Forward TLS client certificates in Client-Cert header (RFC 9440)

[tommie]

The createDevProxy function creates a proxy for all(?) Nitro requests, and while it forwards non-TLS information, it doesn't allow client certificates:

cli/packages/nuxi/src/commands/dev.ts

Lines 203 to 220 in b4d7e69

	proxy.on('proxyReq', (proxyReq, req) => {
	if (!proxyReq.hasHeader('x-forwarded-for')) {
	const address = req.socket.remoteAddress
	if (address) {
	proxyReq.appendHeader('x-forwarded-for', address)
	}
	}
	if (!proxyReq.hasHeader('x-forwarded-port')) {
	const localPort = req?.socket?.localPort
	if (localPort) {
	proxyReq.setHeader('x-forwarded-port', req.socket.localPort)
	}
	}
	if (!proxyReq.hasHeader('x-forwarded-Proto')) {
	const encrypted = (req?.connection as TLSSocket)?.encrypted
	proxyReq.setHeader('x-forwarded-proto', encrypted ? 'https' : 'http')
	}
	})

It would be useful if this also allowed using peer certificates:

    if (!proxyReq.hasHeader("Client-Cert")) {
      // authorized is true if the TLS server was able to verify the client certificate against the CA bundle.
      if (req.socket.getPeerX509Certificate && req.socket.authorized) {
        const cert = req.socket.getPeerX509Certificate();
        if (cert) {
          proxyReq.setHeader("Client-Cert", cert.raw.toString('base64'));
        }
      }
    }

RFC 9440 defines this header as base64 of the DER encoding and requires the TLS server to perform verification. There's an optional Client-Cert-Chain it could also forward.

It would be even neater if the getPeerX509Certificate function was also made available on the Nitro side, so I don't have to treat this hidden proxying differently, but as long as the data is available, the rest is sugar.

Requires unjs/listhen#204

• Envoy uses x-forwarded-client-cert
• There are references to x-client-cert and x-client-certificate in various places on the Internet.

[tommie]

Oh, nice to get rid of the proxy. Thanks!