Client certificates (mTLS) in Caddy plugin

Started by nsky, November 05, 2024, 05:38:31 PM

Hi,

am I right that the Caddy reverse proxy plugin (https://github.com/opnsense/plugins/tree/master/www/caddy) currently has no way to configure TLS client certificates through the GUI?

If yes, my approach would be to add a custom config file since the generated Caddyfile imports anything from /usr/local/etc/caddy/caddy.d/*.conf.

But for this, I need to know where OPNsense stores the generated CAs and certificates when using System --> Security to create them. Can someone tell me where they are stored? I need the file path to provide them in the Caddy config...

Thanks and best regards
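What such a drop-in file could look like, as an added example that is not from the poster or the plugin: the site name, the upstream and the CA path are placeholders, and the only assumption about the plugin is the one stated above, that the generated Caddyfile imports /usr/local/etc/caddy/caddy.d/*.conf.

```caddyfile
# Hypothetical file: /usr/local/etc/caddy/caddy.d/mtls.conf
# Picked up because the generated Caddyfile imports caddy.d/*.conf.
app.example.com {
    tls {
        client_auth {
            # require_and_verify: the client must present a certificate AND it
            # must chain to the CA below. The weaker modes (request,
            # verify_if_given) still admit clients without a valid certificate.
            mode require_and_verify
            # Placeholder: PEM file of the CA that issued the client certificates.
            trusted_ca_cert_file /path/to/client-ca.pem
        }
    }
    # Placeholder upstream; the handshake fails before any request reaches it
    # if the client certificate is missing or does not verify.
    reverse_proxy 10.0.0.5:8080
}
```

Newer Caddy releases (2.8 and later) prefer `trust_pool file { pem_file /path/to/client-ca.pem }` inside `client_auth`; `trusted_ca_cert_file` still works but is deprecated there.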

November 05, 2024, 06:01:49 PM #1 Last Edit: November 05, 2024, 06:10:44 PM by Monviech
https://github.com/opnsense/plugins/issues/4089

PRs welcome, all the framework is there. It should be very easy to add to the GUI.

There is a script that will automatically extract certificates from System - Trust for caddy here:

https://github.com/opnsense/plugins/blob/bb69d4653746320c0bf4363eb42f63906b5584e8/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php#L35

It runs automatically when caddy reloads or starts so the certs are all there.
Hardware:
DEC740

Hi, did anyone get this working?

It would be great to have the option to use mTLS with self-hosted apps like Immich and Home Assistant and on mobile devices.

Having it as an option in the Caddy plugin along with access lists and HTTP authentication would be great. Lots of mobile apps don't have the option to use HTTP authentication either.

It can be added to the plugin if somebody spends the time to implement and test it. PRs still welcome.

I could implement it too, but I don't have a reason for my own use and the priority is low.
Hardware:
DEC740