@kchien
Last active August 30, 2022 19:39
Enforcing client cert authentication with Puma

Purpose

This is for a private, internal microservice. I want to enforce client authentication with X.509 certs, and I don't care, at the moment, whether or not the client verifies the server (the called microservice).

Stack for the internal microservice

  • puma
  • sinatra
  • ruby 2.7 base image
  • docker-compose

How

In the CMD instruction of my Dockerfile, I used:

CMD ["bundle", "exec", "puma", "-b", "ssl://0.0.0.0:1234?key=/path/to/key&cert=/path/to/cert&verify_mode=peer&ca=/path/to/ca"]

In my Sinatra app

The client certificate is then available in the Rack env, as an OpenSSL::X509::Certificate, at

request.env['puma.peercert']

The underlying TLS socket is also in the env, and its peercert method returns the same object:

request.env['puma.socket']

The key to getting this to work was verify_mode=peer together with ca=...: without the verify_mode setting, Puma never asks the client for a certificate, and request.env['puma.peercert'] was blank. Note that verify_mode=peer only requests a certificate. A client that presents none still completes the handshake and reaches the app with a nil peercert, so the app has to reject that case itself; verify_mode=force_peer makes Puma fail the handshake instead, which is the setting to use when the certificate is mandatory.
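The application-side half of this, as an added example that is not part of the gist: a check that a Sinatra before-filter can run over the Rack env Puma fills in. It refuses a missing peercert (the gap left by verify_mode=peer), re-verifies the chain against the trusted CA, and allowlists the subject CN. It uses only Ruby's stdlib openssl, so it runs without Puma or Sinatra; the CA, the client certs, the service names and the allowlist are constructed in the script and are assumptions, standing in for the key=, cert= and ca= files on the bind URL.

```ruby
require 'openssl'

# Issues a certificate with the given CN. With issuer: nil it is a self-signed
# CA; with issuer: [key, cert] it is a client cert signed by that CA. Constructed
# test data standing in for the key=/cert=/ca= files named on the puma -b URL.
def issue_cert(cn, serial, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[1].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[1] : cert
  if issuer
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  end
  cert.sign(issuer ? issuer[0] : key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Application-level check over the Rack env that Puma fills in. Returns
# [true, cn] or [false, reason]. Even with verify_mode=peer the TLS handshake
# succeeds when the client sends no certificate at all, so a nil peercert has
# to be refused here (verify_mode=force_peer would refuse it at the handshake).
def authorize_client(env, store:, allowed_cns:)
  cert = env['puma.peercert']
  return [false, 'no client certificate presented'] if cert.nil?
  # Puma already verified the chain against ca=...; re-checking in the app is
  # cheap insurance against a later change to the bind URL.
  return [false, "chain not trusted: #{store.error_string}"] unless store.verify(cert)
  cn = cert.subject.to_a.assoc('CN')&.at(1)
  return [false, "subject CN #{cn.inspect} is not an allowed caller"] unless allowed_cns.include?(cn)
  [true, cn]
end

# Exercises the check with a trusted CA, an allowlist, and four callers.
# The service names are hypothetical, constructed for this example.
def demo
  ca       = issue_cert('internal-ca', 1)
  rogue_ca = issue_cert('internal-ca', 1) # same name, different key: not in ca=
  store = OpenSSL::X509::Store.new
  store.add_cert(ca[1])
  allowed = %w[billing-svc orders-svc]

  good     = issue_cert('billing-svc', 2, issuer: ca)[1]
  stranger = issue_cert('ci-runner', 3, issuer: ca)[1] # valid chain, wrong CN
  forged   = issue_cert('billing-svc', 2, issuer: rogue_ca)[1]

  {
    ok:       authorize_client({ 'puma.peercert' => good }, store: store, allowed_cns: allowed),
    no_cert:  authorize_client({}, store: store, allowed_cns: allowed),
    wrong_cn: authorize_client({ 'puma.peercert' => stranger }, store: store, allowed_cns: allowed),
    forged:   authorize_client({ 'puma.peercert' => forged }, store: store, allowed_cns: allowed)
  }
end

# In the Sinatra app itself (not executed here) the same check runs as a filter,
# with TRUSTED_STORE and ALLOWED_CNS being the app's own constants:
#   before do
#     ok, info = authorize_client(request.env, store: TRUSTED_STORE, allowed_cns: ALLOWED_CNS)
#     halt 403, info unless ok
#   end

demo.each { |name, (ok, info)| puts format('%-9s %-5s %s', name, ok, info) } if $PROGRAM_NAME == __FILE__
```

The CN allowlist is what turns "has a cert from our CA" into "is a service allowed to call this endpoint"; without it, any workload that can obtain a cert from the internal CA (a CI runner, a decommissioned service whose cert has not expired) is accepted. Keeping the chain check in the app as well as on the bind URL costs one verify per request and means a later edit to the CMD line cannot silently turn authentication off.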

Changelog

[2022-08-30]

Added

  • Initial version