Issue
I am currently working on a project where each micro-service has its own TLS certificate.
I am thinking of using Spring Gateway to address cross-cutting concerns like CSRF (using the double-submit pattern).
I would like the gateway to validate the CSRF token before proxying to the micro-services, to create a new CSRF value after each micro-service response, and to mutate the response to include the new CSRF value.
Since each micro-service (that the gateway is proxying to) has its own TLS certificate, is it possible to read and mutate the request before and after sending it to the micro-services?
I guess I am a little confused about how the gateway would work if it does not have the certificate to read the request.
Solution
The gateway will establish its own TLS connection. After that, the gateway will apply its filters and then proxy to a micro-service, establishing another TLS connection. In this scenario we will have 2 different TLS connections (from the client browser to the gateway, and from the gateway to the service).
In my scenario, I had micro-services with self-signed certificates. The gateway settings will need to include the public keys for each service to establish a TLS connection (since it will not be able to validate the certificate against a certificate authority). Spring Gateway allows us to do this within the application properties file:
spring:
  cloud:
    gateway:
      httpclient:
        ssl:
          trustedX509Certificates:
            - cert1.pem
            - cert2.pem
Lastly, I was able to validate the CSRF value within the gateway before proxying to the micro-services by creating a filter to do this. I have decided against changing the CSRF value on every request. For my use case I only needed to generate the CSRF token once for the user's session (I generated it once after the user signs in).
Answered By - Dan
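The gateway-side double-submit check described in the answer, written out as an added example (not Dan's code, and not part of Spring Cloud Gateway itself). It assumes the login flow has already issued the per-session token in a cookie named XSRF-TOKEN, that the browser echoes it in an X-XSRF-TOKEN header, and that the filter is registered as a GlobalFilter so it runs before any route is proxied:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpCookie;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/** Double-submit CSRF check applied at the gateway, before the request is proxied. */
@Component
public class CsrfDoubleSubmitFilter implements GlobalFilter, Ordered {

    // Cookie and header names are assumptions; use whatever the sign-in flow issues.
    static final String COOKIE_NAME = "XSRF-TOKEN";
    static final String HEADER_NAME = "X-XSRF-TOKEN";
    // Safe methods do not change state, so the check is skipped for them.
    private static final Set<HttpMethod> SAFE_METHODS =
            Set.of(HttpMethod.GET, HttpMethod.HEAD, HttpMethod.OPTIONS);

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        var request = exchange.getRequest();
        if (SAFE_METHODS.contains(request.getMethod())) {
            return chain.filter(exchange);
        }
        HttpCookie cookie = request.getCookies().getFirst(COOKIE_NAME);
        String header = request.getHeaders().getFirst(HEADER_NAME);
        if (cookie == null || header == null || !constantTimeEquals(cookie.getValue(), header)) {
            // Reject at the edge: the micro-service never sees the request.
            exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
            return exchange.getResponse().setComplete();
        }
        return chain.filter(exchange);
    }

    /** Compare the two copies of the token without leaking timing information. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public int getOrder() {
        return -1; // run ahead of the routing filters
    }
}
```

Because the gateway terminates the browser's TLS connection itself, it can read the cookie and header in clear text here and only then open its own TLS connection to the micro-service, which is the two-connection setup the answer describes.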