client authentication by public keys

[simonsparks]

I am currently trying to set up a deployment on AWS where access to Fabio routes should be restricted to calls via AWS' API Gateway. For this I am aiming to verify a client certificate but as the docs state:

The API Gateway-generated SSL certificates are self-signed and only the public key of a certificate is visible in the API Gateway console or through the APIs.

so I don't appear to have access to the ca.crt to configure Fabio with. Is it possible to verify clients in Fabio by a list of keys rather than a ca certificate?

[magiconair]

@simonsparks you only need the public key to enable client certificate authentication. In the example from fabio.properties this is path/to/clientauth.pem.

proxy.addr = :443;path/to/cert.pem;path/to/key.pem;path/to/clientauth.pem

However, I haven't tried this myself yet but it is the only option I have for configuring client certificate authentication. Please note that you still have to provide TLS certificates for the fabio listener itself since client cert authentication only works via SSL AFAIK.

Let me know how this works out for you. If you continue to have problems then I can try this myself.

[simonsparks]

@magiconair Yes this did work for me; thanks for your response.
p.s. Really pleased with Fabio's capability on our platform, great work!

[magiconair]

@simonsparks Glad to hear and happy that it works. Let me know if there are other issues.