Client TLS authentication

  • Client TLS authentication filter architecture overview

  • This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.network.client_ssl_auth.v3.ClientSSLAuth.

  • v3 API reference

Statistics

Every configured client TLS authentication filter has statistics rooted at auth.clientssl.<stat_prefix>. with the following statistics:

Name                   Type     Description
update_success         Counter  Total principal update successes
update_failure         Counter  Total principal update failures
auth_no_ssl            Counter  Total connections ignored due to no TLS
auth_ip_allowlist      Counter  Total connections allowed due to the IP allowlist
auth_digest_match      Counter  Total connections allowed due to certificate match
auth_digest_no_match   Counter  Total connections denied due to no certificate match
total_principals       Gauge    Total loaded principals

REST API

GET /v1/certs/list/approved

The authentication filter will call this API every refresh interval to fetch the current list of approved certificates/principals. The expected JSON response looks like:

{
  "certificates": []
}

certificates

(required, array) list of approved certificates/principals.

Each certificate object is defined as:

{
  "fingerprint_sha256": "..."
}

fingerprint_sha256

(required, string) The SHA256 hash of the approved client certificate. Envoy will match this hash to the presented client certificate to determine whether there is a digest match.
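As an added example (not code from the Envoy docs or source), the following Python models one poll of the approved list and the per-connection decision that the statistics above count. It assumes `fingerprint_sha256` is the lowercase hex SHA-256 of the DER-encoded certificate (what `openssl x509 -fingerprint -sha256` prints with the colons removed) and, as a convenience, normalizes colon-separated or uppercase hex; the certificate bytes and response body are constructed.

```python
from __future__ import annotations
import hashlib
import json
from ipaddress import ip_address, ip_network

# Constructed stand-in for a DER-encoded client certificate (not a real X.509 blob).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def fingerprint_sha256(cert_der: bytes) -> str:
    # Lowercase hex SHA-256 over the DER bytes: the value `openssl x509 -fingerprint -sha256`
    # prints once the colons are removed (assumed to be what the approved list carries).
    return hashlib.sha256(cert_der).hexdigest()


def load_approved(body: str) -> set[str]:
    # Parse a /v1/certs/list/approved response body. Any malformed body raises, so the poller
    # can count update_failure and keep the previously loaded principals instead of silently
    # replacing them with an empty set (which would deny every certificate-authenticated client).
    doc = json.loads(body)
    certs = doc["certificates"]
    if not isinstance(certs, list):
        raise ValueError('"certificates" must be an array')
    approved: set[str] = set()
    for cert in certs:
        fp = cert["fingerprint_sha256"]
        if not isinstance(fp, str) or not fp:
            raise ValueError('"fingerprint_sha256" must be a non-empty string')
        # Assumption: tolerate colon-separated or uppercase hex by normalizing it.
        approved.add(fp.replace(":", "").lower())
    return approved


def refresh(current: set[str], body: str) -> tuple[set[str], str]:
    # One refresh-interval poll: a valid body replaces the principal set (total_principals
    # becomes len(result)); an invalid one keeps the old set and counts update_failure.
    try:
        return load_approved(body), "update_success"
    except (ValueError, KeyError, TypeError):
        return current, "update_failure"


def decide(approved: set[str], peer_cert_der, remote_ip: str, ip_allowlist) -> tuple[str, bool]:
    # Returns (stat incremented, connection allowed). A non-TLS connection is ignored, i.e.
    # passed through unchecked, so TLS itself must be required elsewhere; an allowlisted IP
    # skips the digest check; otherwise the fingerprint comparison decides.
    if peer_cert_der is None:
        return "auth_no_ssl", True
    addr = ip_address(remote_ip)
    if any(addr in ip_network(cidr) for cidr in ip_allowlist):
        return "auth_ip_allowlist", True
    if fingerprint_sha256(peer_cert_der) in approved:
        return "auth_digest_match", True
    return "auth_digest_no_match", False
```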