This repository has been archived by the owner on May 28, 2024. It is now read-only.
Use TLS client certificates to authenticate with Go

License

Notifications You must be signed in to change notification settings

cnorthwood/gocd-tls-auth

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Go.CD TLS Client Certificate Authenticator

This plugin allows users to be authenticated by TLS client certificates when GoCD sits behind a reverse proxy that terminates TLS and passes the certificate details through to Go in HTTP headers.

Deploying

The GoCD docs are a good intro to how authentication works: https://docs.gocd.org/current/configuration/dev_authentication.html

You'll also need to configure Apache (or another reverse proxy) to terminate the TLS connections and reverse proxy them through to Go. Apache needs to make the client certificate's subject DN, from which the plugin takes the CN, available to the upstream server in the "SSL_CLIENT_S_DN" header, and the certificate verification result in "SSL_CLIENT_VERIFY". Adding lines such as the following to your Apache config will do this:

RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

RequestHeader set replaces any header of the same name that arrived with the request, so a client cannot supply its own DN or verify state through the proxy. The plugin does, however, trust whatever these headers say, so Go must not be reachable on its own port other than via the proxy; anyone who can connect to Go directly could forge both headers. Note also that SSL_CLIENT_S_DN carries the whole subject DN, and Apache 2.3.11 and later emit it in RFC 2253 form (e.g. CN=alice,O=Example) rather than the older /O=Example/CN=alice form unless SSLOptions +LegacyDNStringFormat is set.

The httpd.conf in the apache-config folder shows a complete sample configuration.
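The trust model those two RequestHeader lines set up, as an added example that is not the plugin's or the project's code: a model of what Apache's RequestHeader set does to a forwarded request, and the checks a backend has to make before turning SSL_CLIENT_S_DN into a username. The header names and the verify states (SUCCESS, NONE, GENEROUS, FAILED:reason) are Apache's; the function names, the DN parser and the sample requests are constructed for this illustration, and the real plugin's parsing may differ.

```python
# Added illustration, not the gocd-tls-auth plugin's code. Models the proxy side
# ("RequestHeader set" overwriting any client-supplied header) and the backend
# side (trust SSL_CLIENT_S_DN only when SSL_CLIENT_VERIFY is SUCCESS).
from typing import Optional

HDR_DN = "SSL_CLIENT_S_DN"
HDR_VERIFY = "SSL_CLIENT_VERIFY"


def proxy_forward(client_headers: dict, ssl_env: dict) -> dict:
    """Model of the two RequestHeader lines in the Apache config.

    `RequestHeader set` replaces any header of that name already present in the
    request, so the client cannot pre-seed the DN or the verify state. ssl_env
    is what mod_ssl knows about this TLS session (empty DN / NONE when the
    client sent no certificate).
    """
    out = dict(client_headers)
    out[HDR_DN] = ssl_env.get("SSL_CLIENT_S_DN", "")
    out[HDR_VERIFY] = ssl_env.get("SSL_CLIENT_VERIFY", "NONE")
    return out


def cn_from_dn(dn: str) -> Optional[str]:
    """Extract the CN from a subject DN in either format Apache emits.

    Apache >= 2.3.11 uses RFC 2253 ("CN=alice,OU=dev,O=Example"); older
    builds (or SSLOptions +LegacyDNStringFormat) use the OpenSSL one-line form
    ("/O=Example/OU=dev/CN=alice"). Splitting on "," is naive about escaped
    commas inside attribute values; real DNs from your CA may need a proper
    RFC 2253 parser.
    """
    dn = dn.strip()
    if not dn:
        return None
    parts = dn.split("/")[1:] if dn.startswith("/") else dn.split(",")
    for part in parts:
        key, sep, value = part.strip().partition("=")
        if sep and key.upper() == "CN":
            return value.strip() or None
    return None


def authenticate(headers: dict) -> Optional[str]:
    """Return the username (certificate CN) or None.

    Only SUCCESS is accepted: NONE means no certificate was presented,
    FAILED:<reason> means it did not chain to the configured CA, and GENEROUS
    means SSLVerifyClient optional_no_ca accepted an unverifiable certificate.
    """
    if headers.get(HDR_VERIFY) != "SUCCESS":
        return None
    return cn_from_dn(headers.get(HDR_DN, ""))


# Constructed scenarios (not captured traffic).
GOOD_ENV = {"SSL_CLIENT_S_DN": "CN=alice,OU=dev,O=Example",
            "SSL_CLIENT_VERIFY": "SUCCESS"}
NO_CERT_ENV = {"SSL_CLIENT_S_DN": "", "SSL_CLIENT_VERIFY": "NONE"}
# Headers an attacker sends in the hope the backend believes them.
SPOOF_HEADERS = {HDR_DN: "CN=admin", HDR_VERIFY: "SUCCESS"}


def demo() -> dict:
    return {
        # genuine client certificate, verified by Apache
        "valid_cert": authenticate(proxy_forward({}, GOOD_ENV)),
        # forged headers through the proxy: overwritten, so no login
        "spoofed_headers_via_proxy": authenticate(proxy_forward(SPOOF_HEADERS, NO_CERT_ENV)),
        # forged headers sent straight to Go, bypassing the proxy: accepted
        "spoofed_headers_direct_to_go": authenticate(SPOOF_HEADERS),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: {user}")
```

The last scenario is the one to take away: the proxy's overwrite protects the headers only for traffic that goes through the proxy, so the Go server's own listener must be firewalled or bound so that only the proxy can reach it.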

Then download the plugin from the Releases section on GitHub and drop it into the Go server's external plugins folder (e.g. /var/lib/go-server/plugins/external).

Once it's configured and you've restarted Go, a new button should appear on the login screen. Select it and the plugin will use your certificate to authenticate you. You'll then need to log in to the server with a username and password from the passwords file and add your certificate user as an admin. Sadly Go doesn't yet support auth plugins for API access, so you'll still need to use the passwords file for any machine users that access the server through the API.

Developing

There's a Vagrant box which uses Apache for TLS termination and forwards to Go. It's currently configured to require a BBC Platform client certificate, which is probably not useful to a wider audience. To develop against your own CA, replace ca.pem in the apache-config folder and adjust the SSLRequire line in httpd.conf.

Run vagrant up; the Go server is then reachable at https://localhost:7443.

For the dev server, you can configure the password file to be /vagrant/apache-config/htpasswd. The default username and password are "root" and "correct horse battery staple".

To build the plugin, run mvn install. The output should then be available as a plugin in Go, but you'll need to restart Go after compiling (vagrant ssh, then sudo service go-server restart).