Does GitLab support Client Certificate Authentication?

Does GitLab support Client Certificate Authentication?
Does GitLab support Client Certificate Authentication via reverse proxy server?

I know there is a limitation about TLS Client authentication.
https://docs.gitlab.com/ce/administration/auth/ldap.html#tls-client-authentication

Thanks

I’m looking for this myself. I have TLS mutual auth enabled https://docs.gitlab.com/omnibus/settings/nginx.html#enable-2-way-ssl-client-authentication but that is only for TLS session and it looks like there is no way to pass that user id/authentication information to the GitLab application.

Did you find a way to authenticate via certificate?

I follow the link to enable ssl client certificate, but I can’t make it work in git client, I got fatal: unable to access ‘https://xxxx/xxxx/xxxx.git/’: The requested URL returned error: 400, I did configured. http.sslcert,http.sslkey,http.sslcainfo in git config --global, anything I missed?

yea, works well -Technicaly gitlab doesnt but nginx does.
This is just a basic example but it should get you somewhere.
I use this cind of stettings on my internal test server.

When you want to use the certificates with a runner or a registery edit first your CA settings - when you do so - be shure to edit the right patrt - in this case [ v3_ca ]


/etc/pki/tls/openssl.cnf
      ....
      [ v3_ca ]
      
      subjectAltName = @alt_names
      
      [ alt_names ]
      # DNS:FQDN (git.url.eu)
      IP.1 = 182.16.23.180
      IP.2 = 127.0.0.1
      IP.3 = 59.0.0.1

      DNS.1 = git.url.eu
      DNS.2 = dockertest.url.de
      ...

setup a CA

openssl req -x509 -newkey rsa:4096 -keyout gitlab.key  -out gitlab.crt -days 3650 -nodes -subj "/C=DE/ST=BE/L=BE/O=something/OU=nan/CN=Internal-Gitlab" -config /etc/pki/tls/openssl.cnf

Generate a client key and a csr

openssl req -out underknowledge.csr -new -newkey rsa:4096 -keyout underknowledge.key -nodes  -subj "/C=DE/ST=BE/L=BE/O=something/OU=nan/CN=Internal-Gitlab"

sing the key with the CA

openssl x509 -req -CA gitlab.crt -CAkey gitlab.key  -CAcreateserial -in underknowledge.csr -out underknowledge_cert.pem

Export your certificate a way your browser can understand

openssl pkcs12 -export -out certificate.pfx -inkey underknowledge.key -in underknowledge_cert.pem 

go to your browser into settings and look for Manage certificates or only certificates


Hit import and upload the previusly generated pfx

Thanks @Underknowledge, I did follow a similar guide in creating the self-signed server/client ssl key pairs.
After doing some research about enable 2 way SSL on nginx, I found out I made a mistake in configuring it, which is the nginx[‘ssl_client_certificate’], it should put the self-signed CA.crt, but I used the client.crt before, so I got the 400 error, after correct this, I have no problem to run git command using the same http.sslcert,http.sslkey,http.sslcainfo setting in git config --global.

Awesome!
Didnt knew that you could pass the sslcert in the git config- but always using ssh anyway.
Have to note that.

Any reason why ssh over https? Seems like to me both it’s encrypted should provide same level of security, seems github recommend https for the benefit of 2FA

Mostly just personal preference. I got my YubiKey always with me on my keychain, but not my KeePass file wich would contain the paswords.
as far as I can tell they recommend HTTPS that they don’t have to document ssh-agent and :22 might be blocked by firewalls 乁(ᴗ ͜ʖ ᴗ)ㄏ