mTLS support

[danhusan]

Requesting mTLS support to be able to do seamless client authentication.

Example (with CF): https://kcore.org/2024/06/28/using-cloudflare-zerotrust-and-mtls-with-home-assistant-via-the-internet/

[e-minguez]

perhaps via https://plugins.traefik.io/plugins/6637c92c3f17a1aeb061e27e/mtls-or-whitelist ?

[e-minguez]

Using this approach https://forum.hhf.technology/t/security-and-performance-enhancements-in-traefik-configuration-in-pangolin/478/1 will enable adding traefik plugins and tweaks. Didn't had the chance to try it but it feels it can be accomplished.

[Steffen-MLR]

i would love this feature. is there a way to contribute here?

[floco]

Thanks. Looks like it would be possible via https://forum.hhf.technology/t/installing-and-setting-up-pangolin-and-middleware-manager/2255 and adding a mtls traefik plugin ? Anyone tried that ? Would be great though if this was available directly in Pangolin.

[l3ztum]

@hhftechnology could you maybe post a cut down version of your config with mtls?

[hhftechnology]

@hhftechnology could you maybe post a cut down version of your config with mtls?

DM me on cord or ping me on pangolin cord.

[Steffen-MLR]

@hhftechnology i would be interested too. Can you share this online? Maybe there is a way to add this as a feature to pangolin

[Nexulo]

@hhftechnology can you please post your changes to make this work with mtls?

[oscarorange]

I'd use the hell out of this feature if it were added

Currently I need to choose between using Tailscale which limits me from using any other VPN on mobile devices, and using Cloudflare Tunnels with mTLS rules which I'm not a huge fan of because Cloudflare act as a MITM

Most of the services I use support mTLS on their clients, obviously the clients aren't able to auth with Pangolin and I'm not keen on creating bypass rules for paths because I feel as though that makes services just as vulnerable as they would be if I didn't use any auth at all

[Steffen-MLR]

Alright guys, I just tried this and it seems to work pretty good.

What I achieved so far:

• securing every request with mTLS
  What I did not:
• securing only one Domain
• error handling, if no mTLS Client Cert is provided

you can extend your dynamic conf stored in config/traefik/dynamic_config.yml like this:
I wrapped the added lines with "### NEW".

### NEW
tls:
  options:
    default:
      clientAuth:
        caFiles:
          - /etc/traefik/certs/rootCa.pem
        clientAuthType: RequireAndVerifyClientCert
### NEW

http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https


  routers:
    # HTTP to HTTPS redirect router
    main-app-router-redirect:
      rule: "Host(`pangolin.domain.de`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`pangolin.domain.de`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
        ### NEW
        options: default
        ### NEW

    # API router (handles /api/v1 paths)
    api-router:
      rule: "Host(`pangolin.domain.de`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    # WebSocket router
    ws-router:
      rule: "Host(`pangolin.domain.de`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"  # Next.js server

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server

you still need to create your own rootCa and clientCert, which i created using these commands:

# Create root CA private key
openssl genrsa -out rootCA.key 4096

# Create root CA certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

# Create client private key
openssl genrsa -out client.key 2048

# Create client CSR
openssl req -new -key client.key -out client.csr

# Create client certificate
openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 365 -sha256

# Create client PFX file
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile rootCA.pem

the file rootCa.pem should be placed at config/traefik/certs/rootCa.pem and the client.pfx needs to be instaled on the Client PC.

Please test this and give me Feedback. If it works for you too, I will look into how to secure specific Domains/Urls only.

regards
Steffen

[Steffen-MLR]

let me reply to my own topic here: this will only work for all connections. if you are using newt you need to provide the pfx like newt --tls-client-cert client.pfx ... because it needs a tls cert in this scenario.

i think the best way would be to add the possibility to provide the config:

tls:
  options:
    mtls:
      clientAuth:
        caFiles:
          - /etc/traefik/certs/rootCa.pem
        clientAuthType: RequireAndVerifyClientCert

and the options: name: mtls via

pangolin/server/routers/traefik/getTraefikConfig.ts

Line 129 in 69b28b9

const config_output: any = {

Since you need to add a Config Field "Use mTLS" AND implement the above config, this would need more than an extended config file.
I don't know how to combine the two providers for traefik here and i am not sure how to add tls options via http, or if it is possible.

hope this helps
regards
Steffen