Client TLS authentication


Every configured client TLS authentication filter has statistics rooted at auth.clientssl.<stat_prefix>. with the following statistics:

Name Type Description
update_success Counter Total principal update successes
update_failure Counter Total principal update failures
auth_no_ssl Counter Total connections ignored due to no TLS
auth_ip_white_list Counter Total connections allowed due to the IP white list
auth_digest_match Counter Total connections allowed due to certificate match
auth_digest_no_match Counter Total connections denied due to no certificate match
total_principals Gauge Total loaded principals


GET /v1/certs/list/approved

The authentication filter will call this API every refresh interval to fetch the current list of approved certificates/principals. The expected JSON response looks like:

  "certificates": []
(required, array) list of approved certificates/principals.

Each certificate object is defined as:

  "fingerprint_sha256": "...",
(required, string) The SHA256 hash of the approved client certificate. Envoy will match this hash to the presented client certificate to determine whether there is a digest match.