Check client certificate's Common Name to authorize access in mTLS

Hi Traefik Community!

I have mTLS in my configuration, and it's a success so far. We have every client providing a client certificate issued from the trusted CA accessing our API successfully through Traefik.

But we want more for the security check: we want to authorize only a list of client certificates. I did this with the Apache HTTPD truststore, checking the CommonName (CN) of the received client certificate and checking whether it is in the truststore. If not, the request didn't pass through.

I want to do the same with Traefik. I haven't seen the possibility in the Traefik configuration. I may have found a plugin, but it restricts the check to domain names only and does not check the CN.

Have some of you managed to handle this kind of configuration?

Thank you in advance for your answers.

Have a great day!

Note: this topic is similar to Filter the request based on Common Name from Client Certificate and Traefik Client Certificate CN verification, but they have stayed unanswered so far (and are from 2019).
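The CN allowlist check described in the post, as an added Go example (not code from the original post or from any Traefik plugin). It assumes TLS is terminated at the proxy so `req.TLS` carries the already-verified client chain; the CN values and handler names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"time"
)

// cnAuthorized: the TLS layer has already verified the chain against the trusted CA; here only the leaf's Subject CN is tested.
func cnAuthorized(req *http.Request, allowed map[string]bool) bool {
	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
		return false // no client certificate presented
	}
	return allowed[req.TLS.PeerCertificates[0].Subject.CommonName]
}

// cnAuthMiddleware has the shape of a Traefik middleware plugin handler (assumed, not any plugin's own code).
type cnAuthMiddleware struct {
	next    http.Handler
	allowed map[string]bool
}

func (m *cnAuthMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	if !cnAuthorized(req, m.allowed) {
		http.Error(rw, "client certificate not authorized", http.StatusForbidden)
		return
	}
	m.next.ServeHTTP(rw, req)
}

// requestWithClientCN stands in for a terminated connection, carrying a constructed self-signed client cert with the given CN.
func requestWithClientCN(cn string) *http.Request {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return &http.Request{TLS: &tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}}
}
```

Matching on CN only authorizes what your own CA issued: keep the client CA trust store limited to that CA, since any other trusted issuer could mint a certificate with the same CN.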

Have you checked the long list of Traefik plugins on Github? There are some about cert auth, like this one.


Thank you for your answer. I tried the plugin you linked, but it does not fit all the requirements: it does not check the CN but only the SAN. I opened an issue on the repo for this.

But, thanks to you, I looked at the long list of plugins and found this one which seems promising: GitHub - safing/tlsauth: Traefik plugin to authenticate users based on the Common Name, DNS Names and Email Addresses of their TLS client certificate. Optionally add the username as a request header for the upstream service.

I will try it and keep you updated.

Have a nice day!