
Using HTTP header to transmit client certificate for mTLS

Çağlar Arlı


My client says their API traffic must take the path WAF -> Custom Firewall -> Backend API. Also, mTLS must be terminated after the traffic has gone through the network appliance.

I have created an Envoy proxy that can perform mTLS behind the network appliance. That traffic takes the path GCP External Network Load Balancer -> Network Appliance -> GCP Internal Network Load Balancer -> Envoy (mTLS) -> Backend API. This works as expected when I call the endpoint using more traditional methods (not using an HTTP header).

However, the WAF can only send client certificate information in an HTTP header. I do not believe I can configure Envoy to work that way. I have looked at other tools such as Nginx, Apache, Netty, but that doesn't look very promising to me at this point either. From what I can tell, those tools expect you to provide the path to the server private key, server public cert, and client certs to trust (typically in PEM format). Those tools use that configuration to perform the SSL/TLS handshake process under the hood.

I have implemented mTLS many times before, but I've never been asked to use client certificate information from an HTTP header to do it. This feels atypical to me, and I'm not even sure this is a secure approach.

I'm wondering:

  • Is using a client cert in an HTTP header a viable and secure approach for implementing mTLS?
  • If yes, do you have any recommendations on a tool/config that can accomplish this?

Thanks in advance for any guidance.
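As an added example (not from the original post, and not the configuration of any of the tools named in it), the checks a backend behind such a WAF would have to perform on a header-delivered client certificate before treating it as an authenticated identity: the header is accepted only when the request arrives from the trusted upstream hop and is ignored otherwise, and the certificate is then verified against the client CA with the client-auth extended key usage and validity period enforced, the same checks a TLS handshake performs. The header name `X-Client-Cert`, the URL-encoded-PEM encoding, the `10.0.0.0/8` trusted source range and every certificate used are constructed assumptions; the block generates its own throwaway CA, a leaf it signed and a self-signed rogue leaf so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Assumed header name and encoding: the WAF forwards the client's leaf certificate
// as URL-encoded PEM in this header (hypothetical, not any product's documented name).
const certHeader = "X-Client-Cert"

// Only these source networks may assert a client identity via the header.
// Placeholder range; a real deployment lists the appliance's egress addresses.
var TrustedProxies = []*net.IPNet{mustCIDR("10.0.0.0/8")}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// ClientCertFromHeader accepts the header only from a trusted hop, then validates
// the certificate against the client CA exactly as a TLS handshake would.
func ClientCertFromHeader(r *http.Request, roots *x509.CertPool) (*x509.Certificate, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return nil, fmt.Errorf("bad remote address: %w", err)
	}
	ip := net.ParseIP(host)
	trusted := false
	for _, n := range TrustedProxies {
		if ip != nil && n.Contains(ip) {
			trusted = true
			break
		}
	}
	if !trusted {
		// From any other source the header is caller-controlled; never honour it.
		return nil, errors.New("client cert header from untrusted source")
	}
	raw, err := url.QueryUnescape(r.Header.Get(certHeader))
	if err != nil || raw == "" {
		return nil, errors.New("missing or malformed client cert header")
	}
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("header does not carry a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	// Chain to the client CA, require client-auth EKU, and check validity dates.
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, fmt.Errorf("chain validation failed: %w", err)
	}
	return cert, nil
}

// newCert signs tmpl with parentKey; with a nil parentKey the certificate is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func toPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// Fixtures holds the constructed trust material used by the demo.
type Fixtures struct {
	Roots               *x509.CertPool
	ClientPEM, RoguePEM string
}

// BuildFixtures constructs a throwaway client CA, a leaf it signed, and a
// self-signed "rogue" leaf that must never be accepted.
func BuildFixtures() (*Fixtures, error) {
	now := time.Now()
	leaf := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
	}
	caTmpl := leaf("Example Client CA", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey, err := newCert(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, err
	}
	client, _, err := newCert(leaf("api-client", 2), ca, caKey)
	if err != nil {
		return nil, err
	}
	rogueTmpl := leaf("rogue", 3)
	rogue, _, err := newCert(rogueTmpl, rogueTmpl, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Fixtures{Roots: roots, ClientPEM: toPEM(client), RoguePEM: toPEM(rogue)}, nil
}

// Evaluate runs the cases a deployment must get right and reports which were accepted.
func Evaluate(fx *Fixtures) map[string]bool {
	try := func(remote, certPEM string) bool {
		r := httptest.NewRequest("GET", "/api", nil)
		r.RemoteAddr = remote
		if certPEM != "" {
			r.Header.Set(certHeader, url.QueryEscape(certPEM))
		}
		_, err := ClientCertFromHeader(r, fx.Roots)
		return err == nil
	}
	return map[string]bool{
		"valid cert, trusted proxy":    try("10.1.2.3:45000", fx.ClientPEM),
		"valid cert, untrusted source": try("203.0.113.9:45000", fx.ClientPEM),
		"rogue cert, trusted proxy":    try("10.1.2.3:45000", fx.RoguePEM),
		"no header, trusted proxy":     try("10.1.2.3:45000", ""),
	}
}

func main() {
	fx, err := BuildFixtures()
	if err != nil {
		panic(err)
	}
	for name, accepted := range Evaluate(fx) {
		fmt.Printf("%-30s accepted=%v\n", name, accepted)
	}
}
```

The source-address check is the part that decides whether the whole scheme is safe: the header is a bearer assertion, so it is only as trustworthy as the path it travelled. If anything other than the WAF can reach the backend (or the WAF does not strip a client-supplied copy of the header before adding its own), any caller can claim any identity regardless of how carefully the certificate itself is verified. The chain check alone also proves only that the WAF saw a certificate issued by the client CA, not that the original client held the matching private key; that proof exists only at the hop that actually completed the TLS handshake. Envoy's `x-forwarded-client-cert` header carries the same kind of information (a URL-encoded PEM `Cert` element among others), and the same two conditions apply to it.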