Mutual TLS to origin

Store your client certificate in a Fastly secret store to enable mTLS on backend requests.

Compute

Use this solution in your Compute service:

Rust

Cargo.toml

Rust

[dependencies]
fastly = "0.9.2"

main.rs

Rust

use fastly::backend::Backend;
use fastly::secret_store::{LookupError, SecretStore};
use fastly::{Error, Request, Response};

#[fastly::main]
fn main(req: Request) -> Result<Response, Error> {
    // Fetch the certificate from a secret store
    let store = SecretStore::open("my_credentials_store")?;

    // This is not actually a secret, but it's convenient to store it in
    // the secret store, paired with the key.
    let certificate_bytes = store
        .get("fastly-certificate")
        .ok_or_else(|| LookupError::InvalidSecretName("fastly_certificate".to_string()))?
        .plaintext()
        .to_vec();
    let certificate = String::from_utf8(certificate_bytes)?;

    // This is definitely a secret
    let certificate_key = store
        .get("fastly-key")
        .ok_or_else(|| LookupError::InvalidSecretName("fastly_key".to_string()))?;

    // mTLS is currently only supported on dynamic backends
    let backend = Backend::builder("origin_0", "http-me.glitch.me")
        .enable_ssl()
        .override_host("http-me.glitch.me")
        .provide_client_certificate(certificate, certificate_key)
        .finish()?;

    Ok(req.send(backend)?)
}

Network services

Security

Compute

Quick start

Building blocks

Mutual TLS to origin

Compute