www/caddy: Add client certificate authentication for domains and subdomains #4089

Open
3 tasks done
bob4os opened this issue Jul 12, 2024 · 6 comments
Labels
feature Adding new functionality help wanted Contributor missing

Comments

bob4os commented Jul 12, 2024


Is your feature request related to a problem? Please describe.
I would like to use client certificates for authentication on certain domains.

Describe the solution you'd like
A dropdown for choosing the client authentication mode and another dropdown for choosing one or more certificate authorities provided by OPNsense (https://caddyserver.com/docs/caddyfile/directives/tls#client_auth).
Probably placed in the Trust or Access part in domains or subdomains?

Describe alternatives you've considered
Using NGINX, but I like the simplicity of Caddy.

Additional context
Adding the (non-standard) verifier module for revoked certificates would be the icing on the cake but a lot of extra work...?

bob4os (Author) commented Jul 12, 2024

@Monviech Would you be willing to help me out with this request?

Monviech (Member) commented Jul 12, 2024

I'm not sure.

There's already:

  • Access Lists
  • Basic Auth
  • Forward Auth

So there are already 3 ways to control access. Is a 4th method really needed?

Client Certificate Authentication seems more like a business-related feature to me.

The os-OPNWAF has client certificate authentication built in and also supplies automatic Let's Encrypt certificates: https://docs.opnsense.org/vendor/deciso/opnwaf.html#protect-a-local-server-with-certificates

EDIT: Of course - PRs are welcome.

bob4os (Author) commented Jul 12, 2024

Well it probably is a business feature but it is also available in HAProxy and NGINX.
The OPNWAF plugin is based on Apache as far as I can see, I have never warmed up to it.

I wanted to benefit from automatic certificates without the need for the ACME plugin (nothing wrong with it), probably even OCSP for client certificates, HTTP3...

I will give it a try.

Monviech (Member) commented Jul 12, 2024

If you want to give it a try, the backend scripts already take care of the certificate extraction.

You would only need to add things to the model, form controller, reverse_proxy view and the Caddyfile template.

Shouldn't be too hard if you keep the scope of it simple. All the certificate logic has already been implemented at multiple points, so it's probably just some copy-pasting.

The hardest part is the template. The authentication methods like basic auth and access lists cascade into each other with UUID handles. It's that multiple authentication methods can coexist at the same time in a specific order. That's the most complex part to get right.

bob4os (Author) commented Jul 12, 2024

I did a bit of research last week, but didn't have time this week.
But it does seem manageable, yes.

Do you have a preference as to where to put the UI elements?
In the Caddyfile it is placed in the tls directive, so I would place it in the Trust collapsible.
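For reference, this is what the per-site `tls` block with `client_auth` (the directive linked in the opening post) looks like in a plain Caddyfile. It is an added example, not code from this thread or from the os-caddy plugin's template; `example.com`, the CA file path and the upstream address are placeholders.

```caddyfile
# Added example, not from the thread or the os-caddy template.
# example.com, the CA path and the upstream are placeholders.
example.com {
    tls {
        # require_and_verify: the handshake fails unless the client presents
        # a certificate that chains to the trusted CA below.
        # Caddy's other modes are request, require and verify_if_given.
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /path/to/client-ca.pem
        }
        # Revocation checks (CRL/OCSP) are not part of the standard
        # client_auth directive; that is what the separate verifier
        # module mentioned earlier in the thread would add.
    }

    reverse_proxy 192.0.2.10:8080
}
```

Because `client_auth` is evaluated during the TLS handshake, a rejected client never reaches the HTTP layer, so it sits in front of the basic auth and access list handlers rather than inside their ordered cascade. The `tls` block is also per site, which is why a template change has to emit it inside the domain or subdomain host block.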

Monviech (Member) commented

Since it's more of an access control feature, I would put it under Access in domains and subdomains. In Trust it might confuse people.

Thanks for giving it a try :)

Monviech added the labels "feature" (Adding new functionality) and "help wanted" (Contributor missing) on Sep 8, 2024