Client certificate support

[jpros]

Based on PR #2956, with Rebased code and tested.

--
Original PR:

This PR adds client-certificate support to nginx-proxy-manager. Closes #768. Relates to #622.

A new SSL certificate is defined - "client certificate authority" - which allows uploading client CA certificates. These can then be assigned to Access Lists via the UI or API, and finally the Access List assigned to a host, which will thus enable Client Certificate Authorization for mutual TLS connections to the host.

This includes a slight revamp of the access-list system to implement client IP checks as geo directives. This allows the "Drop Unauthorized" function to simply not respond to clients from the wrong IP address, as well as allowing "Satisfy All" and "Satisfy Any" to include Client CA functionality - namely, using Satisfy Any is it possible to selectively require client certificates from some networks but not others (in my household the primary use-case of this is for Home Assistant to require certificates from the internet but not the local network).

[jpros]

@jc21 looks like the Develop branch is breaking the CI. Let me know when it's fixed so I can rebase and update the PR.

[jpros]

@jc21 looks like there is something wrong with the SQLite test on the CI

[jpros]

@jc21 PR rebased.

[jc21]

CI is showing errors across multiple integration tests:

[Backend API] POST http://fullstack:81/api/nginx/certificates/1/upload
[Backend API] Axios Error: AxiosError: Request failed with status code 400

Error: Certificate is not valid (Could not determine subject from certificate: subject=O=mkcert development certificate, OU=root@616f8b34a315)

In testing, mkcert is used to create custom certs. It attempts to upload them via the api. Your changes to the subject extraction don't seem to work for different certs.

In addition to that, the Swagger schema is failing linting:

00:16:08  cypress-1  |  > results/swagger-schema.json
00:16:08  cypress-1  |  ----------------------------------------------------------------------------------------------------------
00:16:08  cypress-1  | 
00:16:08  cypress-1  | results/swagger-schema.json:777:21   ▲           media type schema property `clientcas` is missing `examples` or `example`   
00:16:08  cypress-1  | $.paths['/nginx/access-lists'].get.responses['200'].content['application/json'].schema.properties['clientcas']
00:16:08  cypress-1  | rule: oas3-missing-example  category: Examples
00:16:08  cypress-1  | 
00:16:08  cypress-1  | results/swagger-schema.json:1341:21  ▲           media type schema property `clientcas` is missing `examples` or `example`   
00:16:08  cypress-1  | $.paths['/nginx/access-lists'].post.responses['201'].content['application/json'].schema.properties['clientcas']
00:16:08  cypress-1  | rule: oas3-missing-example  category: Examples
00:16:08  cypress-1  | 
00:16:08  cypress-1  | results/swagger-schema.json:1742:21  ▲           media type schema property `clientcas` is missing `examples` or `example`   
00:16:08  cypress-1  | $.paths['/nginx/access-lists/{listID}'].get.responses['200'].content['application/json'].schema.properties['clientcas']
00:16:08  cypress-1  | rule: oas3-missing-example  category: Examples
00:16:08  cypress-1  | 
00:16:08  cypress-1  | results/swagger-schema.json:2317:21  ▲           media type schema property `clientcas` is missing `examples` or `example`   
00:16:08  cypress-1  | $.paths['/nginx/access-lists/{listID}'].put.responses['200'].content['application/json'].schema.properties['clientcas']
00:16:08  cypress-1  | rule: oas3-missing-example  category: Examples
00:16:08  cypress-1  | 
00:16:08  cypress-1  | results/swagger-schema.json:4514:19  ▲           missing property 'drop_unauthorized'                                        
00:16:08  cypress-1  | $.paths['/nginx/proxy-hosts'].get.responses['200'].content['application/json'].examples['default']
00:16:08  cypress-1  | rule: oas3-valid-schema-example  category: Examples
00:16:08  cypress-1  | 
00:16:08  cypress-1  | results/swagger-schema.json:5752:19  ▲           missing property 'drop_unauthorized'                                        
00:16:08  cypress-1  | $.paths['/nginx/proxy-hosts'].post.responses['201'].content['application/json'].examples['default']
00:16:08  cypress-1  | rule: oas3-valid-schema-example  category: Examples
00:16:08  cypress-1  | 
00:16:08  cypress-1  | results/swagger-schema.json:6805:19  ▲           missing property 'drop_unauthorized'                                        
00:16:08  cypress-1  | $.paths['/nginx/proxy-hosts/{hostID}'].get.responses['200'].content['application/json'].examples['default']
00:16:08  cypress-1  | rule: oas3-valid-schema-example  category: Examples
00:16:08  cypress-1  | 
00:16:08  cypress-1  | results/swagger-schema.json:8050:19  ▲           missing property 'drop_unauthorized'                                        
00:16:08  cypress-1  | $.paths['/nginx/proxy-hosts/{hostID}'].put.responses['200'].content['application/json'].examples['default']
00:16:08  cypress-1  | rule: oas3-valid-schema-example  category: Examples

[jpros]

Awesome @jc21, for some reason I didn't see those errors on CI, only the SQLite one.

I'll check, fix those, and report back. Thanks for the feedback.

[nginxproxymanagerci]

Docker Image for build 5 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5563

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!

[jpros]

@jc21 updated and fixed the issues 😃

[jc21]

This is going to need significant testing for all combinations of access lists options.