Expand authentication with mTLS

.github/secret_scanning.yml

@@ -0,0 +1,4 @@
+paths-ignore:
+  - "quickstart/exampledata/config/credentials.yml"
+  - "quickstart/exampledata/config/nginx/mtls.conf.d/*.key"
+  - "quickstart/exampledata/config/nginx/mtls.conf.d/*.crt"

CHANGELOG.md

@@ -4,8 +4,9 @@
 ### Breaking
 ### Features
 
-* retrieve oauth token automatically from different oauth endpoints by introducing an additional file to 
-  define the credentials for every configuration source
+* introducing an additional file to define the credentials for every configuration source
+* retrieve oauth token automatically from different oauth endpoints
+* retrieve configruation with mTLS authentication
 
 #### Improvements
 ### Bugfix

doc/source/getting_started.rst

@@ -124,6 +124,23 @@ Run with getting config from http server with basic authentication
       logprep run http://localhost:8081/config/pipeline.yml
 
 
+Run with getting config from http server with mTLS authentication
+-----------------------------------------------------------------
+
+  * Run from within the `quickstart` directory:
+
+    .. code-block:: bash
+
+      docker compose --profile mtls up -d
+
+  * Run within the project root directory:
+
+    .. code-block:: bash
+
+      export LOGPREP_CREDENTIALS_FILE="quickstart/exampledata/config/credentials.yml"
+      logprep run https://localhost:8082/config/pipeline.yml
+
+
 Run with getting config from FDA with oauth2 authentication
 -----------------------------------------------------------
 
@@ -159,7 +176,8 @@ Opensearch:            `localhost:9200`  /        /
 Opensearch Dashboards: `localhost:5601`  /        /       
 Grafana Dashboards:    `localhost:3000`  admin    admin   
 Prometheus:            `localhost:9090`  /        /       
-Nginx:                 `localhost:8081`  user     password
+Nginx Basic Auth:      `localhost:8081`  user     password
+Nginx mTLS:            `localhost:8082`
 Keycloak:              `localhost:8080`  admin    admin   
 Keycloak Postgres:     `localhost:5432`  keycloak bitnami 
 FDA:                   `localhost:8002`  logprep  logprep 

logprep/util/credentials.py

@@ -53,6 +53,15 @@
         # example for Basic Authentication with inline password
         username: <username>
         password: <plaintext password> # will be overwritten if 'password_file' is given
+    "http://target.url":
+        # example for mTLS authentication
+        client_key: <path/to/client/key/file>
+        cert: <path/to/certificate/file>
+    "http://target.url":
+        # example for mTLS authentication with ca cert given
+        client_key: <path/to/client/key/file>
+        cert: <path/to/certificate/file>
+        ca_cert: <path/to/ca/cert>
 
 Options for the credentials file are:
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -66,6 +75,9 @@
 .. autoclass:: logprep.util.credentials.OAuth2PasswordFlowCredentials
    :members: endpoint, client_id, client_secret, username, password
    :no-index:
+.. autoclass:: logprep.util.credentials.MTLSCredentials
+   :members: client_key, cert, ca_cert
+   :no-index:
 
 Authentication Process:
 ^^^^^^^^^^^^^^^^^^^^^^^
@@ -197,7 +209,8 @@ def _resolve_secret_content(credential_mapping: dict):
 
     @classmethod
     def from_dict(cls, credential_mapping: dict) -> "Credentials":
-        """matches the given credentials of the credentials mapping with the expected credential object"""
+        """matches the given credentials of the credentials mapping
+        with the expected credential object"""
         if credential_mapping:
             cls._resolve_secret_content(credential_mapping)
         try:
@@ -229,6 +242,29 @@ def _match_credentials(cls, credential_mapping: dict) -> "Credentials":
                         extra_params.keys(),
                     )
                 return OAuth2TokenCredentials(token=token)
+            case {
+                "client_key": client_key,
+                "cert": cert,
+                "ca_cert": ca_cert,
+                **extra_params,
+            }:
+                if extra_params:
+                    cls._logger.warning(
+                        "Other parameters were given: %s but OAuth token authorization was chosen",
+                        extra_params.keys(),
+                    )
+                return MTLSCredentials(client_key=client_key, cert=cert, ca_cert=ca_cert)
+            case {
+                "client_key": client_key,
+                "cert": cert,
+                **extra_params,
+            }:
+                if extra_params:
+                    cls._logger.warning(
+                        "Other parameters were given: %s but OAuth token authorization was chosen",
+                        extra_params.keys(),
+                    )
+                return MTLSCredentials(client_key=client_key, cert=cert)
             case {
                 "endpoint": endpoint,
                 "client_id": client_id,
@@ -333,6 +369,7 @@ class Credentials:
     _session: Session = field(validator=validators.instance_of((Session, type(None))), default=None)
 
     def get_session(self):
+        """returns session with retry configuration"""
         if self._session is None:
             self._session = Session()
             max_retries = 3
@@ -438,7 +475,8 @@ class OAuth2PasswordFlowCredentials(Credentials):
     client_secret: str = field(
         validator=validators.instance_of((str, type(None))), default=None, repr=False
     )
-    """The client secret for the token request. This is used to authenticate the client. (Optional)"""
+    """The client secret for the token request. 
+    This is used to authenticate the client. (Optional)"""
     _token: AccessToken = field(
         validator=validators.instance_of((AccessToken, type(None))),
         init=False,
@@ -574,3 +612,25 @@ def _get_token(self) -> AccessToken:
         expires_in = token_response.get("expires_in")
         self._token = AccessToken(token=access_token, expires_in=expires_in)
         return self._token
+
+
+@define(kw_only=True)
+class MTLSCredentials(Credentials):
+    """class for mTLS authentification"""
+
+    client_key: str = field(validator=validators.instance_of(str))
+    """path to the client key"""
+    cert: str = field(validator=validators.instance_of(str))
+    """path to the client cretificate"""
+    ca_cert: str = field(validator=validators.instance_of((str, type(None))), default=None)
+    """path to a certification authority certificate"""
+
+    def get_session(self):
+        session = super().get_session()
+        if session.cert is None:
+            cert = (self.cert, self.client_key)
+            session.cert = cert
+            if self.ca_cert:
+                session.verify = self.ca_cert
+
+        return session

quickstart/docker-compose.yml

@@ -122,6 +122,18 @@ services:
       - ../quickstart/exampledata:/usr/share/nginx/html:ro
       - ../quickstart/exampledata/config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
       - ../quickstart/exampledata/config/nginx/conf.d:/etc/nginx/conf.d:ro
+  mtls-config:
+    image: nginx:latest
+    container_name: mtls-config
+    profiles:
+      - mtls
+    network_mode: host
+    expose:
+      - 8082
+    volumes:
+      - ../quickstart/exampledata:/usr/share/nginx/html:ro
+      - ../quickstart/exampledata/config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ../quickstart/exampledata/config/nginx/mtls.conf.d:/etc/nginx/conf.d:ro
   keycloak:
     image: bitnami/keycloak:latest
     container_name: keycloak

quickstart/exampledata/config/credentials.yml

@@ -7,3 +7,7 @@
 "http://localhost:8081":
   username: user
   password: password
+"https://localhost:8082":
+  client_key: quickstart/exampledata/config/nginx/mtls.conf.d/client.key
+  cert: quickstart/exampledata/config/nginx/mtls.conf.d/client.crt
+  ca_cert: quickstart/exampledata/config/nginx/mtls.conf.d/ca.crt

quickstart/exampledata/config/nginx/mtls.conf.d/ca.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDmzCCAoOgAwIBAgIUCyRRwwUOd0iw1In+yHn9aoqozVcwDQYJKoZIhvcNAQEL
+BQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEVMBMGA1UEAwwMY2EubG9jYWxob3N0
+MCAXDTI0MDMyODA4NDIwOVoYDzIwNTEwODEzMDg0MjA5WjBcMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMRUwEwYDVQQDDAxjYS5sb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCQAh2nl9w6qFngBVkpZixI2u2IPHuqxaSnm2AkBqcy
+4OyDqEC463czZPQUS0Yv0RpzDVFYjq0ii21q0ywCiWxt4DwobqyDXTn68lcwvNTY
+qLLlviqC0xuSv2/eqWJZ1QJ8yJhx3QzdpXbLb7MnkVFaiLucebUK205Gs+i1wKw0
+tniC3+BpUCynowZSge095HwGINvwSKrpweGDoYI5woRjsl8Ksn7/0OXn6ueKKJYu
+R1dXT5JgbOaY22WBe96b5HUpLxamqbO+M6TJJdVv0H3G/rAgnxrhrYHgJBs/IF8/
+mBgahH2EazGw2BI2SrmOYmayKXs4rmWAX34P/zq3rNLHAgMBAAGjUzBRMB0GA1Ud
+DgQWBBRQqo42nJN4uerAY9k2IdECI0922TAfBgNVHSMEGDAWgBRQqo42nJN4uerA
+Y9k2IdECI0922TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB5
+JX7Q05yueUtWZK1Gx41jxojj8fi3nq0VUbNLATEJT1OFMSRGrBFlm+ayJw7GhnvO
+wPuy3fxA+Ixhw68rzB8JAl9gtLm1Rv4biBbTrlrbCq4S4Ne2qHSZJTzeLLFgpkZ1
+VwneCEjjXNNnIOMvxFT4TequlEzGAUQjIFKxOj0AjeLucnZnktCge2oxNaUr/s4+
+b7LqIvEZUZPup+XTk79rCIfhNN7ML/9yeNZbxneoz2GKn5KU5NoBOLmyHEd6HEGC
+/6PAOFNLO9OR2b4zsIEorSTXCP5NkRDuA8DAAKoaYkK8P4pYuFbmvSvQixSLVcVu
+gXNBmnx+ej6lKVn5yuo2
+-----END CERTIFICATE-----

quickstart/exampledata/config/nginx/mtls.conf.d/ca.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI+VMpvN/v7YkCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECApOwJBfoRwqBIIEyDAZ5NMr2h3x
+eOPsu4rmjiICNQ2GyRpo8bGOSgn4SDwEGzw7NfMwx6n1tSLzfD8lKkI54QQ9LS8i
+Tviki02htW57lpd09yNv17x0Lt8e5A1iN40UK7c6UWo5khcvoMOvjv+JPNgSheXt
+dm0AF0co49j3PmqNjJO37uNmrzcq32S925d02gQ4kBDYri6VNMh4s46s5Wli6tpP
+/yvj07x1a0nNVI+EtOyYswtJCh/OGtpidM1wdkvBjIivzcBBbeVjQkgCaa/P/+Wu
+qZKJpAarpJgW/HIxGinzFmN6cAerpnG7ARb/+CBNUV3GT2EB8mNh1qRxTK590aN4
+7nhL4x48I8TCBT9xcZ/SE/Zgj3qAnoAa4U/tYJazMG7q69v3Cs/I+Tu5TQoaPH9W
+ccFxbwiooBiHOQrYclciDUF6nL3hN1v5XxBzVhmE4qsLzswYN82wwDb1J3cmR2Gb
+0orDRoI++jBqOGPwSZ5glYZyE6+epcQSEhaT27F4lzlUk3nrN1b43JED0UPtFgb5
+wpcl4cld8e3Ofl2D+BlKQ1/JlkZ/K55JBb9Khc7HTjtpV3MwPefHs5Zy8zoNgiae
+8utHfYegImEFFo1sdcU/cooA1b6c1mWMevM+8Yz32rfLcnmyWK+pCIgU48/sLPmu
+Q5oSg+uLhcQaKUj3fpl4AuYz/Q3Owm11zXqSjQLMJX15DPVahv3vIRvpUQN73bAk
+TquZ1hoFxDxwmFCX8EnkmK+g7amvFNzIJkX5xJ9KW4U2lHelGNImt6+XfOJmqoxQ
+x1Yz6f1I7cv9la9hLHp7SYozEeEjrgDRXEULPYhXCfTHn20do1WDn/VK7HN3ESpm
+Rd8cfBsSFvHjBSk1MWW/kFKMPfQRh7+AZY6qvWTZ78pivE6JJDEHcT93gL2X3/Xn
+jgyAbtFvBGiIAj46U316tT4/vmCk1xaC8X7UDX+YpgGXMPMJ7QGKRKpG4OCBHYfd
+R+Hw7xMxBCtZKI8tq8ghOo9OAs0UulGffv0Wh+1EzBQFpFBlFzVLm5u11XJL4Rs7
+HgoDC7rDX3Nv2JtEsK47WHLWCIw6fswjKbjbUgECm7y0Z/rWjozaooXa6WUm3GzB
+d4uvPG/AesjqX4zdFebz0joLYvYvZt03gjGfhjxpcVGGRkv60glNxpK3oAUGaYhf
+TKrVOMTL9NKfuOrvuPBSgKVeT6jTFoTC9MfGgfPwrPkAeRdU0fnO/2oAby94B2hB
+4mOn69SCBImivPmJSTfytJJ81AzmDKQitEgiKeMS4nyXcWDHGRG4Wj5JavvKlm9Q
+rxI3HzwZGfMOaO9i7NN/ML2z6uXjHO/ufupxy63ukkoaAcTbYAOwxk4dte9WXTeG
+JrDryj4WDYqdLuET99o+LFqfjUX+YngSwnSZxpDWLs2iLWopkV7s+iIsI/UViqXb
+rPVD8kR0FPbMqbtNSm9lySMLdI5hXYw8msflRUAlp9RZnDp6psLNheqJTCRbzw5d
+ChKbUx9u/MpZbci9GXdgbE9pq9nFJV4hJWILSQs47ADtuVS6jNoTCY21IMTDp5Ux
+aia2Gi1qKAtF1aX5Cfk83F0RTDDV4sQTqCS0quE6qffPjB2Jbq4eoabVRlPp30r4
+gyijUXilVZPCyVTEyPzF8A==
+-----END ENCRYPTED PRIVATE KEY-----

quickstart/exampledata/config/nginx/mtls.conf.d/client.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEPDCCAyQCFA9Zylday8XeecLLAXbNHTvh2x4dMA0GCSqGSIb3DQEBCwUAMFwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxFTATBgNVBAMMDGNhLmxvY2FsaG9zdDAgFw0y
+NDAzMjgwODQ2MjZaGA8yMDUxMDgxMzA4NDYyNlowVzELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDEQMA4GA1UEAwwHbG9ncHJlcDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAMSlbR3LnON+6gszAoyBVCdKc98sbSvzKfQfYeKPj0Pklvo5t59UN9cg
++EpYH+GyAr/OxhywzD/K1Q0G/VZQpAglibwmRoZHCd2D9uqYKb1cNL7rJ/9MtyJs
+0w8c7efV6S9gCbu/tbnH93yhPfWotjTxTciHK87SkG/NCcJ0D4pSt2m4KIEotp71
+DeRh9Le+D4JLCpDtTd41jp86tBFOtQUOzHzCJNSqijXuJqPBzNHjV7Jks/PR6Y4f
+DymxGcqPne3O1j6LRAvPgkYuw9ikcuUVKcZOUM7gt2qOOlEImGbeYB0u7cxRyyvZ
+ZNgscokm9X3cAVcVhlPJwTXiOsBv+dWJK9DMvl37RtpCUj9KqoER06xHvHz0prxq
+Tl+1Xqqlk2uEG3ykqrUhDgj4WcY/ahY/oUAVH8scYA+dva5LzChHZOl24eOHF0D2
+Rbn7Ja9Vuw6yMCBaH5GIMwqQep0hmJbVfWi4Gife0+nuYOko9Wi+caU2znKb2HC9
++wE93lWpcgJ/fVsMEDQxB1KggKeM7iHPw8QQ5UiDwThTgQ1nbTGJ11MKoM21lngZ
+JpBDn50dPAkF3UbKhKtepf1vTbnJJZBdPdF99pHNB49O5xUPOVnrog8dAL71RlNu
+HNxxCYH3APpuLZflqf1sE4+ZpqQeYLdYEk8qGFe/cu/YQcQcDLdjAgMBAAEwDQYJ
+KoZIhvcNAQELBQADggEBAFzodmqOES3FZAZdpKNjB55VOtNCKHChqQtMnMmV7RcB
+2knn0501ML1/mpryR+cIZqBCkkKkj39WzJn8M9uSiSoJ+16woi3gUKA/5x0p1EOB
+v7xLy78EvDnADYMJfsbdTPzejdIoMvJpHKpvv1Jnw7ZkgUThiXbCWRSwYeVi9HPy
+U3wxtTovr2aPfzPC2BEp1u8fHFafEdSXOACqo1fRnnmFkFHTNVcstkxprmr0sPBB
+o5I0VGElWbTY1B/OUhCCGFwmpv5P+L/3L7D3NSRSqGrlK4iWYuUgQGNvqAvPF2PJ
+NSi//I2aCJuKV0cNyV6CX8sTQgxg53MGZLWZTSyLxHM=
+-----END CERTIFICATE-----

quickstart/exampledata/config/nginx/mtls.conf.d/client.csr

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEnDCCAoQCAQAwVzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHbG9n
+cHJlcDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMSlbR3LnON+6gsz
+AoyBVCdKc98sbSvzKfQfYeKPj0Pklvo5t59UN9cg+EpYH+GyAr/OxhywzD/K1Q0G
+/VZQpAglibwmRoZHCd2D9uqYKb1cNL7rJ/9MtyJs0w8c7efV6S9gCbu/tbnH93yh
+PfWotjTxTciHK87SkG/NCcJ0D4pSt2m4KIEotp71DeRh9Le+D4JLCpDtTd41jp86
+tBFOtQUOzHzCJNSqijXuJqPBzNHjV7Jks/PR6Y4fDymxGcqPne3O1j6LRAvPgkYu
+w9ikcuUVKcZOUM7gt2qOOlEImGbeYB0u7cxRyyvZZNgscokm9X3cAVcVhlPJwTXi
+OsBv+dWJK9DMvl37RtpCUj9KqoER06xHvHz0prxqTl+1Xqqlk2uEG3ykqrUhDgj4
+WcY/ahY/oUAVH8scYA+dva5LzChHZOl24eOHF0D2Rbn7Ja9Vuw6yMCBaH5GIMwqQ
+ep0hmJbVfWi4Gife0+nuYOko9Wi+caU2znKb2HC9+wE93lWpcgJ/fVsMEDQxB1Kg
+gKeM7iHPw8QQ5UiDwThTgQ1nbTGJ11MKoM21lngZJpBDn50dPAkF3UbKhKtepf1v
+TbnJJZBdPdF99pHNB49O5xUPOVnrog8dAL71RlNuHNxxCYH3APpuLZflqf1sE4+Z
+pqQeYLdYEk8qGFe/cu/YQcQcDLdjAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEA
+dwTgDIU9fPfvsEYmljDWJpRlfvnmqgwaRT+2GC8VhdjAJcsKqtRSjfXZlIagcAfw
+JyqR2vgxRlISBXNhcnBzubgAyu//RCIV5g72QZZADj87p9IWBGJTRs1qPd3BhFRF
+gTVtGlUmLp2HYFHBRCKngJgMthkftwooErrWo6FbNXoGs0TKh3fcjrbBqSu94yjl
+Z4yr+Lgtk1y6DTfNyFhyC43qHAsz2CL9jXuVvMCPo+PZGnTDfJnbeqCGp3jVE497
+A4MFa/tJu5rQbJ1CY5/XprB7XH2GkyYMlmIg30gSDyFdAbaHuC832xN05SP14FA+
+YDJ+zDkGr7IvaNNX6CnOVEaYL8K24tRFpvcXCFlunOu55pr+JkUp23oSQnPFTCfu
+FIKY4mn7oVQ3HgckRSGAQsdVbchMPq5p2Qfvr/MuLuV1CAa5CJZKhIORYKGvlyoQ
+cOD0jDaxImg9jl08+YWa7QYqodhGoaxK+IE6Xo45Xf4Rt9oGB6SnI24W6P1oG70+
+JULLND75A7lDqUBr1eSOt1TXnzuu4b80b3a/wzMpz202rrrGNuiXGwNKc+b52PJY
+XrMo8+CcwbrDPGzOlYM2d0tbLPpKSgM3UGWcm0VwkX2O+9NyHMd1zN6mkcGmfELQ
+BwzP5I66kCtEecYEnS3f0d/b4Wl57QE00NrGxq96cxo=
+-----END CERTIFICATE REQUEST-----

quickstart/exampledata/config/nginx/mtls.conf.d/client.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDEpW0dy5zjfuoL
+MwKMgVQnSnPfLG0r8yn0H2Hij49D5Jb6ObefVDfXIPhKWB/hsgK/zsYcsMw/ytUN
+Bv1WUKQIJYm8JkaGRwndg/bqmCm9XDS+6yf/TLcibNMPHO3n1ekvYAm7v7W5x/d8
+oT31qLY08U3IhyvO0pBvzQnCdA+KUrdpuCiBKLae9Q3kYfS3vg+CSwqQ7U3eNY6f
+OrQRTrUFDsx8wiTUqoo17iajwczR41eyZLPz0emOHw8psRnKj53tztY+i0QLz4JG
+LsPYpHLlFSnGTlDO4LdqjjpRCJhm3mAdLu3MUcsr2WTYLHKJJvV93AFXFYZTycE1
+4jrAb/nViSvQzL5d+0baQlI/SqqBEdOsR7x89Ka8ak5ftV6qpZNrhBt8pKq1IQ4I
++FnGP2oWP6FAFR/LHGAPnb2uS8woR2TpduHjhxdA9kW5+yWvVbsOsjAgWh+RiDMK
+kHqdIZiW1X1ouBon3tPp7mDpKPVovnGlNs5ym9hwvfsBPd5VqXICf31bDBA0MQdS
+oICnjO4hz8PEEOVIg8E4U4ENZ20xiddTCqDNtZZ4GSaQQ5+dHTwJBd1GyoSrXqX9
+b025ySWQXT3RffaRzQePTucVDzlZ66IPHQC+9UZTbhzccQmB9wD6bi2X5an9bBOP
+maakHmC3WBJPKhhXv3Lv2EHEHAy3YwIDAQABAoICAErvdytZggm3PVzTLW95gSYP
+2yP6fAe5fA1JQDXj2wZWP6pPAEg5AaZ7K+K4vj11ZlLNavVX8h2FH7b9KOERjdCE
+7X3DYDCfNYUyWo9/OLiuQHNYjT9ebpMxwSQLNCWagGfLQypGneuT5h2aHFBW4EhA
+hBGcYPdJijzwd32gWKOvbbFduiGt8BmW7JpRMb4rMSHHktkzdO7undDTv/awdY7d
+2tLX8M0Rx+VRQWw51+FLrwmOEn0hSs0bzN1oXZmxLM+IeGARFfciNlSkUYFm+VmO
+vQKSqXyMaZizZkmm6tyYdSvpzDiGGtQ03Zb7KRJWxEoX4nLbAvs+8N+lvBnFEgDA
+HGMF8sbIf4FGoKmxhJoqeanNuMw9C955TM8JN/WVWEWGAk0rAtAVBsYQt29oYs/V
+ppiYXWxCRwBY1vlPndg9pA5uBIbgwmraGOzT9r8SAYM3241rVdSxaU4ykrlJ6QmQ
+nCTBFTri/vbb1XsrULEY70TYv/p4i8azf4pK5riv3/IQHDAbgL2uFTTSHU2+J1VH
+kDeUA+sHAdHJDABMCJPMgadssX/xU3p5YwiautmB/nG9lpvHVpt5Mq3IC04tiOoI
+aBbJ4FioI4UswuhGmFsXVwyVocS+DsIeDg1ToF/NZEQd8f7BC5Ho43zX4/sQL9ZH
+eoKinDOQU7OGuepkoP8BAoIBAQDuLK5Dd/wWYB6W+PPiEXALlj20R4SgvulSbney
+vNCaQiSTdi/rTJj6qZUTUXsDsn0mxPjUpXhXp25TsPink3Vq4O2GYQYLmd206VR+
+kqiARjKCdQJeUHfRhs/k453ACwQ8Fjpv7ZnxMqGxaGhMXNzMUMTS2a49BzIkjJ5T
+/RTIhWrkopd+AyTMRxBP7OKh29VEpQHlqeaEEbcq0/CTGz7npIvTMEnpLy5W8qJC
+x4vg1CWLR01By3W0QyzAmSIYJ6VkyFZkuTtrJ6kFY0meD1HbvlW0KW5bQ9hYOma3
+nc7GhaP4KR8rIOlx6rVhEKnFzXCh6/qEUwnNRCDLk3vl7+SjAoIBAQDTXRSxxGBC
+8BrAyzeU+vFruSeQ05rC5gu/NrnXTYBGq5jXBVYZqZrpSiio9/k61VfbbyB0GZd4
+sHwPe/053okLQWpmWw0yPuyWoNIC8cCw6sqqDe3rX+anDP/abQhlKGys5x2UzuJZ
+saoKsq+jNtAI1xLyTxAYzYVgmVv6yHi31UMozZmNBGq9L0Ox/4vOoAfLFuUPSzg6
+ZIXoBGn5ud7mc+6d1YnwvNzYwmS6l3HZnEWuCmNCiyKE8vMtwvDyDUccRgIPJC1F
+rvhOELXMOX4h3iYPPyZz4eHErVjnGchUIgS9liBWOBvIkrQYTu5Z248hE5deK+ls
+MZk1bDHhPk5BAoIBAG/JuOEh58f4xWLG5nEtDhHiKoP7LVzlPk3aW4Qg6yf7837i
+8grWoNbF0ZqHm91YYTVZLhFguOMrSrUtUwgURgAsIk/4KgY36b+H5Iij/UJ3sC1b
+DgmGazaEt/8OdnQ0t4AcTsFKG/8BbLL/9jQhQeED592vHgC25+oPtiBloOOc+1bk
+mYYjo5ndoOJipNyjea4GZKWO4QsL5ZTMdRYWq6e9q4MsHwS7iFx29YGydwzHhfeh
+N7mx7UT2YoLjXQVJVm+/OA1+g00ACGzm9R6iwiEJbOBqsclURq7iemOkRfEXuKY5
+Zs+vWuKE7yznzUdx7XOSdrq03tzhJSNnzbdWqVECggEBAIh6CNvELlfqi4vDbC9R
+XcOt+YNFbx+7xQgBwTvpehOnx3fHpVHKtxE95kU8YPyBN0qkVbNBtxGh+2lQKTFN
+pPXUlmxjDIFOKhwU2aY3DbHu2U+20NJzyQ5CkY4rawlOceWvEeW9NGCwHFjuCgT8
+ZpXesggtzvoE8sNuIvsqqPAiz0uwfh6VJIrl0vNDS7XulTmond0jN7pUoDYxa3Bp
+eSka4I+fi4MboAqCcuIc2dGmW0PGx1L3XiG0chsxTb0tn6X8+mVmeakOEpzto0Ws
+NeqOc8rSfvTCfLIvMEGA316b3K3CGz0w25fGSm2LwdHZuHCmIs4W0pEe8YuSQh7r
+yUECggEAaj12P3dX51UURYecvclsGnR1Jnm2vioN2F+VkknGA7oOc2++LmHqrMW2
+WwslTJdGXoGe53/vbpQCzFtGk2vq8Qa2DoRh1OPTwOALcHFy049b3Be5S0hEgQEo
+3ZecqV7Q7F/KSYp2KtHugUSLshbEgIRZMeHC7QoaovXSznr/xFc5DoU2hTXvFlno
+RVIXKWm5xbMSMiYMsvu/l2UL8d/QN4SyW22+3OlstUNdijiVBbTsEY1N6ViKTuQ5
+DeWFgkwXplXMHh/dOmFyl4B5LHN3yHQZeJWrKKleZK7SPPJtLQ/i2VPldVF+m4eL
+N0a9jiPNbuK+xhk0g8ptwOO6kYIsDg==
+-----END PRIVATE KEY-----

quickstart/exampledata/config/nginx/mtls.conf.d/default.conf

@@ -0,0 +1,21 @@
+server {
+    listen       8082 ssl;
+    listen  [::]:8082 ssl;
+    server_name  localhost;
+    ssl_certificate conf.d/server.crt;
+    ssl_certificate_key conf.d/server.key;
+    ssl_client_certificate conf.d/ca.crt;
+    ssl_verify_client on;
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+    # redirect server error pages to the static page /50x.html
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}
+

quickstart/exampledata/config/nginx/mtls.conf.d/server.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEPjCCAyYCFD1YFblwn/66le9qhiRXER5pWz5MMA0GCSqGSIb3DQEBCwUAMFwx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxFTATBgNVBAMMDGNhLmxvY2FsaG9zdDAgFw0y
+NDAzMjgwODQ0MDFaGA8yMDUxMDgxMzA4NDQwMVowWTELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAoPgys8nAUnml9hLj62i72tFBmVLUslP8piIc16gvhbi9TkCt9yH7
+65Ch2Oxgjp+WmTC+XggMsW3AA9vAgl+Y7XxThrKP9Zu0eF74OkFKwqQQk+FJQ1iu
+NYYXrbf7L7Ud2CtY1wp1zN4uEKvvyBlRhQS0BhwTy2AvcmsBVRr/OAkaQUOwPUFm
+ZH5siKRscc9sC/JSDlO6/3qVxC7UGozqtvzAhTyc3++liLu2zdvmk/v731Cs8fAi
+2KaXxaxFOOuX7wT0GGjZDJLcYm908CIH57lC5CCo+eunz+Zu7WCtUh5T4edGAzjA
+PN0EWvUh12itklcNnTECR3ztC76C4KpMbrtFmsbnO0ERz1XGVpJiUf39O952TfsH
+0r6Hifpb6s260qm8JVEZHYK1w22PABkClhlxKkyr2NRum4K5dpuQGno1dSo/kCsa
+HDDVDNN9bNC0SIQ60stuojbRurpO564X/Ah7dTopL65wLkclKNlpy7zHODJJqXX1
+tZuFT6lDXJB1Aqea635cBIqvHS6Ee1HBlxY/ko0sdFCZhyUu2K3NFg/SALqhN4dC
+oNUiwqxPIK8j9BgBAXTGSJEg7MrUdKIxXctIRh4EzD6xT1ooEOrJqTOF+j+7YM0d
+5OZ6RHsDGqZnfT/EJpfqBvuj5Y/7STzi/33a31vKrFpKE3ooQ19hH7kCAwEAATAN
+BgkqhkiG9w0BAQsFAAOCAQEAD47grs4Mi+5X0Ry+5zMYwK5f5enn9olbXhs+VcHG
+KY9DzVbyGkb2mR5fk9btafhe+Xc1X15nrz/uzX4s6BiklLWG72KMaQlGAObY4d2U
+9HITI+bZ3kyvKLbwjNic10IOlVhwzB4WTBCa/gzHuHcCKUf9UJhyjDYqeHZmu2yU
+NfXxP1B/pp2qK96K9xrhhXeBrhxKzRCCRY3EriAtDOBtjGPPzfzbgUuKILNk/o/t
+Z0tqwzU6Uv95MciGJtHErzNzlgLzoVOHBAP/TNPpAwh2oAE3PH5HSy88DjXRfO9Z
+TbTsFpzPNRbhbb5NPDmVhuenhjHOHjoIS+hoUuWcc7yWhg==
+-----END CERTIFICATE-----