I’m trying to move an existing backend over to Google Cloud Run. Some of the endpoints (under a specific subdomain) require SSL Client Authentication. The way this is handled at the moment is on Nginx configuration level:
server {
listen 443 ssl http2;
server_name secure.subdomain.example.com;
[...]
# SSL Client Certificate:
ssl_client_certificate xxx.pem;
ssl_verify_client on;
[...]
location / {
if ($ssl_client_verify != "SUCCESS") { return 403 $ssl_client_verify; }
[...]
}
}
What would be the best approach to handle SSL client certificate authentication with Google Cloud Run? I assume this would need some sort of load balancer on the correct network layer and with support for cloud run?
Of course there is always the option to authenticate in the ExpressJS app, but if possible I would prefer it to happen before even reaching Cloud Run.
2
Answers
You can’t achieve that with Cloud Run. The SSL connection is terminated at the load balancer side (On an HTTPS load balancer, or on the Cloud Run built-in load balancer). You only receive HTTP traffic to your service.
Indeed, you can add additional security information, in the request header, but you lost the SSL flavor.
Cloud Run does not support SSL Client Certificate Authentication. The GFE (Google Front End) proxies requests for Cloud Run applications and does not pass-through requests. The only Google Cloud load balancers that support SSL client certificates are based on Google Maglev.
None of the Google Cloud managed compute services support SSL client certificate authentication (mutual TLS authentication).
Consider using Compute Engine instead of Cloud Run.Then configure Nginx to handle client authentication. For load balancing, use a pass-through load balancer such as External TCP/UDP Network Load Balancer