feat(entrypoint): add inbound mTLS profiles for HTTPS

Add root-level inbound_mtls_profiles combining optional system CAs with PEM CA files, and entrypoint.inbound_mtls_profile to require client certificates on every HTTPS connection. Route-level inbound_mtls_profile is allowed only without a global profile; per-handshake TLS picks ClientCAs from SNI, and requests fail with 421 when Host and SNI would select different mTLS routes. Compile pools at init (SetInboundMTLSProfiles from state.initEntrypoint) and reject unknown profile refs or mixed global-plus-route configuration. Extend config.example.yml and package READMEs; add entrypoint and config tests for TLS mutation, handshakes, and validation.
2026-04-14 12:39:40 +02:00 · 2026-04-09 17:51:18 +08:00
parent 6cafbcf669
commit 2a3823091d
18 changed files with 886 additions and 17 deletions
--- a/config.example.yml
+++ b/config.example.yml
@@ -19,6 +19,17 @@

 # 3. other providers, see https://docs.godoxy.dev/DNS-01-Providers

+# Inbound mTLS profiles (optional)
+#
+# Reusable named profiles for inbound HTTPS client-certificate validation.
+# A profile must trust either the system CA store, one or more CA files, or both.
+#
+# inbound_mtls_profiles:
+#   corp:
+#     use_system_cas: true
+#     ca_files:
+#       - /app/certs/corp-ca.pem
+
 # Access Control
 # When enabled, it will be applied globally at connection level,
 # all incoming connections (web, tcp and udp) will be checked against the ACL rules.