
Commit db4c329

Add Mutual TLS (mTLS) authentication section (#28113)
* Add Mutual TLS (mTLS) authentication section
* Change Privacy Pass tokens privacy level to High
* Update src/content/docs/privacy-proxy/concepts/authentication.mdx

Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com>

---------

Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com>
1 parent 2697ce6 commit db4c329

1 file changed

Lines changed: 19 additions & 2 deletions


src/content/docs/privacy-proxy/concepts/authentication.mdx

@@ -9,12 +9,13 @@ Privacy Proxy requires clients to authenticate before proxying traffic. This pag
99

1010
## Authentication methods
1111

12-
Privacy Proxy supports two authentication methods:
12+
Privacy Proxy supports three authentication methods:
1313

1414
| Method | Use case | Privacy level |
1515
| -------- | ---------- | --------------- |
1616
| Pre-shared key (PSK) | Proof of concept, testing | Lower |
17-
| Privacy Pass tokens | Production deployments | Higher |
17+
| Privacy Pass tokens | Client to server | High |
18+
| mTLS | Server to server | Higher |
1819

1920
---
2021

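Review bot: the Privacy level column in this hunk ranks mTLS ("Higher") above Privacy Pass tokens ("High"), which contradicts the Limitations text added later in this same commit, where the proxy identifying the client by its certificate is said to reduce privacy compared to Privacy Pass. Either swap the values so Privacy Pass stays "Higher" and mTLS becomes "Lower", or rename the column to say what it actually measures. The Use case column also now mixes two axes: the PSK row keeps a deployment-stage description (`Proof of concept, testing`) while the two rows below describe a traffic direction (`Client to server`, `Server to server`); pick one axis, or add a second column, so the three rows are comparable.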
@@ -134,6 +135,22 @@ For production deployments using Privacy Pass:
134135

135136
---
136137

138+
## Mutual TLS (mTLS)
139+
140+
[Mutual TLS (mTLS) authentication](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) ensures that traffic is both secure and trusted in both directions. The client presents a certificate to the proxy, and the proxy validates it before allowing the connection.
141+
142+
### How it works
143+
144+
The client includes a TLS client certificate during the TLS handshake. The proxy validates the certificate against a configured certificate authority (CA) and allows the connection if the certificate is trusted.
145+
146+
### Limitations
147+
148+
You must provision and manage certificates for each client or service. mTLS is designed for server-to-server communication, not for authenticating individual users. The proxy can identify the client by its certificate, which reduces privacy compared to Privacy Pass.
149+
150+
Use mTLS for server-to-server integrations where both parties are trusted services.
151+
152+
---
153+
137154
## Authentication in double-hop deployments
138155

139156
In [double-hop deployments](/privacy-proxy/concepts/deployment-models/#double-hop), authentication occurs at two levels:
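Review bot: the "How it works" paragraph says the proxy allows the connection if the certificate is trusted by the configured CA, but it does not say whether every certificate issued by that CA is accepted, whether revocation (CRL/OCSP) is checked, or how the proxy maps the certificate to a client identity in the double-hop model described in the section that follows; readers provisioning certificates need that to decide how narrowly to scope the CA. The section also lacks any pointer to where the CA is configured on the proxy, unlike the Privacy Pass section it follows, which ends with deployment guidance. Minor wording: "ensures that traffic is both secure and trusted in both directions" repeats "both"; "ensures that traffic is secure and trusted in both directions" reads cleaner.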
