1. Introduction

1. Introduction

A fairly common deployment pattern for HTTPS applications is to have the origin HTTP application servers sit behind a reverse proxy that terminates TLS connections from clients. The proxy is accessible to the Internet and dispatches client requests to the appropriate origin server within a private or protected network. The origin servers are not directly accessible by clients and are only reachable through the reverse proxy. The backend details of this type of deployment are typically opaque to clients who make requests to the proxy server and see responses as though they originated from the proxy server itself. Although HTTPS is also usually employed between the proxy and the origin server, the TLS connection that the client establishes for HTTPS is only between itself and the reverse proxy server.

The deployment pattern is found in a number of varieties such as n-tier architectures, content delivery networks, application load-balancing services, and ingress controllers.

Although not exceedingly prevalent, TLS client certificate authentication is sometimes employed, and in such cases the origin server often requires information about the client certificate for its application logic. Such logic might include access control decisions, audit logging, and binding issued tokens or cookies to a certificate, including the respective validation of such bindings. The specific details needed from the certificate also vary with the application requirements. In order for these types of application deployments to work in practice, the reverse proxy needs to convey information about the client certificate to the origin application server. At the time of writing, a common way this information is conveyed is by using non-standard fields to carry the certificate (in some encoding) or individual parts thereof in the HTTP request that is dispatched to the origin server. This solution works, but interoperability between independently developed components can be cumbersome or even impossible depending on the implementation choices respectively made (like what field names are used or are configurable, which parts of the certificate are exposed, or how the certificate is encoded). A well-known predictable approach to this commonly occurring functionality could improve and simplify interoperability between independent implementations.

The scope of this document is to describe existing practice while codifying specific details sufficient to facilitate improved and lower-touch interoperability. As such, this document describes two HTTP header fields, "Client-Cert" and "Client-Cert-Chain", which a TLS terminating reverse proxy (TTRP) adds to requests sent to the backend origin servers. The Client-Cert field value contains the end-entity client certificate from the mutually authenticated TLS connection between the originating client and the TTRP. Optionally, the Client-Cert-Chain field value contains the certificate chain used for validation of the end-entity certificate. This enables the backend origin server to utilize the client certificate information in its application logic. While there may be additional proxies or hops between the TTRP and the origin server (potentially even with mutually authenticated TLS connections between them), the scope of the Client-Cert header field is intentionally limited to exposing to the origin server the certificate that was presented by the originating client in its connection to the TTRP.