Mutual TLS to origin

Store your client certificate in a Fastly secret store to enable mTLS on backend requests.

Compute

Use this solution in your Compute service:

  1. Rust
Cargo.toml
[dependencies]
fastly = "0.9.2"
main.rs
    use fastly::backend::Backend;
    use fastly::secret_store::{LookupError, SecretStore};
    use fastly::{Error, Request, Response};

    #[fastly::main]
    fn main(req: Request) -> Result<Response, Error> {
        // Fetch the certificate from a secret store
        let store = SecretStore::open("my_credentials_store")?;

        // This is not actually a secret, but it's convenient to store it in
        // the secret store, paired with the key.
        let certificate_bytes = store
            .get("fastly-certificate")
            // Report the same entry name that was looked up
            .ok_or_else(|| LookupError::InvalidSecretName("fastly-certificate".to_string()))?
            .plaintext()
            .to_vec();
        let certificate = String::from_utf8(certificate_bytes)?;

        // This is definitely a secret
        let certificate_key = store
            .get("fastly-key")
            .ok_or_else(|| LookupError::InvalidSecretName("fastly-key".to_string()))?;

        // mTLS is currently only supported on dynamic backends
        let backend = Backend::builder("origin_0", "http-me.glitch.me")
            .enable_ssl()
            .override_host("http-me.glitch.me")
            .provide_client_certificate(certificate, certificate_key)
            .finish()?;

        Ok(req.send(backend)?)
    }
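
A pre-flight check for the two secret store entries read above, as an added example that is not Fastly's code. It assumes both entries hold PEM text; `pem_labels` and `check_client_credentials` are hypothetical helper names, and the sample input is constructed.

```rust
// Added example (not Fastly's code): sanity-check PEM material fetched from
// the secret store before it is handed to the backend builder.

/// Return the labels of all well-formed PEM blocks in `pem`, in order.
/// Errors on a BEGIN without a matching END (for example a truncated upload).
fn pem_labels(pem: &str) -> Result<Vec<String>, String> {
    let mut labels = Vec::new();
    let mut open: Option<String> = None;
    for line in pem.lines().map(str::trim) {
        if let Some(l) = line.strip_prefix("-----BEGIN ").and_then(|r| r.strip_suffix("-----")) {
            if open.is_some() {
                return Err(format!("nested BEGIN {l}"));
            }
            open = Some(l.to_string());
        } else if let Some(l) = line.strip_prefix("-----END ").and_then(|r| r.strip_suffix("-----")) {
            match open.take() {
                Some(o) if o == l => labels.push(o),
                _ => return Err(format!("unmatched END {l}")),
            }
        }
    }
    match open {
        Some(o) => Err(format!("unterminated block {o}")),
        None => Ok(labels),
    }
}

/// Hypothetical helper: fail closed if the entries are swapped, truncated or empty.
fn check_client_credentials(cert_pem: &str, key_pem: &str) -> Result<(), String> {
    let cert = pem_labels(cert_pem)?;
    let key = pem_labels(key_pem)?;
    if cert.is_empty() || cert.iter().any(|l| l != "CERTIFICATE") {
        return Err("certificate entry must contain only CERTIFICATE blocks".into());
    }
    if key.len() != 1 || !key[0].ends_with("PRIVATE KEY") {
        return Err("key entry must contain exactly one PRIVATE KEY block".into());
    }
    Ok(())
}

fn main() {
    // Constructed sample input; the bodies are placeholders, not real key material.
    let cert = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
    let key = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n";
    println!("{:?}", check_client_credentials(cert, key));
    println!("{:?}", check_client_credentials(key, cert)); // swapped entries
}
```

In the service above, the check would run on `certificate` and on the plaintext of `certificate_key` before `Backend::builder` is called, so a mis-stored entry stops the request with a clear error instead of surfacing as a handshake failure at the origin.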
