Can we configure northbound mutual TLS for a specific Microgateway proxy?

For Microgateway, I'm assuming that using the following config we can configure mutual TLS and require a client certificate for northbound calls for all MG proxies on the MG instance:

    key: <absolute path to the SSL key file>
    cert: <absolute path to the SSL cert file>
    passphrase: admin123
    rejectUnauthorized: true
    requestCert: true
    ca: <absolute path to the file containing a list of trusted certificates in PEM format>

However, it would be great if we could specify mutual TLS only for specific proxies like this!

  - edgemicro_proxy-1
        requestCert: true
        ca: <absolute path to the file containing a list of trusted certificates in PEM format>

Technically this posting isn't a question, so let's make one out of it: is it possible to do this?


Former Community Member
@Robert Johnson

I think this feature is not possible to implement. TLS negotiation happens much earlier than proxies and basePaths are evaluated. I suspect even HTTP servers like nginx will force you to create different ports for mTLS vs. TLS.

I also ran into this issue. I came up with a couple of solutions:

  • Option 1: You can spawn multiple EMG instances with different configuration files that include proxy filters and mTLS settings.
  • Option 2: You can enable SNI in EMG by modifying the gateway source code a little bit. Exactly here. Your changes should look similar to this (also include the requestCert and rejectUnauthorized flags). Then, you can create (or modify) a plugin so that it validates the incoming client CN and Host header and then "allows" the transaction depending on a configuration map (e.g. edgemicro_petstore_v1;safe_client_1,safe_client_2).

Option 2 resembles vhosts on Edge a little bit. It's not really advisable to modify the source code; however, it was fun to play around with it.
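As an added example (not code from this thread or from Apigee Microgateway itself), here is what the plugin half of Option 2 could look like when mTLS is already enabled instance-wide with the config from the question. With requestCert and rejectUnauthorized set at the gateway level, the TLS layer has already verified the client chain for every proxy; the plugin then only decides which verified client CNs may reach which proxy, so no per-proxy TLS endpoint and no source modification is needed for that part. Assumptions: the Microgateway plugin shape init(config, logger, stats) returning an onrequest(req, res, next) handler, res.proxy.name carrying the matched proxy name, config.allowMap carrying the map text in the "proxy;cn1,cn2" form the answer describes, and that passing an error to next() stops the plugin chain; the proxy and CN values are constructed.

```javascript
'use strict';

// Hypothetical Microgateway plugin: per-proxy client-certificate allow-list.
// Assumes mTLS is enabled instance-wide (requestCert / rejectUnauthorized in
// the edgemicro ssl config), so chain validation already happened at the TLS
// layer. This plugin only authorizes verified client CNs per proxy.

// Constructed allow-map text, one "<proxy name>;<cn>,<cn>" entry per line.
const EXAMPLE_MAP = [
  '# proxy;allowed client CNs',
  'edgemicro_petstore_v1;safe_client_1,safe_client_2',
  'edgemicro_proxy-1;partner_gateway',
].join('\n');

// Parse the map text into { proxyName: Set of allowed CNs }.
function parseAllowMap(text) {
  const map = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [proxy, cns = ''] = line.split(';');
    const name = proxy.trim();
    if (!name) continue;
    map[name] = new Set(cns.split(',').map((s) => s.trim()).filter(Boolean));
  }
  return map;
}

// Proxies absent from the map are not restricted further: they keep whatever
// the instance-wide TLS policy already decided. Restricted proxies require a
// verified CN that is on their list.
function isClientAllowed(allowMap, proxyName, cn) {
  const allowed = allowMap[proxyName];
  if (!allowed) return true;
  if (!cn) return false;
  return allowed.has(cn);
}

// Read the CN from the peer certificate on the request socket, but only when
// the TLS layer marked the socket as verified (socket.authorized). With
// rejectUnauthorized: true that is always the case; the check is defense in
// depth for deployments that relax it.
function peerCommonName(req) {
  const sock = req && req.socket;
  if (!sock || !sock.authorized) return null;
  const cert = typeof sock.getPeerCertificate === 'function' ? sock.getPeerCertificate() : null;
  return cert && cert.subject && cert.subject.CN ? cert.subject.CN : null;
}

// Plugin entry point in the assumed init(config, logger, stats) shape.
// res.proxy.name is assumed to hold the proxy Microgateway matched.
function init(config, logger) {
  const allowMap = parseAllowMap((config && config.allowMap) || EXAMPLE_MAP);
  return {
    onrequest(req, res, next) {
      const proxyName = res && res.proxy ? res.proxy.name : undefined;
      const cn = peerCommonName(req);
      if (isClientAllowed(allowMap, proxyName, cn)) return next();
      if (logger && typeof logger.warn === 'function') {
        logger.warn({ proxyName, cn }, 'client certificate not allowed for proxy');
      }
      res.statusCode = 403;
      res.end('Forbidden');
      // Assumption: an error passed to next() stops the remaining plugins.
      return next(new Error('client certificate not allowed for proxy ' + proxyName));
    },
  };
}

if (typeof module !== 'undefined') {
  module.exports = { init, parseAllowMap, isClientAllowed, peerCommonName, EXAMPLE_MAP };
}
```

Unrestricted proxies fall through untouched, so the map only needs entries for the proxies that are meant to be locked down, which mirrors the per-proxy requestCert block the question asked for, just enforced one layer up from TLS.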