Client TLS authentication¶
Client TLS authentication filter architecture overview
This filter should be configured with the name envoy.filters.network.client_ssl_auth.
Statistics¶
Every configured client TLS authentication filter has statistics rooted at auth.clientssl.<stat_prefix>. with the following statistics:
Name |
Type |
Description |
---|---|---|
update_success |
Counter |
Total principal update successes |
update_failure |
Counter |
Total principal update failures |
auth_no_ssl |
Counter |
Total connections ignored due to no TLS |
auth_ip_allowlist |
Counter |
Total connections allowed due to the IP allowlist |
auth_digest_match |
Counter |
Total connections allowed due to certificate match |
auth_digest_no_match |
Counter |
Total connections denied due to no certificate match |
total_principals |
Gauge |
Total loaded principals |
REST API¶
-
GET
/v1/certs/list/approved
¶ The authentication filter will call this API every refresh interval to fetch the current list of approved certificates/principals. The expected JSON response looks like:
{ "certificates": [] }
- certificates
(required, array) list of approved certificates/principals.
Each certificate object is defined as:
{ "fingerprint_sha256": "...", }
- fingerprint_sha256
(required, string) The SHA256 hash of the approved client certificate. Envoy will match this hash to the presented client certificate to determine whether there is a digest match.