feat(entrypoint): add inbound mTLS profiles for HTTPS (#220)

Introduce reusable `inbound_mtls_profiles` in root config and support `entrypoint.inbound_mtls_profile` to require client certificates for all HTTPS traffic on an entrypoint. Profiles can trust the system CA store, custom PEM CA files, or both, and are compiled into TLS client-auth pools during entrypoint initialization. Also add route-scoped `inbound_mtls_profile` support for HTTP-based routes when no global entrypoint profile is configured. Route-level mTLS selection is driven by TLS SNI, preserves existing behavior for open and unmatched hosts, and returns the intended 421 response when secure requests omit SNI or when Host and SNI resolve to different routes. Add validation for missing profile references and unsupported non-HTTP route usage, update config and route documentation/examples, expand inbound mTLS handshake and routing regression coverage, and bump `goutils` for HTTPS listener test support.
2026-04-27 10:47:06 +02:00 · 2026-04-15 12:14:22 +08:00
parent 7b00a60f77
commit 31eea0a885
21 changed files with 1100 additions and 19 deletions
--- a/internal/route/provider/all_fields.yaml
+++ b/internal/route/provider/all_fields.yaml
@@ -10,6 +10,7 @@ example: # matching `example.y.z`
  no_tls_verify: true
  disable_compression: false
  response_header_timeout: 30s
+  inbound_mtls_profile: corp # optional, only supported when no global entrypoint inbound_mtls_profile is configured; selected by TLS SNI and Host/SNI must resolve to the same route
  ssl_server_name: "" # empty uses target hostname, "off" disables SNI
  ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
  ssl_certificate: /etc/ssl/client.crt