Traefik
Traefik can terminate TLS, request a client certificate, and forward the handshake certificate to Authup. Authup then owns realm-specific chain and client-identity validation.
This example uses Traefik's native passTLSClientCert.pem output and Authup's forwarded source:
CERTIFICATE_SOURCE=forwarded
MTLS_PUBLIC_URL=https://mtls.auth.example.com# Traefik dynamic configuration
http:
routers:
authup-mtls:
rule: Host(`mtls.auth.example.com`)
service: authup
middlewares:
- authup-client-certificate
tls:
options: authup-client-certificate
middlewares:
authup-client-certificate:
passTLSClientCert:
pem: true
services:
authup:
loadBalancer:
servers:
- url: http://authup:3001
tls:
options:
authup-client-certificate:
clientAuth:
# Request a certificate without making Traefik's CA store the
# authorization source. Authup validates TLS-authentication chains
# against the client's realm trust anchors.
clientAuthType: RequestClientCertUse RequireAnyClientCert on a dedicated router if every request through that hostname must carry a certificate. RequestClientCert is useful when the same host must also accept ordinary secret/public OAuth clients; Authup still fails closed when a particular client or token requires certificate evidence.
The middleware writes the URL-escaped PEM leaf to X-Forwarded-Tls-Client-Cert. Do not expose the Authup backend service outside the private container/Kubernetes network, and ensure no second route reaches it while preserving a caller-supplied certificate header.
Native forwarded mode has no intermediate chain
Traefik's PEM option forwards the leaf certificate, not the complete chain. With CERTIFICATE_SOURCE=forwarded, an auth_method: tls leaf must be signed directly by an enabled trust anchor in the client's realm.
If your PKI issues through intermediates, use a gateway that emits RFC 9440 Client-Cert plus Client-Cert-Chain and configure CERTIFICATE_SOURCE=standard.
Traefik should request, not authorize, the certificate. Do not duplicate every realm trust anchor into Traefik: that creates two trust stores with different reload and realm semantics. For the complete client configuration and token behavior, see OAuth Client Certificates.