTIFICATE-----
                           .... <content of the ca.cert>
                           -----END CERTIFICATE-----
     ```

  4. Add the generated client cert, e.g. alice-at-example-com.eng.12, to your client
     • On a mac
       1. Double click, import to KeyChain, using the password. (You could also just import the non-encrypted version)
       2. Right click the imported item, Get Info
       3. Open Trust
       4. Set SSL to Always Trust
     • (Sorry, haven't tested this on Linux or Windows, so can't describe)
  5. Visit your admin pangolin portal using a browser supporting mTLS, and select the proposed cert.
  6. Create a new Site, and copy the newt cli command
  7. Start newt with the copied command, with the extra arg: --tls-client-cert=./certs/clients/alice-at-example-com.p12
  8. Verify both in terminal and in pangolin admin that the site is connected

Negative test

  1. Same as above but run newt without the --tls-client-cert=... arg.
  2. Verify error in terminal, explaining TLS connectivity issue.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
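Added example, not part of the PR or of newt's code: a stand-alone Go program that reproduces the positive and negative tests described above in-process, using only the standard library. The server sets tls.RequireAndVerifyClientCert, the Go counterpart of the Traefik clientAuthType above, with the client CA as its ClientCAs. The hypothetical issueCert helper mints an in-memory CA and client certificate in place of the files self-signed-certs-for-mtls.sh would write, and clientTLSConfig stands in for newt's --tls-client-cert handling (it enforces the same "key, cert and ca cert must all be present" rule but skips the PKCS#12 decoding the PR performs). The server certificate is httptest's built-in localhost certificate, which the client trusts explicitly; the CN alice@example.com is a constructed sample value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert is a hypothetical helper standing in for the PR's self-signed-certs-for-mtls.sh:
// with parent == nil it mints a self-signed CA, otherwise a leaf signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, priv // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// clientTLSConfig plays the part of newt's --tls-client-cert handling; like the PR it
// refuses to proceed unless key, cert and CA cert are all present.
func clientTLSConfig(serverCA, cert *x509.Certificate, key ed25519.PrivateKey) (*tls.Config, error) {
	if serverCA == nil || cert == nil || key == nil {
		return nil, fmt.Errorf("mTLS: key, cert and ca cert must all be present")
	}
	roots := x509.NewCertPool()
	roots.AddCert(serverCA)
	return &tls.Config{
		RootCAs:      roots,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	}, nil
}

func get(url string, cfg *tls.Config) (string, error) {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo runs the PR's positive and negative tests; rejected reports whether the no-cert attempt was refused.
func demo() (body string, rejected bool, err error) {
	ca, caKey, err := issueCert("Example Client CA", nil, nil)
	if err != nil {
		return "", false, err
	}
	leaf, leafKey, err := issueCert("alice@example.com", ca, caKey)
	if err != nil {
		return "", false, err
	}
	// Server side: the Go equivalent of Traefik's clientAuthType: RequireAndVerifyClientCert.
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName) // verified identity
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	cfg, err := clientTLSConfig(srv.Certificate(), leaf, leafKey)
	if err != nil {
		return "", false, err
	}
	if body, err = get(srv.URL, cfg); err != nil {
		return "", false, err
	}
	_, negErr := get(srv.URL, &tls.Config{RootCAs: cfg.RootCAs}) // same trust, no client cert
	return body, negErr != nil, nil
}

func main() { fmt.Println(demo()) }
```

Running it with go run prints the positive response (the server echoes the CN it verified, so the identity is only available after the handshake succeeded) followed by true for the negative test. The negative attempt fails at the TLS layer before any HTTP request is processed, which is the same class of "TLS connectivity" error the PR expects newt to report when --tls-client-cert is omitted.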

GiteaMirror added the pull-request label 2025-11-19 07:13:32 -06:00
Reference: github-starred/newt#83