
How can Nginx validate an X-Forwarded-Client-Cert


I have a Docker infrastructure that uses Nginx 1.27 to serve static files and act as reverse proxy for several related services. Access to different locations is straightforward and is controlled by ensuring the mTLS-provided client certificate passes CA validation and that the metadata in the certificate meets certain requirements.

Everything works fine in development or on cloud VMs using ssl_verify_client and friends. A challenge is arising trying to migrate these containers to Azure Container Apps, which uses Envoy Proxy to terminate TLS connections. Very few configuration options for Envoy Proxy are exposed to end users. It's possible to pass connections through Envoy to Nginx so it can handle TLS termination as desired, but they explicitly block this pass-through behavior for ports 80 and 443. I'm trying to run basically everything over 443. Azure provides an option to pass an X-Forwarded-Client-Cert to the target container (Nginx) if mTLS is used.

I've looked into several options to try to overcome this including an additional proxy, adding load balancers etc., but everything involving the deployment of additional infrastructure looks increasingly complex and kludgy, and invalidates some of the benefits of a managed container service. The Azure docs say to update your applications to read and process the X-Forwarded-Client-Cert HTTP header.

Reading through the nginx documents, I can't find a good way to validate a client certificate that comes through the X-Forwarded-Client-Cert HTTP header for cases like this where Nginx isn't allowed to terminate the TLS connection itself.

One approach that comes up is installing the lua-nginx-module and writing a Lua script to perform the client certificate validation. I've not written Lua before, and this seems a rather error-prone process for an issue that seems like it should be fairly common.

Is there a better way to handle this than preparing a Lua module? If not, is there something I can use that has already been tested and vetted?
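
An added example (not from the question, and not Nginx's or Envoy's own code) of the processing the Azure docs ask for: a parser for Envoy's X-Forwarded-Client-Cert layout and a check that the `Hash` field matches the SHA-256 of the forwarded leaf certificate. It assumes Envoy's documented format (comma-separated hops, `;`-separated `key=value` pairs, double-quoted values, URL-encoded PEM in `Cert`); the PEM body and the SPIFFE/subject values are constructed placeholders.

```python
import base64
import hashlib
import ssl
from urllib.parse import quote, unquote


def parse_xfcc(header: str) -> list[dict[str, str]]:
    """One dict per proxy hop: hops are comma-separated, pairs ';'-separated, and
    values holding ',', ';' or '=' are double-quoted with '"' escaped as '\\"'."""
    hops, cur, key, buf, quoted = [], {}, None, [], False
    for i, c in enumerate(header + ","):           # sentinel comma closes the last hop
        if quoted:
            if c == '"' and header[i - 1:i] != "\\":
                quoted = False                       # closing quote
            elif c != "\\":
                buf.append(c)                        # literal char or escaped quote
        elif c == '"':
            quoted = True
        elif c == "=" and key is None:
            key, buf = "".join(buf).strip(), []
        elif c in ";,":
            if key is not None:
                cur[key] = "".join(buf)
            key, buf = None, []
            if c == ",":
                hops.append(cur)
                cur = {}
        else:
            buf.append(c)
    return [h for h in hops if h]


def leaf_hash_ok(hop: dict[str, str]) -> bool:
    """Envoy sets Hash to the hex SHA-256 of the DER leaf cert and Cert to the
    URL-encoded PEM; recomputing it detects fields edited in transit."""
    pem = unquote(hop.get("Cert", ""))
    if not pem or "Hash" not in hop:
        return False
    der = ssl.PEM_cert_to_DER_cert(pem)              # base64 body -> DER bytes
    return hashlib.sha256(der).hexdigest() == hop["Hash"].lower()


# Constructed placeholder: base64 bytes framed as PEM, not a real certificate.
PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % base64.b64encode(b"constructed placeholder, not a real cert").decode())


def build_sample_header(pem: str) -> str:
    """Format a header the way Envoy would for one mTLS hop (constructed values)."""
    h = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
    return (f'By=spiffe://backend/nginx;Hash={h};Cert="{quote(pem, safe="")}";'
            'Subject="/C=US/O=Example, Inc./CN=client";URI=spiffe://example/client')
```

The header is only meaningful on requests that actually arrived from Envoy, and after this check the decoded PEM still has to be verified against the client CA (for instance in a small `auth_request` backend) before any of its metadata is trusted.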

