Add template support for all host types to do client CA authorization

When an access list contains client CAs, the combined CA auth file is
added to all location blocks via an `if` statement. This allows
LetsEncrypt and other support paths to work, while correctly denying
access to the protected resources.

backend/internal/access-list.js

@@ -264,7 +264,6 @@ const internalAccessList = {
 				}, true /* <- skip masking */);
 			})
 			.then((row) => {
-				console.log(row);
 				return internalAccessList.build(row)
 					.then(() => {
 						if (row.proxy_host_count) {
@@ -603,7 +602,6 @@ const internalAccessList = {
 			});
 
 		const caCertificateBuild =  new Promise((resolve, reject) => {
-			// TODO: we need to ensure this rebuild is run if any certificates change
 			logger.info('Building Client CA file #' + list.id + ' for: ' + list.name);
 			let clientca_file = internalAccessList.getClientCAFilename(list);
 

backend/internal/proxy-host.js

@@ -74,7 +74,7 @@ const internalProxyHost = {
 				// re-fetch with cert
 				return internalProxyHost.get(access, {
 					id:     row.id,
-					expand: ['certificate', 'owner', 'access_list.[clients,items]']
+					expand: ['certificate', 'owner', 'access_list.[clientcas.certificate,clients,items]']
 				});
 			})
 			.then((row) => {
@@ -188,7 +188,7 @@ const internalProxyHost = {
 			.then(() => {
 				return internalProxyHost.get(access, {
 					id:     data.id,
-					expand: ['owner', 'certificate', 'access_list.[clients,items]']
+					expand: ['owner', 'certificate', 'access_list.[clientcas.certificate,clients,items]']
 				})
 					.then((row) => {
 						if (!row.enabled) {
@@ -225,7 +225,7 @@ const internalProxyHost = {
 					.query()
 					.where('is_deleted', 0)
 					.andWhere('id', data.id)
-					.allowGraph('[owner,access_list,access_list.[clients,items],certificate]')
+					.allowGraph('[owner,access_list.[clientcas.certificate,clients,items],certificate]')
 					.first();
 
 				if (access_data.permission_visibility !== 'all') {
@@ -308,7 +308,7 @@ const internalProxyHost = {
 			.then(() => {
 				return internalProxyHost.get(access, {
 					id:     data.id,
-					expand: ['certificate', 'owner', 'access_list']
+					expand: ['certificate', 'owner', 'access_list.[clientcas.certificate]']
 				});
 			})
 			.then((row) => {

backend/templates/_access.conf

@@ -1,4 +1,10 @@
 {% if access_list_id > 0 %}
+{% if access_list.clientcas.size > 0 %}
+    # TLS Client Certificate Authorization
+    if ($ssl_client_verify != "SUCCESS") {
+        return 403;
+    }
+{% endif %}
     {% if access_list.items.length > 0 %}
     # Authorization
     auth_basic            "Authorization required";

backend/templates/_certificates.conf

@@ -11,4 +11,10 @@
   ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
 {% endif %}
 {% endif %}
-
+{% if access_list_id > 0 -%}
+{% if access_list.clientcas.size > 0 %}
+  # Client Certificate Authorization ({{access_list.clientcas.size}} CAs)
+  ssl_client_certificate /data/clientca/{{ access_list_id }};
+  ssl_verify_client optional;
+{% endif %}
+{% endif %}