
Header Cert Authentication
Configuration
An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure 4xx. Note that this value must refer to the consumer id or username attribute, and not its custom_id.
Certificate property to use as the authenticated group. Valid values are CN (Common Name) or DN (Distinguished Name). Once skip_consumer_lookup is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.
Allowed values: CN, DN
Default: CN
A string representing a host name, such as example.com.
A string representing a host name, such as example.com.
Controls client certificate revocation check behavior. If set to SKIP, no revocation check is performed. If set to IGNORE_CA_ERROR, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn’t fail on network issues. If set to STRICT, the plugin only treats the certificate as valid when it’s able to verify the revocation status.
Allowed values: IGNORE_CA_ERROR, SKIP, STRICT
Default: IGNORE_CA_ERROR
If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
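
The settings described above interact: the anonymous fallback, skip_consumer_lookup without the ACL plugin, and the revocation mode each widen who gets through. The audit below checks a plugin list for those three conditions. It is an added example, not Kong's code; the key names anonymous and revocation_check_mode, the plugin names header-cert-auth and acl, the skip_consumer_lookup default of false, and the sample data are assumptions.

```python
# Added example: audit helper, not Kong's code. Key names other than
# skip_consumer_lookup are assumed (the page gives descriptions only).
DEFAULTS = {"anonymous": None,               # page: default null
            "skip_consumer_lookup": False,   # assumed default
            "revocation_check_mode": "IGNORE_CA_ERROR"}  # page: default


def audit(plugins):
    """Return findings for each header-cert-auth entry in a plugin list.

    `plugins` is a list of dicts shaped like {"name": ..., "config": {...}},
    all attached to the same Service or Route.
    """
    has_acl = any(p.get("name") == "acl" for p in plugins)
    findings = []
    for p in plugins:
        if p.get("name") != "header-cert-auth":
            continue
        cfg = {**DEFAULTS, **(p.get("config") or {})}
        mode = cfg["revocation_check_mode"]
        if mode == "SKIP":
            findings.append("revocation: SKIP performs no revocation check")
        elif mode == "IGNORE_CA_ERROR":
            findings.append("revocation: IGNORE_CA_ERROR does not fail on "
                            "network issues; use STRICT to fail closed")
        elif mode != "STRICT":
            findings.append(f"revocation: unknown mode {mode!r}")
        if cfg["skip_consumer_lookup"] and not has_acl:
            findings.append("access: skip_consumer_lookup without ACL lets "
                            "any client with a valid certificate through")
        if cfg["anonymous"]:
            findings.append("fallback: failed authentication is mapped to "
                            f"consumer {cfg['anonymous']!r} instead of 4xx")
    return findings


# Constructed sample input (consumer and group names are made up).
WEAK = [{"name": "header-cert-auth",
         "config": {"skip_consumer_lookup": True, "anonymous": "guest"}}]
HARDENED = [{"name": "header-cert-auth",
             "config": {"skip_consumer_lookup": True,
                        "revocation_check_mode": "STRICT"}},
            {"name": "acl", "config": {"allow": ["api-clients"]}}]

if __name__ == "__main__":
    for label, plugins in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(plugins) or "no findings")
```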