This is for a private, internal microservice. I want to enforce client authentication with X.509 certs and I don't care -- at the moment -- whether or not the client wants to verify the server (the called microservice).
- puma
- sinatra
- ruby 2.7 base image
- docker-compose
In the CMD instruction of my Dockerfile, I used:
CMD ["bundle", "exec", "puma", "-b", "ssl://0.0.0.0:1234?key=/path/to/key&cert=/path/to/cert&verify_mode=peer&ca=/path/to/ca"]
The cert is then available at request.env['puma.socket'] as well as request.env['puma.peercert'].
The key to getting this to work was the verify_mode=peer and ca=... parameters.
Without the verify_mode setting, request.env['puma.peercert'] was blank.
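With verify_mode=peer Puma verifies a certificate the client presents against ca=..., but a client that presents none still completes the handshake (force_peer is the mode that rejects it), so the application has to treat an empty puma.peercert as a denial. The following is an added example, not code from the original post, of that check plus an identity decision; the allowlist, the CN "billing-service" and the helper names are assumptions.

```ruby
require 'openssl'

# Hypothetical allowlist: certificate CNs of the services allowed to call this one.
ALLOWED_CLIENT_CNS = ['billing-service'].freeze

# Decide whether the request may proceed, given the Rack env Puma built for it.
# Returns [:ok, cn] or [:deny, reason].
def client_auth_decision(env, allowed = ALLOWED_CLIENT_CNS)
  cert = env['puma.peercert']
  # nil when the client completed the handshake without sending a certificate.
  return [:deny, 'no client certificate presented'] unless cert.is_a?(OpenSSL::X509::Certificate)

  # Subject entries are [field, value, type] triples; take the CN value.
  cn = cert.subject.to_a.find { |field, _value, _type| field == 'CN' }&.fetch(1)
  return [:deny, "client #{cn.inspect} is not on the allowlist"] unless allowed.include?(cn)

  [:ok, cn]
end

# Constructed sample input: a self-signed certificate standing in for the object
# Puma stores in env['puma.peercert'] after it has verified the chain against ca=...
def sample_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Wiring in the Sinatra app (not executed here):
#   before do
#     verdict, detail = client_auth_decision(request.env)
#     halt 403, detail unless verdict == :ok
#   end
```

The CN check only means something if the CA passed in ca=... issues certificates to trusted clients alone.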