22 changes: 22 additions & 0 deletions mtls-app/Dockerfile
@@ -0,0 +1,22 @@
FROM golang:1.22-alpine AS builder

WORKDIR /src

COPY go.mod ./
COPY cmd ./cmd

RUN go build -o /out/mtls-server ./cmd/server && \
go build -o /out/mtls-client ./cmd/client

FROM alpine:3.20

RUN apk add --no-cache ca-certificates

WORKDIR /app

COPY --from=builder /out/mtls-server /usr/local/bin/mtls-server
COPY --from=builder /out/mtls-client /usr/local/bin/mtls-client

ENV APP_BIN=mtls-server

ENTRYPOINT ["/bin/sh", "-c", "exec /usr/local/bin/${APP_BIN}"]
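Review bot: the runtime stage never drops privileges, so whichever of `mtls-server` or `mtls-client` is selected runs as root in the final image and reads the mounted TLS private keys as root; add a dedicated account before the ENTRYPOINT (`RUN adduser -D -u 10001 app` then `USER app`) and make sure the generator leaves the key files readable by that uid, since the README already passes `HOST_UID`/`HOST_GID` to it for the host bind-mount case. Two smaller points in the same hunk: `COPY go.mod ./` brings no `go.sum`, which only works while the module has zero dependencies (the first third-party import makes the build stage fail at `go build`), and the two `go build` lines could pass `-trimpath -ldflags='-s -w'` so the shipped binaries carry neither build paths nor symbol tables.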
Comment on lines +20 to +22
Copilot AI Apr 1, 2026

ENTRYPOINT uses "/bin/sh -c" with an env-expanded APP_BIN, which allows shell injection if APP_BIN is ever influenced externally and makes the image harder to reason about. Prefer an exec-form ENTRYPOINT/CMD (and use Compose command: to select the binary) to avoid invoking a shell.

Suggested change
ENV APP_BIN=mtls-server
ENTRYPOINT ["/bin/sh", "-c", "exec /usr/local/bin/${APP_BIN}"]
# Default to running the mtls-server; override the command at runtime if needed.
ENTRYPOINT ["/usr/local/bin/mtls-server"]

11 changes: 11 additions & 0 deletions mtls-app/Dockerfile.certs
@@ -0,0 +1,11 @@
FROM alpine:3.20

RUN apk add --no-cache openssl

WORKDIR /work

COPY certs/generate-certs.sh /usr/local/bin/generate-certs.sh

RUN chmod +x /usr/local/bin/generate-certs.sh

ENTRYPOINT ["/usr/local/bin/generate-certs.sh"]
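Review bot: `certs/generate-certs.sh` is copied in and made the entrypoint but is not part of this diff, so the properties that matter for what it writes to `/certs` cannot be checked on this page. Before merging, confirm the script creates the `.key` files with mode 0600 (a `umask 077` at the top or a `chmod` after each `openssl` call), honours the `HOST_UID`/`HOST_GID` variables the README passes so the output is not left root-owned on the host directory, and puts a `subjectAltName` covering `localhost` and the Compose service name `mtls-server` on the server certificate: Go's verifier ignores the CN, and the README points the client at `https://localhost:8443` in one flow and at the service name in the other. Minor: with BuildKit the separate `RUN chmod +x` can become `COPY --chmod=0755 certs/generate-certs.sh /usr/local/bin/generate-certs.sh`.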
117 changes: 117 additions & 0 deletions mtls-app/README.md
@@ -0,0 +1,117 @@
# mTLS Go Sample

This sample demonstrates mutual TLS between a Go HTTPS server and a Go client. The server only accepts requests from clients that present a certificate signed by the shared demo CA, and the client verifies the server certificate before sending the request.

## Run with Docker Compose

```bash
docker compose up --build
```

What happens:

1. `cert-generator` creates a demo CA plus server and client certificates in a shared Docker volume.
2. `mtls-server` starts on `https://localhost:8443` and requires a valid client certificate.
3. `mtls-client` starts an API on `http://localhost:8080`.
4. Hitting `GET /hello` on the client API makes an mTLS request to `mtls-server` and returns the upstream response.

Try it:

```bash
curl http://localhost:8080/hello
```

## Run locally without Compose

Generate demo certificates:

```bash
docker build -t mtls-certs -f Dockerfile.certs .
docker run --rm \
-e HOST_UID="$(id -u)" \
-e HOST_GID="$(id -g)" \
-v "$(pwd)/certs-local:/certs" \
mtls-certs
```

Start the server:

```bash
SERVER_CERT_FILE="$(pwd)/certs-local/server.crt" \
SERVER_KEY_FILE="$(pwd)/certs-local/server.key" \
CA_CERT_FILE="$(pwd)/certs-local/ca.crt" \
go run ./cmd/server
```

In another terminal, run the client in API mode:

```bash
CLIENT_CERT_FILE="$(pwd)/certs-local/client.crt" \
CLIENT_KEY_FILE="$(pwd)/certs-local/client.key" \
CA_CERT_FILE="$(pwd)/certs-local/ca.crt" \
CLIENT_API_ADDR=":8080" \
SERVER_URL="https://localhost:8443/hello" \
go run ./cmd/client
```

Call the client API:

```bash
curl http://localhost:8080/hello
```

Optional: one-shot client mode (no API server) is still available by omitting `CLIENT_API_ADDR`.

## Big Payload Mode (50KB to 3MB)

Run the client in big payload mode:

```bash
CLIENT_CERT_FILE="$(pwd)/certs-local/client.crt" \
CLIENT_KEY_FILE="$(pwd)/certs-local/client.key" \
CA_CERT_FILE="$(pwd)/certs-local/ca.crt" \
CLIENT_API_ADDR=":8080" \
CLIENT_MODE="bigpayload" \
BIGPAYLOAD_SERVER_URL="https://localhost:8443/payload" \
go run ./cmd/client
```

The client exposes:

- `POST /bigpayload` for large payload testing
- request and response sizes must be between `51200` bytes (50KB) and `3145728` bytes (3MB)
- response size defaults to request size, but can be overridden with header `X-Response-Size-Bytes` or query `response_size_bytes`

Examples:

```bash
# 50KB request, 50KB response
head -c 51200 /dev/zero | curl -sS \
-X POST http://localhost:8080/bigpayload \
-H "Content-Type: application/octet-stream" \
--data-binary @- \
-o /tmp/resp-50kb.bin
wc -c /tmp/resp-50kb.bin
```

```bash
# 1MB request, 2MB response
head -c 1048576 /dev/zero | curl -sS \
-X POST "http://localhost:8080/bigpayload?response_size_bytes=2097152" \
-H "Content-Type: application/octet-stream" \
--data-binary @- \
-o /tmp/resp-2mb.bin
wc -c /tmp/resp-2mb.bin
```

```bash
# 3MB request, 3MB response
head -c 3145728 /dev/zero | curl -sS \
-X POST http://localhost:8080/bigpayload \
-H "Content-Type: application/octet-stream" \
--data-binary @- \
-o /tmp/resp-3mb.bin
wc -c /tmp/resp-3mb.bin
```

The client logs upstream payload sizes after every request, and the server logs the handled request/response sizes too.
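Review bot: the "Run locally without Compose" steps write the generator output into `certs-local/` (`-v "$(pwd)/certs-local:/certs"`), and this same PR commits `certs-local/ca.key`, `client.key`, `server.key` and `client.pem`; add `certs-local/` to `.gitignore` and remove the committed files, otherwise anyone who follows the documented steps puts a fresh set of keys straight back into their next commit. Two documentation points for the Big Payload section: the text says `50KB` and `3MB` while the numbers are 50 KiB (`51200`) and 3 MiB (`3145728`), so one of the two should change, and the section should state whether `mtls-server` enforces the upper bound itself (e.g. `http.MaxBytesReader` on the `/payload` handler) or relies on the client API to do it, because only a server-side limit protects the server from an oversized body sent directly over mTLS.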
19 changes: 19 additions & 0 deletions mtls-app/certs-local/ca.crt
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions mtls-app/certs-local/ca.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
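Review bot: this CA private key is already in the branch history, so deleting the file in a follow-up commit does not undo the exposure: anyone who fetched the branch can issue client certificates that `mtls-server` will accept (it trusts whatever `ca.crt` signs) and server certificates that `mtls-client` will accept. Treat the committed CA as burned: drop `certs-local/` from the tree, add it to `.gitignore`, and regenerate the whole chain with the generator so the `ca.crt` the services trust no longer corresponds to this key. For a demo CA that is a one-line re-run; what must not happen is keeping the committed `ca.crt` while only swapping the key, or the reverse.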
Comment on lines +1 to +28
Copilot AI Apr 1, 2026

These files contain a private key committed to the repository. Even for a demo, committing private keys is a security risk and encourages copying insecure patterns. Remove this key from version control and generate it at runtime (Docker volume) or via the provided cert generator; also ensure the local output directory is git-ignored.

Suggested change
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCVsgriekRzhpwK
Mt9m8x7es110R5LE4UX1gVMPlnEPZUkraNKc8aVodBzilnA/ORbjBg43QIgMfDyd
ErOVnw6CsffRAmQKErwFXPbpnLVl+RJGYE12kJbiaLmsZ9k+RNLERAS6CCEnDCuU
gyi4k1kW5pCaD1BffRolWmWaxeMJk4gmYBq3gzXEzuGfa/dk38J/PrmdB21d6nea
X8hQUBJnC3rPi1X+FZgkK/ZYGoJ9SE14M5o4t7j1BoBFC24mSzojMIGdToUx3olC
ItDnsSSynhP5+SkULQ4yXb9JFX3aVGY7oyvbeYt1VS/XjIh+BuFgN5dAnGRcsftt
gBsOCPm3AgMBAAECggEACF/yGPKTMs1knHN1KSrP3tC1GUTJ0sbxpYcLMROPFrfp
bIrMQaiJQvtABHM7K2ZTv/a+Q9wR4HTw5S6/Kk9APhKb1S8njqK2rywgyjgQs/hH
y/UmUExNjLQkMx+KOWAbVIyjoQ7EYA1fwMrHs+/Wa6ARlfTmX7k9hbp1db+9cHMh
Hb+lruu3HoAvX3A3Xr84y77Oacgze2mwnsthFUlvbuPE54QcPkUV9Txe2yaPH7bQ
FrM5o36O7ZCGu+5SwC5JHBxSho+kRIpv2dspmOeGx8CcxSf+Own6066M8KnrDCAS
1YDw4q/ukGRoRzOg5eJRUCtEy7wk4aW3PmbidmQ+sQKBgQDMUooPGRnQJW5ySN1Y
/wLVHfo0zh/MD5qWXPcyLFyuF6h5A8jKp5fO2cndLZneEvwRg/T9LOvw3oKHtkiH
kahLY55jMMjRZFzFOkeW9qSu41GFcz+nv01750BowV/ef8ZUdSjEOLf4h2aLAaSm
XLf0MrifaQ6QVmOXaNMvCCv4UQKBgQC7joUgj3ody9Tn4EYElYJ4gFS9vcpkNEqk
E9R4Ehwv4vCnbVxF1szO44NufHqMcoqHU0jRkkIZa9ckaJCmzGvSwdg+sIQ/gKd6
EcUhkbvfmsQW3l3xQMAFhbQJ9L7S+8yHCO3K18xYAzHetbmD1eLdOXbw7e+a2wKb
cr1oxj3XhwKBgQCZ3CHYgrdcdYN5DgOYy9ePMpbCguGQ4cMwLWt8Xcmg03HrRv1C
FfgMLRaEtp0ijLtCWVL3/4bgiD5VAeAWLopD0w1ndkoS2/e8EUntlWenxsgRrRqn
MDih8B8hg1S1ERUBboQ3Vtq6jQOb863QFQv1GOjMKelsqZEvaCF3TjkGMQKBgQCk
j9Hi1cCRsCxoHvGQSBYn4IF50bJo5TCwce20RD+TDI2WeW/Cn0soI5tIL9Peswk0
3zA/IRL59xLXkR+KGkZor0grCPmgNiO8CSdr4tByyvpODmFisitJLRzgt2tO9ztn
J8Bsf5d9iaASBmR1dg8Nh8QCdOIMfyj0d2IVMgtEtQKBgQCVyEthJe3TFOqx+Odt
vrZkSucRTNiFY1DfuQsPlTHx7xhrvyNQqjfY8Bf3iMXyg1Ja0t/XeF1x7J3GHEAC
mP4e2otQDTos/xyEVIOeL6AMfb+zYahE93ileO1+L25aY8XtndpwxRH6i8saPQ2/
5wASOQS0jdFswkQ1MRkkdJq05A==
-----END PRIVATE KEY-----
# ca.key
#
# This file intentionally does not contain a private key.
#
# A CA private key for local development should be generated at runtime
# (for example, into a Docker volume) or via the project's certificate
# generation tooling, and written to this path. Ensure that the directory
# containing the generated key is listed in .gitignore so the key is not
# added to version control.
#
# If you see errors about a missing CA key, run the local cert generator
# or follow the project's documentation to create a new key and certificate.

19 changes: 19 additions & 0 deletions mtls-app/certs-local/client.crt
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions mtls-app/certs-local/client.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
Comment on lines +1 to +28
Copilot AI Apr 1, 2026

This file contains a private key committed to the repository. Please remove it from version control and generate client keys/certs locally or in Docker volumes instead; ensure the generated directory is git-ignored.

Suggested change
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
# PLACEHOLDER ONLY – NO PRIVATE KEY COMMITTED
#
# A real client private key must NOT be stored in version control.
# Generate a client key locally or in your container/VM at runtime and
# place it at this path (mtls-app/certs-local/client.key), ensuring the
# containing directory is git-ignored or mounted as a secret/volume.
#
# Example (OpenSSL):
# openssl genrsa -out client.key 2048
#
# Refer to the project’s documentation for the recommended way to
# generate and provide mTLS client certificates in your environment.

47 changes: 47 additions & 0 deletions mtls-app/certs-local/client.pem
@@ -0,0 +1,47 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCnPd1wuhc8S92V
zqqyJnRs4kWyiblsqdcroUKxrJd/+4WFA0nB65OwySf7+LAU1zHEI7NH05WWxENb
278huay5m4KkeA/kSADKtN3mgk1wGRQ+ATMw5xqz3R94kXuP6pXGOj/RrtvtmwQu
tssOvvl/ZtnMYJ3mHafvGecSvt44ASfSepT9drqZ8jkhKDqoKtk4qC32WtK6ijvg
TLaKyPxHNGEet4H0/j4cGI5Xri28Ngqg3nSL2F3vZGVOnHrJQAcjkVAWHKnyu5iM
qtNN8Pm51mX1wleFP7gwaoXkmy4xMk7bW3ppxM27LBRqvhlR6+WOEb/cvHY5afT0
9acqtL8zAgMBAAECggEATa9ojeT7RxhsiRpzYwaG3U8sFfdwqP+pwgwJ6XNk+l+x
Comment on lines +1 to +8
Copilot AI Apr 1, 2026

client.pem embeds a private key (in addition to separate client.key/client.crt). Avoid committing private keys; also consider removing the redundant PEM bundle to reduce duplication/confusion and generate it on demand if needed.

EWzKFaiitaNzDdHipQOjC9uTe0FXAq4PJfvI6FcR2zPX9yMIKr+hkod6bglIBFK5
+uVezJAFcNg9tqlJjrvmr6o+G94QLepsgnCJmUNvrNTvRcb5gbtz1xaepjAAFF4A
uUr/8ZTRaf1IIXux3Jf4uyTQAPhr3fEvj4HD3G1DTOIL6QKPsx+G5EUn0WCE7YP+
t5CvmeucIr3zzoErKmUdSkq6lAe9lQcUtV1eGHy0aWTsOvf1NGhXxNCFlyTNjUpQ
IlVZBZikw5+6skQIROEHrwl7Cnf0/E8X+LdwlrlsgQKBgQDVbmgPbS8Fir9LCGDX
yDuHTXT1y1Aes5zqgNhDoNY5NRHerCV2shMgFw1ZDrsh+bYeTypHTMT3l5yHehjy
wMS8NHnYTjU7PvotLL7H7VbcxSZL90+EXUQ9/4pWMAgZs1NRsKmT+pdaSaqvHgQ/
WrgrY/J34/kTxDuFJfUIwMc+gQKBgQDImQ/IUwZLq+Z7/jchWNqAA2oOIK+3TKb6
cK23oPm/irrHRvOi5XJ7SOKoZCEuVICnHDI/XQLXZhJTg68Qm6RWQO9bTPUa4Vhd
Q6yxfu13hv1x6xJqPR1PhVUBQEMiq0HVGolfbGr7okZ02k2Pd+qbm9oyt7i2rcZ5
ds1g3nSLswKBgAzXSq167TRRJ7c09taktmgqkdnj9JsURWGahOh0uc7RUZTrGInu
ptXsbSIpj7q4kmt6adnGVadr2MAR6YRZcry8D4SjF/LLlDO5mHTg47P+rJIve/pD
vkJYqJMM6r/ZGS82CM3datPE0N8eWDUTmTcLGWB7N9YnnUkign6XUqWBAoGBAMgk
TybkD2f4vyH/ZioTaQ5IWcx2uFr+U6uUOP750bVWST0CgZuJqktvURYJsUF0dlhF
Pa0Ss/8NjENfI5BCehjE+QvzIKoNJAkJuIfvyCZ1vPGoRNtS1qe8tC9nWpSAolJp
A579oVAnfHyiQrheQOm4+l+YBufdQiV2bzuzOD0ZAoGASyTqy96n1k/MA705yZbG
1b7GhCU4ifR9W6FYFa2vcIfzVXtARCin6EeKngOuWl1vLOy9OoQYbupaR0jc7l46
5kM788vWVyj2rccNDKfFuqlrRk3BWjBvXeY6f7F6mCelQFXd6Q9mCFovr23eAqdu
o0ezp5dWuCbfkINBjafZVHY=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
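Review bot: `client.pem` bundles the private key with the certificate, and as far as this diff shows nothing consumes it: the README configures the client with separate `CLIENT_CERT_FILE` and `CLIENT_KEY_FILE`, and the Compose flow reads the generator's output from the shared volume. Delete the file rather than replacing it with a placeholder; a key-plus-cert bundle is exactly the artifact that ends up in a `curl --cert client.pem` one-liner or pasted into a ticket, and this one is the key block that renders in full on this page.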
20 changes: 20 additions & 0 deletions mtls-app/certs-local/server.crt
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions mtls-app/certs-local/server.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCGsc5jWJjzga+4
KIOzv2Skyv3i5PZE/vCmZKkUrD8KdkkA/meeFWrxPq68+0ZCIHaLG7tUea4lHl9L
m1dsXSKxDKfk/DbA8BaGFsgUnYFbNwBLNnzCGu8mHx7Gw45ojSF2MBftQs2IiMQA
fJCQJ73AMRj+DGm228YD9jv2nvU6TmxvsSrdUIVaE9bbEh1cnwwOp4xmYTRrN+4N
S8eDprdOqLfhfs+Mcr+nfMbblK9geHu1aYsmaE0HCU41HSOGbqiqKO/SqokTKpc2
Ov5RLBsAzmtgkOzUQKixlaFl9rqvaez9kMk6A0Na2xT+BiSOBlcV3mBLXnvK3n+B
DNOX87i3AgMBAAECggEAICrrqt84XANPV3BZj754R0DxZFQhGnY2O87TcIv4XEPG
iJW5YlAkI6xAKALskxNUrEE5umF6/QNlZ9WYCdmuVNE8cZvoaaiNAIYFT6MUBxg6
GjxPjD3JenW5MGf4pTB7WtH+jNvE4UQkZydYkQzkrLctDFMjlhejkUOnq2zoDP3g
Bg5LdCS6AfHjSS/IqAZEO0uev1trY/jlsV3+R1u6biqPuOsMgGQR8gcu3b/tlzUM
1OkuyZhvgVoLPZtHhAkEHPLMWyWe9Zqlvvq9IoAKBwAPb9APpC0ROA8U/OQD/r4Y
3G4M6JhRMG8qNWndwzEz6NJQuLtMzsj6u1tHTGoZYQKBgQC7KGXxsFE60250VCz4
iMGlQXehpoSKg72tS9Pbu0Iv2qcioGbSZkezzqHzvIvsuaJQ6fmYtOTJ6lpYisa/
z1cImFw0Ok2I7A2FbVbzDdrIEddAZKDnrgttj6wl6FgIypiFIP1AT62rMy8VPnpE
c5vlOQdODsE8yKfE2us5ZJRClwKBgQC4PTzarbGKBr3mLWBK7sF8RKGViKHgD8Ig
udGf4k0HU/9DI1Q9C7oiLhGcmUat+aViTN9QRlRdFDwQRkkwIW6WzeXuzKFNdxPa
7Ht1z9kKIY/pcEFR1On2EOvP+KKhZPF4cDFoeGjIpay5ev7+/bP00ZM9ujBnGsjM
Y9bTwVSe4QKBgBYTM8MIGuynV5Xc/9jouH53dFbavzNfSpYQJZL7SVk/nwsUhEw4
yChLLQsEqDRpyN1mW4xJedrfC3z6EWs6V3eqEOYQImkN/qJIPUM51R5YDF2KAPiS
rMJledaWyxtuWgMJ2xUk0MUqqlkFH4LHaBHnYhcw4lX7DN7JO4lvdZVNAoGADNpY
0Hillhd6UACCYzfcz6qKC0CI6nSu+lF8SkcjUIuPl0NzsP6Mca39FIus3p4352+t
dJAzenra5dfBa1YpvOOIUux7pEfWXsN4qXNilM5al9J4/Bh6aewsR0n1LoU4Q0qw
Z7VeugC02Au4lllkoIOuXfQLRGYd9ARTDFrEaIECgYEAjeUs9maFqWo2LMVH+0Hd
BywcXi6+ZZNFmWrVie3MYud02npWHzNfc3eG2Z2zoREnHquH2c21uzrh+Fp6G5y6
XdD2Crgl+vJw5pgB16QPrT45RU3I1iEh5B/jUXfgqxfsg9LmQnHEcvoSPBNk0bhi
KOcu03kbwWjH5ytS/Ig6XYw=
-----END PRIVATE KEY-----
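Review bot: the same history problem as `ca.key` applies here (removing the file later does not unpublish it), so `server.key` must be regenerated along with the CA rather than just deleted. While the generator is being touched anyway: the `BgkqhkiG9w0BAQEF` prefix identifies this as a PKCS#8 RSA key and the ~1.2 KB size makes it RSA-2048, which is fine for a demo, but an ECDSA P-256 key (`openssl ecparam -genkey -name prime256v1`) gives smaller certificates and cheaper handshakes for the big-payload tests and Go's `tls.LoadX509KeyPair` accepts it unchanged.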
Comment on lines +1 to +28
Copilot AI Apr 1, 2026

This file contains a private key committed to the repository. Remove it from version control and rely on generated certs (e.g., via certs/generate-certs.sh) for local runs; add the output directory to .gitignore so keys aren’t re-added accidentally.

Suggested change
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
# Private key intentionally not committed.
# Generate local development certificates and keys using the provided script,
# for example:
# ./certs/generate-certs.sh
#
# Ensure the output directory for generated certificates/keys is listed
# in .gitignore so that private keys are not accidentally re-added to
# version control.
