Documentation for Jetty

mTLS Client Certificates

Status: Implemented

Overview

Mutual TLS (mTLS) allows tunnel owners to require connecting clients to present a valid TLS client certificate signed by a trusted CA. This provides strong cryptographic authentication at the transport layer, complementing existing mechanisms such as basic auth and IP allowlists.

Design

Database

  • client_ca_cert (text, nullable) on tunnels -- PEM-encoded CA certificate.
  • mtls_enabled (boolean, default false) on tunnels.

Bridge (Laravel)

The TunnelVerifyController includes mtls_enabled and client_ca_cert in the verify response when mTLS is active. The edge server uses these to enforce client certificate verification.

Edge (Go)

  • cli/internal/edge/mtls.go -- parseCACert and verifyCert helpers.
  • The parsed CA pool is stored on the session struct (clientCAPool).
  • In handlePublicHTTP, when mtlsEnabled is true, the edge checks r.TLS.PeerCertificates against the session CA pool and returns 403 if verification fails.
  • Note: in production behind nginx, TLS termination must be configured to either forward the client certificate via proxy_set_header X-Client-Cert or use TLS passthrough, so that the edge server sees the raw TLS handshake and r.TLS.PeerCertificates is populated.

UI (Livewire)

  • ManageMtls component with enable/disable toggle and CA cert textarea.
  • PEM validation before saving.
  • Wired into the active tunnel monitor view.
