Setting up mTLS requires you to first set up client-certificate verification and TLS termination on your reverse proxy. For example, an Nginx configuration should include something like this:
```nginx
ssl_verify_client optional;
ssl_verify_depth 2;
ssl_client_certificate /path/to/client-ca.crt;
...
proxy_set_header X-JFrog-Client-Cert "";
proxy_set_header X-JFrog-Client-Cert $ssl_client_escaped_cert;
```
Note
The client-ca.crt above is an example of a single PEM file containing all trusted client CA certificates, concatenated. ssl_verify_depth 2 permits client certificates issued through an intermediate CA rather than directly by one of the trusted CAs. Keep ssl_verify_client at on or optional: with optional, a request that presents no certificate is still forwarded (with no certificate header), while a presented certificate that fails verification is rejected by Nginx itself. Do not use optional_no_ca here, because it also forwards requests whose certificate failed verification, unless you additionally gate the header on $ssl_client_verify being SUCCESS.
The reverse proxy should be responsible (by configuration) for:
- Always removing the custom header from all incoming requests, so that a malicious client cannot add the header itself and trick the platform into accepting it as an authentication and authorization mechanism.
- Adding the custom header with the client certificate to the request only for requests that were successfully mTLS-verified.
After setting up your reverse proxy, when a request is performed with mTLS and verification succeeds, the reverse proxy must add a custom header carrying the client certificate in PEM format. $ssl_client_escaped_cert provides that PEM certificate URL-encoded onto a single line, which is what the proxy_set_header X-JFrog-Client-Cert line in the code example above forwards (the header is omitted when the variable is empty, i.e. when no certificate was presented).
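The fragment above expanded into a complete server block, as an added example that is not configuration from the JFrog documentation. The hostname, file paths, upstream address and the $verified_client_cert map variable are assumed placeholders; the map is an extra guard, not required by the platform, that makes the "only for verified requests" rule explicit even if ssl_verify_client is later relaxed.

```nginx
# Added example: complete Nginx configuration (http context) that terminates TLS,
# verifies client certificates against a CA bundle and forwards the verified
# certificate to the JFrog Platform in X-JFrog-Client-Cert.
# Hostname, paths and upstream address are placeholders.

# Belt-and-braces guard (assumed variable name): only expose the certificate
# when Nginx reports the verification result as SUCCESS. With
# ssl_verify_client optional this is already the case, but the map keeps the
# header safe if someone later switches to optional_no_ca.
map $ssl_client_verify $verified_client_cert {
    SUCCESS $ssl_client_escaped_cert;
    default "";
}

server {
    listen 443 ssl;
    server_name artifactory.example.com;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder server cert and key
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Client-certificate verification. "optional" lets clients without a
    # certificate through (so other authentication methods keep working) but
    # still rejects a presented certificate that does not chain to client-ca.crt.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;   # bundle of trusted client CAs
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    location / {
        # Whatever the client sent in X-JFrog-Client-Cert is discarded:
        # proxy_set_header replaces the incoming header, and an empty value
        # means the header is not forwarded at all.
        proxy_set_header X-JFrog-Client-Cert "";

        # Forward the verified certificate only. The value is empty (and the
        # header therefore omitted) when no certificate was presented or when
        # verification did not succeed.
        proxy_set_header X-JFrog-Client-Cert $verified_client_cert;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://127.0.0.1:8082;   # placeholder upstream (JFrog Platform)
    }
}
```

After reloading Nginx, check both responsibilities from outside: a request that supplies its own X-JFrog-Client-Cert header but no client certificate (for example with curl -H 'X-JFrog-Client-Cert: ...') must not be authenticated through the header, and a request made with a valid client certificate and key (curl --cert and --key) must reach the platform with the header populated from the presented certificate.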
Note that you can also use your own custom header name instead of X-JFrog-Client-Cert. If you choose to do so, you will need to set the same header name via header-name in the system.yaml file (see configuration example below) so that the JFrog Platform reads the same header.