Move examples repo into main repo (#1102)

examples/mutual-tls/Dockerfile

@@ -0,0 +1,11 @@
+FROM golang:latest as build-env
+
+WORKDIR /go/src/app
+ADD . /go/src/app
+
+RUN go get -d -v ./...
+RUN go install -v ./...
+
+FROM gcr.io/distroless/base
+COPY --from=build-env /go/bin/app /
+CMD ["/app"]

examples/mutual-tls/README.md

@@ -0,0 +1,85 @@
+# Mutual Authenticated TLS Example
+
+A tiny go http server that enforces client certificates and can be used to test mutual TLS with Pomerium.
+
+## TL;DR
+
+### Pomerium config
+
+```yaml
+# See detailed configuration settings : https://www.pomerium.io/reference/
+authenticate_service_url: https://authenticate.corp.domain.example
+authorize_service_url: https://authorize.corp.domain.example
+
+# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
+idp_provider: google
+idp_client_id: REPLACE_ME
+idp_client_secret: REPLACE_ME
+
+policy:
+  - from: https://mtls.corp.domain.example
+    to: https://localhost:8443
+    allowed_domains:
+      - domain.example
+    tls_custom_ca_file: "/Users/bdd/examples/mutual-tls/out/good-ca.crt"
+    tls_client_cert_file: "/Users/bdd/examples/mutual-tls/out/pomerium.crt"
+    tls_client_key_file: "/Users/bdd/examples/mutual-tls/out/pomerium.key"
+
+  - from: https://httpbin.corp.domain.example
+    to: https://httpbin.org
+    allow_public_unauthenticated_access: true
+```
+
+### Docker-compose
+
+```yaml
+version: "3"
+services:
+  pomerium:
+    image: pomerium/pomerium:latest
+    environment:
+      - CERTIFICATE
+      - CERTIFICATE_KEY
+      - COOKIE_SECRET
+    volumes:
+      # Mount your config file : https://www.pomerium.io/reference/
+      # be sure to change the default values :)
+      - ./example.config.yaml:/pomerium/config.yaml:ro
+    ports:
+      - 443:443
+
+  mtls:
+    image: pomerium/examples:mtls
+    environment:
+      - TLS_CERT
+      - TLS_KEY
+      - CLIENT_CA
+    ports:
+      - 8443:8443
+```
+
+## Generate some certificates
+
+This can be done a myriad of ways. The easiest for testing is probably using [certstrap](https://github.com/square/certstrap).
+
+See [scripts/generate_certs.sh](scripts/generate_certs.sh)
+
+## Run the server
+
+Certificates can be set using the following base 64 encoded [environmental variables](env). For example,
+
+```bash
+source ./env && go run main.go
+```
+
+## Test the server with curl
+
+See [scripts/curl.sh](scripts/curl.sh)
+
+## Docker
+
+Pull `pomerium/examples:mtls` or see [Dockerfile](Dockerfile)
+
+## Configuring Pomerium
+
+See [example.config.yaml](example.config.yaml)

examples/mutual-tls/docker-compose.yaml

@@ -0,0 +1,23 @@
+version: "3"
+services:
+  pomerium:
+    image: pomerium/pomerium:latest
+    environment:
+      - CERTIFICATE
+      - CERTIFICATE_KEY
+      - COOKIE_SECRET
+    volumes:
+      # Mount your config file : https://www.pomerium.io/reference/
+      # be sure to change the default values :)
+      - ./example.config.yaml:/pomerium/config.yaml:ro
+    ports:
+      - 443:443
+
+  mtls:
+    image: pomerium/examples:mtls
+    environment:
+      - TLS_CERT
+      - TLS_KEY
+      - CLIENT_CA
+    ports:
+      - 8443:8443

examples/mutual-tls/example.config.yaml

@@ -0,0 +1,24 @@
+# See detailed configuration settings : https://www.pomerium.io/reference/
+authenticate_service_url: https://authenticate.corp.domain.example
+authorize_service_url: https://authorize.corp.domain.example
+
+# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
+idp_provider: google
+idp_client_id: REPLACE_ME
+idp_client_secret: REPLACE_ME
+
+policy:
+  - from: https://mtls.corp.domain.example
+    to: https://localhost:8443
+    allowed_domains:
+      - domain.example
+    #good-ca.crt
+    tls_custom_ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU1RENDQXN5Z0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFTTVJBd0RnWURWUVFERXdkbmIyOWsKTFdOaE1CNFhEVEU1TURneE1ERTNOREF3TWxvWERUSXhNREl4TURFM05EQXdNbG93RWpFUU1BNEdBMVVFQXhNSApaMjl2WkMxallUQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUw3b2VldEovNmNFCkdicTcvanNtcU9FM2VyVE1aRHR0eFM4STVGV1c0TkRXbWNpOE5IdWRMZDhlM1JtOEh6Y09jSjRQL0ErcDVsYmsKTjhySzY4OUlsQzhqM28yaEhSdEk2T21saFY3NEoxaUlIOGtkSXU2V2xPMWtOdUx5dGRrbjhRaytJOUNEWjlGSAorZzhRbnVka0tMUWJkZFdDVXJzUjR4cEcyK0VkNWdua0JJNG4zbmNLMFgvWEZocWhDTEU1eFBaQk5OWktGbHJxCm1lYUl4dHoyc2ZvWVY1NmcwMnNGS1QxSUlMNTVFMG14djRUa2JtSWw5Rk9qZEtCdkhFZnJHeXl5OFRGTHErUzMKTXo2em9xNDhuOEhGMUc5cHBLVk9OMUp0Mks1UWEvV2hpbjVrcWNhYTNwNE0vN2tiNmtxU0tMWG1iN0gyN3kvVQpEYjZDUG01d2lodjA2c1FobXN2MHhuS2hqMm8vQzhlcWxzNzZZWDF1Y2NqMzlmSTRlQ1E4cENFbTlVcDh5ZkkvCkxlYVpXbGE0NEZneWw3N1lyc2MvM0U5dk1hS0ZVeGRjR3VtMXQrNUZZYWpkY0EvTlFreTJBeTJqcHRwVXV1SFUKNnhYSzdEcXY5Z01jQS8zM1VYOFpHZklPRk0rY3FlOTQxaTVPT1hGSHJoRDlqeTRQR2M4Z2kxSTRyK1VXd0tCYgoxSGg1clQ3ckJZK1NLTTBzZmtpQlZ1RU9pbnk2dDF1Z2tEdjY4dXNFWFlIWlZXaWl6b1hmcDVHbjZmckUvd1IxCkRkak13TGEvT2tQTnVEVVQ4eU1GS2hWRnFHcXdHQzY2bys1cjQyMlVwa0s4SHJ5K2tsQ3pUTys3U0RodTJiWk4KUVFGT0NLSVVldnR3bGdabVBNck1BNTZ3dzVSSnNhVnhBZ01CQUFHalJUQkRNQTRHQTFVZER3RUIvd1FFQXdJQgpCakFTQmdOVkhSTUJBZjhFQ0RBR0FRSC9BZ0VBTUIwR0ExVWREZ1FXQkJSNTRKQ3pMRlg0T0RTQ1J0dWNBUGZOCnVYVnpuREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBZituUmpBVnZuT0pSckpBQWpKWVY3aVF3bHExUXZYRGcKbHZhY0JoVFJyWFh4OW5GaVRZUzV4MkFMbXZ5WHhubTdIS2VDSUZEclJwOE5MVFkyYjJXR01BcTFxc3JBT0QvegpTNmNSSW1OQ21QNmd0UHNUNDlabzBYajNrZjZyTXBPeHBiSUlnSmZMY056UGZpL25jeC9oRDNBOHl6Zk4wQTZZCnFFd2QvSkZPajdEa3RaQmdlSXZETlJXS0pveEpJRlZ4anJqLzFiVmkxZTRWVjVvWmhOako4SzlyV1FRK1EvK3QKZ3lGK0sycGxDQ1RiRWR6eU9heDY1djh5UDJ5RCs2WkFIRk9sRjI2TnZpUkw4OWJ1VHIwaEpZa0N5VXZ3MmJZaQo4Q3MyWDZkd0NDdXVhZUdVR2VRemszMGxQeUdWSmVKL3ZJMGJRSzlpZ2I5dFozY3d0WHBQdjN6a1B1TDE3d01WCitCMXo2RW1HZVVLNXlTQ0xFWjc2aVliNU0vY3ZjTUVOMWdoeFNIN0FmaDhMS0c0eWszT21SQ253akVqdTFhaWoKZGs3cjJuc0xmYU9KWFBRNU1wMzRYU1ltdTlpTVl0VytMbWZiSDJxMW9vS3dKZDhHNVhhRWRmQmpHUEQ5Q3FkWAphSlh0MDA0cVdsalJOS3p1MFNFRmJ6UldGNHRoeXlUTzE4QVI4eTNHV0Vwak95amdKSzlFeU1sQm9Qa3RYQVVVCjZzTFhqT3ZZU0ovd202NUhxVVZBTTVsRy96WVN3TGdCTDAwc1pJKzVGa0QwblU0Rkx6QWRLV05LWkRXZFVNbUwKVi9lV0ZGNGwwVFBvNTVhM0pUL1BGc2J0RFBLVWxvWVFXeTFybmFqR3J1L0Y5bGRCcHB1bUVUa2FOS2ZWT05Jcgp4cERnc1FhVkVXOD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+    # pomerium.crt
+    tls_client_cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVJVENDQWdtZ0F3SUJBZ0lSQVBqTEJxS1lwcWU0ekhQc0dWdFR6T0F3RFFZSktvWklodmNOQVFFTEJRQXcKRWpFUU1BNEdBMVVFQXhNSFoyOXZaQzFqWVRBZUZ3MHhPVEE0TVRBeE9EUTVOREJhRncweU1UQXlNVEF4TnpRdwpNREZhTUJNeEVUQVBCZ05WQkFNVENIQnZiV1Z5YVhWdE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBCk1JSUJDZ0tDQVFFQTY3S2pxbVFZR3EwTVZ0QUNWcGVDbVhtaW5sUWJEUEdMbXNaQVVFd3VlSFFucnQzV3R2cEQKT202QWxhSk1VblcrSHU1NWpqb2thbEtlVmpUS21nWUdicVV6VkRvTWJQRGFIZWtsdGRCVE1HbE9VRnNQNFVKUwpEck80emROK3pvNDI4VFgyUG5HMkZDZFZLR3k0UEU4aWxIYldMY3I4NzFZalY1MWZ3OENMRFg5UFpKTnU4NjFDCkY3VjlpRUptNnNTZlFsbW5oTjhqMytXelZiUFFOeTFXc1I3aTllOWo2M0VxS3QyMlE5T1hMK1dBY0tza29JU20KQ05WUlVBalU4WVJWY2dRSkIrelEzNEFRUGx6ME9wNU8vUU4vTWVkamFGOHdMUytpdi96dmlTOGNxUGJ4bzZzTApxNkZOVGx0ay9Ra3hlQ2VLS1RRZS8za1BZdlFBZG5sNjVRSURBUUFCbzNFd2J6QU9CZ05WSFE4QkFmOEVCQU1DCkE3Z3dIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUIwR0ExVWREZ1FXQkJRQ1FYbWIKc0hpcS9UQlZUZVhoQ0dpNjhrVy9DakFmQmdOVkhTTUVHREFXZ0JSNTRKQ3pMRlg0T0RTQ1J0dWNBUGZOdVhWegpuREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBcm9XL2trMllleFN5NEhaQXFLNDVZaGQ5ay9QVTFiaDlFK1BRCk5jZFgzTUdEY2NDRUFkc1k4dll3NVE1cnhuMGFzcSt3VGFCcGxoYS9rMi9VVW9IQ1RqUVp1Mk94dEF3UTdPaWIKVE1tMEorU3NWT3d4YnFQTW9rK1RqVE16NFdXaFFUTzVwRmNoZDZXZXNCVHlJNzJ0aG1jcDd1c2NLU2h3YktIegpQY2h1QTQ4SzhPdi96WkxmZnduQVNZb3VCczJjd1ZiRDI3ZXZOMzdoMGFzR1BrR1VXdm1PSDduTHNVeTh3TTdqCkNGL3NwMmJmTC9OYVdNclJnTHZBMGZMS2pwWTQrVEpPbkVxQmxPcCsrbHlJTEZMcC9qMHNybjRNUnlKK0t6UTEKR1RPakVtQ1QvVEFtOS9XSThSL0FlYjcwTjEzTytYNEtaOUJHaDAxTzN3T1Vqd3BZZ3lxSnNoRnNRUG50VmMrSQpKQmF4M2VQU3NicUcwTFkzcHdHUkpRNmMrd1lxdGk2Y0tNTjliYlRkMDhCNUk1N1RRTHhNcUoycTFnWmw1R1VUCmVFZGNWRXltMnZmd0NPd0lrbGNBbThxTm5kZGZKV1FabE5VaHNOVWFBMkVINnlDeXdaZm9aak9hSDEwTXowV20KeTNpZ2NSZFQ3Mi9NR2VkZk93MlV0MVVvRFZmdEcxcysrditUQ1lpNmpUQU05dkZPckJ4UGlOeGFkUENHR2NZZAowakZIc2FWOGFPV1dQQjZBQ1JteHdDVDdRTnRTczM2MlpIOUlFWWR4Q00yMDUrZmluVHhkOUcwSmVRRTd2Kyt6CldoeWo2ZmJBWUIxM2wvN1hkRnpNSW5BOGxpekdrVHB2RHMxeTBCUzlwV3ppYmhqbVFoZGZIejdCZGpGTHVvc2wKZzlNZE5sND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+    # pomerium.key
+    tls_client_key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcGdJQkFBS0NBUUVBNjdLanFtUVlHcTBNVnRBQ1ZwZUNtWG1pbmxRYkRQR0xtc1pBVUV3dWVIUW5ydDNXCnR2cERPbTZBbGFKTVVuVytIdTU1ampva2FsS2VWalRLbWdZR2JxVXpWRG9NYlBEYUhla2x0ZEJUTUdsT1VGc1AKNFVKU0RyTzR6ZE4rem80MjhUWDJQbkcyRkNkVktHeTRQRThpbEhiV0xjcjg3MVlqVjUxZnc4Q0xEWDlQWkpOdQo4NjFDRjdWOWlFSm02c1NmUWxtbmhOOGozK1d6VmJQUU55MVdzUjdpOWU5ajYzRXFLdDIyUTlPWEwrV0FjS3NrCm9JU21DTlZSVUFqVThZUlZjZ1FKQit6UTM0QVFQbHowT3A1Ty9RTi9NZWRqYUY4d0xTK2l2L3p2aVM4Y3FQYngKbzZzTHE2Rk5UbHRrL1FreGVDZUtLVFFlLzNrUFl2UUFkbmw2NVFJREFRQUJBb0lCQVFEQVQ0eXN2V2pSY3pxcgpKcU9SeGFPQTJEY3dXazJML1JXOFhtQWhaRmRTWHV2MkNQbGxhTU1yelBmTG41WUlmaHQzSDNzODZnSEdZc3pnClo4aWJiYWtYNUdFQ0t5N3lRSDZuZ3hFS3pRVGpiampBNWR3S0h0UFhQUnJmamQ1Y2FMczVpcDcxaWxCWEYxU3IKWERIaXUycnFtaC9kVTArWGRMLzNmK2VnVDl6bFQ5YzRyUm84dnZueWNYejFyMnVhRVZ2VExsWHVsb2NpeEVrcgoySjlTMmxveWFUb2tFTnNlMDNpSVdaWnpNNElZcVowOGJOeG9IWCszQXVlWExIUStzRkRKMlhaVVdLSkZHMHUyClp3R2w3YlZpRTFQNXdiQUdtZzJDeDVCN1MrdGQyUEpSV3Frb2VxY3F2RVdCc3RFL1FEcDFpVThCOHpiQXd0Y3IKZHc5TXZ6Q2hBb0dCQVBObzRWMjF6MGp6MWdEb2tlTVN5d3JnL2E4RkJSM2R2Y0xZbWV5VXkybmd3eHVucnFsdwo2U2IrOWdrOGovcXEvc3VQSDhVdzNqSHNKYXdGSnNvTkVqNCt2b1ZSM3UrbE5sTEw5b21rMXBoU0dNdVp0b3huCm5nbUxVbkJUMGI1M3BURkJ5WGsveE5CbElreWdBNlg5T2MreW5na3RqNlRyVnMxUERTdnVJY0s1QW9HQkFQZmoKcEUzR2F6cVFSemx6TjRvTHZmQWJBdktCZ1lPaFNnemxsK0ZLZkhzYWJGNkdudFd1dWVhY1FIWFpYZTA1c2tLcApXN2xYQ3dqQU1iUXI3QmdlazcrOSszZElwL1RnYmZCYnN3Syt6Vng3Z2doeWMrdytXRWExaHByWTZ6YXdxdkFaCkhRU2lMUEd1UGp5WXBQa1E2ZFdEczNmWHJGZ1dlTmd4SkhTZkdaT05Bb0dCQUt5WTF3MUM2U3Y2c3VuTC8vNTcKQ2Z5NTAwaXlqNUZBOWRqZkRDNWt4K1JZMnlDV0ExVGsybjZyVmJ6dzg4czBTeDMrYS9IQW1CM2dMRXBSRU5NKwo5NHVwcENFWEQ3VHdlcGUxUnlrTStKbmp4TzlDSE41c2J2U25sUnBQWlMvZzJRTVhlZ3grK2trbkhXNG1ITkFyCndqMlRrMXBBczFXbkJ0TG9WaGVyY01jSkFvR0JBSTYwSGdJb0Y5SysvRUcyY21LbUg5SDV1dGlnZFU2eHEwK0IKWE0zMWMzUHE0amdJaDZlN3pvbFRxa2d0dWtTMjBraE45dC9ibkI2TmhnK1N1WGVwSXFWZldVUnlMejVwZE9ESgo2V1BMTTYzcDdCR3cwY3RPbU1NYi9VRm5Yd0U4OHlzRlNnOUF6VjdVVUQvU0lDYkI5ZHRVMWh4SHJJK0pZRWdWCkFrZWd6N2lCQW9HQkFJRncrQVFJZUIwM01UL0lCbGswNENQTDJEak0rNDhoVGRRdjgwMDBIQU9mUWJrMEVZUDEKQ2FLR3RDbTg2MXpBZjBzcS81REtZQ0l6OS9HUzNYRk00Qm1rRk9nY1NXVENPNmZmTGdLM3FmQzN4WDJudlpIOQpYZGNKTDQrZndhY0x4c2JJKzhhUWNOVHRtb3pkUjEzQnNmUmIrSGpUL2o3dkdrYlFnSkhCT0syegotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+
+  - from: https://httpbin.corp.domain.example
+    to: https://httpbin.org
+    allow_public_unauthenticated_access: true

examples/mutual-tls/main.go

@@ -0,0 +1,125 @@
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"os"
+)
+
+func main() {
+	port := "8443"
+	if fromEnv := os.Getenv("PORT"); fromEnv != "" {
+		port = fromEnv
+	}
+	tlsCert := os.Getenv("TLS_CERT")
+	tlsKey := os.Getenv("TLS_KEY")
+	clientCA := os.Getenv("CLIENT_CA")
+
+	if tlsCert == "" {
+		log.Fatal("TLS_CERT environment variable must be set")
+	}
+	if tlsKey == "" {
+		log.Fatal("TLS_KEY environment variable must be set")
+	}
+	if clientCA == "" {
+		log.Fatal("CLIENT_CA environment variable must be set")
+	}
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", hello)
+	srv := &http.Server{Handler: mux}
+	ln, err := newClientCertTLSListener(":"+port, tlsCert, tlsKey, clientCA)
+	if err != nil {
+		log.Fatalf("failed creating tls listener: %v", err)
+	}
+	log.Printf("listening on port %s", port)
+	log.Fatal(srv.Serve(ln))
+}
+
+func hello(w http.ResponseWriter, r *http.Request) {
+	log.Printf("Serving request: %s", r.URL.Path)
+	fmt.Fprintf(w, "Hello, world!\n")
+	fmt.Fprintf(w, "%s %s %s\n", r.Method, r.URL, r.Proto)
+	fmt.Fprintf(w, "TLS\n\tServerName: %s\n\tVersion: %d \n\t CipherSuite:%d \n", r.TLS.ServerName, r.TLS.Version, r.TLS.CipherSuite)
+
+	for _, cert := range r.TLS.PeerCertificates {
+		fmt.Fprintf(w, "TLSPeerCertificate: Subject %+v\n", cert.Subject)
+	}
+
+	if headerIP := r.Header.Get("X-Forwarded-For"); headerIP != "" {
+		fmt.Fprintf(w, "Client IP (X-Forwarded-For): %s\n", headerIP)
+	}
+	fmt.Fprintf(w, "Headers\n")
+	for k, v := range r.Header {
+		fmt.Fprintf(w, "\t[%s]:\n\t\t%s\n", k, v)
+	}
+}
+
+func newClientCertTLSListener(addr, tlsCert, tlsKey, clientCA string) (net.Listener, error) {
+	caPool, err := decodeCertPoolFromPEM(clientCA)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := decodeCertificate(tlsCert, tlsKey)
+	if err != nil {
+		return nil, err
+	}
+
+	tlsConfig := &tls.Config{
+		ClientAuth: tls.RequireAndVerifyClientCert,
+		ClientCAs:  caPool,
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		},
+		PreferServerCipherSuites: true,
+		CurvePreferences: []tls.CurveID{
+			tls.X25519,
+			tls.CurveP256,
+		},
+		Certificates: []tls.Certificate{*cert},
+		NextProtos:   []string{"h2"},
+	}
+	tlsConfig.BuildNameToCertificate()
+
+	ln, err := net.Listen("tcp", addr)
+	if err != nil {
+		return nil, err
+	}
+
+	return tls.NewListener(ln, tlsConfig), nil
+}
+
+func decodeCertPoolFromPEM(encPemCerts string) (*x509.CertPool, error) {
+	pemCerts, err := base64.StdEncoding.DecodeString(encPemCerts)
+	if err != nil {
+		return nil, fmt.Errorf("couldn't decode pem %v: %v", pemCerts, err)
+	}
+	certPool := x509.NewCertPool()
+	if ok := certPool.AppendCertsFromPEM(pemCerts); !ok {
+		return nil, fmt.Errorf("failed to append certs from pem")
+	}
+	return certPool, nil
+}
+
+func decodeCertificate(cert, key string) (*tls.Certificate, error) {
+	decodedCert, err := base64.StdEncoding.DecodeString(cert)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode certificate cert %v: %v", decodedCert, err)
+	}
+	decodedKey, err := base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode certificate key %v: %v", decodedKey, err)
+	}
+	x509, err := tls.X509KeyPair(decodedCert, decodedKey)
+	return &x509, err
+}

examples/mutual-tls/out/bad-ca.crl

@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICgDBqAgEBMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMTBmJhZC1jYRcNMTkw
+ODEwMTc0MDExWhcNMjEwMjEwMTc0MDA3WjAAoCMwITAfBgNVHSMEGDAWgBQq63Nb
+YCpJHmrjK5UOEYdXiefewTANBgkqhkiG9w0BAQsFAAOCAgEAi4dqR+WaVMZwnDnx
+tBXBWKUPYwbhicEGBRX7foRkP9lU05w1KiiBUAjNstOXteePrXWnmMlmvtErQuiN
+ySwVqLXO/IwP7kstkT6i6g07J/Aj7J/L68zEsm3td9iTJQXKi+q9sZNIOv6NqhfK
+U63PLQ5VhhTqO9pfmpJl3EbYFQdsyQbhLKOqJAXGWgRwWHPBpTdgf06VtAV9hDT2
+Jd68wK4LTRC6VMd5guUZcRK2TSI1+3k/m0S13rtejD8ilfUoMxoUuSzUXnHr9oyL
+fLsmv64phmFBJrgmtUbU9iZBEr8Xo8kvg5qp4fbYw7AmS1LgJPsLeT3gTSLOAY5e
+0lqF4IwnbWjeVSVki7r9k5DNv9EeCbROyxUG0/j0TWH76xilobIE6/oz4ZiQvund
+IgNa4hhZxJQbxUWj/joxHXN47FXAR+E/Udq5knIduYTnbZkIvMWA2zz9N5Btnlkt
+r8gZcIApdPw12QkHNYwz3zwA+Nndr5aBuDYEm7mhqP2m6qFCMzIA1ZycJY2i79H/
+ZaFAEEqO8Tfca6eyHc6aSSKUhAJXFGbCsdnhZ7Ld0DZM9R2a9ReTh2364h8kBb3o
+eNoIPWEb8dGtWqLe8rTWuH9r9i9d3t3lLzAcjZwT8E+/7XXkdS+ZgO16U+nr/MSd
+w9qdocuETDhJJTh1DHniJnlf5SA=
+-----END X509 CRL-----

examples/mutual-tls/out/bad-ca.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE4jCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZiYWQt
+Y2EwHhcNMTkwODEwMTc0MDA3WhcNMjEwMjEwMTc0MDA3WjARMQ8wDQYDVQQDEwZi
+YWQtY2EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDN0AnicJPTsZtF
+0gRuLutXdPvqXNkJujeVew8Vfxt3jBVR5+AEaM+fN1blOmhezbqyqwUOys7XxgMc
+zJSsgsYB0yfZ6UkipfsB7290R9huuz3ya6r/mMY9yrH8/iydMRn4mHYzSruCSMSn
+D/VZeB702wulqE/rfNxJZ1C3oJFO+LNty4pP1IkcFEOY41GdjewwjyPUTwT2dqUl
+6KMUvFfO/aHHCDKs/nf7bK4RGrtPc97/gsUhIeaU5M3qnFJCi41RyJVG+FgiRuVa
+CzjiS70+SA46ENbnaw4c6SQSl3PqPMUKSm+vcAblLD6nEtUqNwVeOBy1Ghckv4EC
+5MQNRTFdSkzr0H6oeNR7Uxba2W8Tz7O9i0IKlG5pIS0HEHRUu2sWU9HH41hr09CC
+hiT8SiLvd6pCm7hyc6XbsdTWUlQpnPR3OlSp9zgmdUv+pHuw4CgFg8Iq2EMetOP6
+oYwGAYmYRAxagT40KHL53ecHjnhNWnpLJVV/Vpscp7uA9gsImQF9jVAa9cj1GoJR
+f+R55oJ0um0Fa+fewQ7bgaU4AvH0R/8tPFPFCa7QrCIFGGjhvJ2b06hyIz/+Nhoo
+TQhr6U8YXmgTZtzFkSETizBxQ7cKtBJHB5UwFkJ7LwvU/KfwwTnxiks9CIIyVpg4
+CnmQ5KRWLu8sbIYSUfTQ2mZVX3wZJwIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAQYw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUKutzW2AqSR5q4yuVDhGHV4nn
+3sEwDQYJKoZIhvcNAQELBQADggIBADllwWq8XECqK0A8Io1OZ6ZqmwDFg5Z+xj9m
+jQMWcwY53NvEXYCm/odwOcoB0pB0xVG2FDsE7cw8aP/2XMBZ5DA5YR64r0fE80Og
+aS6SOXxR4H13tRrZfGgtlh+7ADYYuurYsVcvKKsqxtQTrrmR9qcHV7fEl2/bLBJP
+tJyD2kXYbmLC6rbp3V2llYOxE2Ox2MXG6TTKWQ1AOcPw93GdQ8mXCdUbZyy3e/tK
+dy7/Y1P+tUxvKXInyvgWPuCiKQRqswvGxpyXjx4pP9Cf5ZVpnZtQ1m051JZSFw1Q
+qRJC1au/PsblKVRLdyELqYvi99W6hilVvrBYHM2QlKqH2YL6DuOuCAjB72cUrpnX
+5YldQGTVZ5yVa9emFz7VatVZAgF4rsyv4Mg8ultYo1ZgVgV+WsVL+yfsDCYYNpw7
+kmy9TJhi21MNpJbqY57CpYo6NoraNUfQanbuCmpFd3My0pF4Ht4CmjaN1p4m6osA
+hVDNdWRWng6IGmyI4j9fUhnBySOTKrzn+TGdeml54iZoUe6qjfgbTls6HRrQbUgO
+LlPijh0IcpzCWPDqXunSg2mLrQjYiUPvAOJRbK/XbG2L0zXfwH+q/HJ8cek0pXIE
+bHDtujodlrco+crJ4mUwg9Pt0cA1L+SZONvvWK4AtxsqnTxr8kBx5Brug9S6gQ/V
+JyG+pk4A
+-----END CERTIFICATE-----

examples/mutual-tls/out/bad-ca.key

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAzdAJ4nCT07GbRdIEbi7rV3T76lzZCbo3lXsPFX8bd4wVUefg
+BGjPnzdW5TpoXs26sqsFDsrO18YDHMyUrILGAdMn2elJIqX7Ae9vdEfYbrs98muq
+/5jGPcqx/P4snTEZ+Jh2M0q7gkjEpw/1WXge9NsLpahP63zcSWdQt6CRTvizbcuK
+T9SJHBRDmONRnY3sMI8j1E8E9nalJeijFLxXzv2hxwgyrP53+2yuERq7T3Pe/4LF
+ISHmlOTN6pxSQouNUciVRvhYIkblWgs44ku9PkgOOhDW52sOHOkkEpdz6jzFCkpv
+r3AG5Sw+pxLVKjcFXjgctRoXJL+BAuTEDUUxXUpM69B+qHjUe1MW2tlvE8+zvYtC
+CpRuaSEtBxB0VLtrFlPRx+NYa9PQgoYk/Eoi73eqQpu4cnOl27HU1lJUKZz0dzpU
+qfc4JnVL/qR7sOAoBYPCKthDHrTj+qGMBgGJmEQMWoE+NChy+d3nB454TVp6SyVV
+f1abHKe7gPYLCJkBfY1QGvXI9RqCUX/keeaCdLptBWvn3sEO24GlOALx9Ef/LTxT
+xQmu0KwiBRho4bydm9OociM//jYaKE0Ia+lPGF5oE2bcxZEhE4swcUO3CrQSRweV
+MBZCey8L1Pyn8ME58YpLPQiCMlaYOAp5kOSkVi7vLGyGElH00NpmVV98GScCAwEA
+AQKCAgEAl+HrKXxC23q6R7BRLK7bZlMihTW3xYHy+xExdH+02Wg7Y5Jms1pVvf2s
+1sVfuHbCTJAAz4XDV2D9cwdWwGhRj48wXZPXMQakUi1MZteOVUlA0eG685zez0MC
+Tt2UNvzBWb/JmtiPv/nLhi40ta37yl7MHZg0QmiGeHUSEDEiitDmOSR4Eama9WnO
+6Mj4tfjCUKORoWAfHXM5NNyVXPwRIOPzu1nFa/zutlDhtCWyDVRJQO5UY7sM2txv
+Sa/K1Oj/hVctMo6bG9CN+QFHHVkfcxLhzOAYd/d9FsDGqiGynS3zi0CbYzCdJgqc
+wdcYEGtCPuHR7aQvaCMbJfOE6vYhEo/0Eiv4D9ZSlj03VFQ1OLKDWfKu80dVpBYA
+3/CNNi5jCSy7u59r7fOB3g1pjtytZ58A1YArxU5I3J1hNPY2h3ATGHnkLtG9wIrc
+oJPNt0jn0Hx4ra885mK5sHu5R9o8A4a7gru4erkhn0/l19pcK0E+TI5MhzNiEgbO
+mw2NwOy8jMkGiBnxYY7SmgK0jE62yZOiZcvxKmrKkvxeLpKK4I1isS9hPWEsJW2r
+XFvRsazZQrOGXSvKXvnUBfYqZJmZHbU4VmaqC0PZnrfQ7tCCJSN4EomBRzPgrSmT
+XcRcjx9lhcNVUjD3alBZ2wYt1KIdwPt9NceqSjqgnStI7xy5b0ECggEBAPVaWzxG
+r8rzn/axskzVCSRXWkASc3SRoMzP8q7PuytDL5gpET7nWMdoGfQMFQV0OAob3z7X
+QdGqhR6ydNGtIJwPY66wtZ8lteKTHvSJvevYgJAvwInROSCcacwhvF3hsinc1WEr
+SeVbHN+yT6fpQyRuGvJFNupl4cf6By6OACDDYUohVt9a1ISf+LmHo6kOYhLlmBVR
+YeJllCYASZUDsKvTZhnjVJN9I5Dtv5+XgnzEM8NJhXfAq6ZB7PO/R2sOGcuQ2EWH
+CYi9WlGs6loUPjWsI0ne4P6MydBvh0a9COFeRxjX7/n+SqeEzHGHDTVQ60OlyJ4N
+QSMgvv3A1vaEvYkCggEBANa+bRfb7zPN8lWcjzKA3MoVE1Wj93g7k3vzm5VMZpo0
+3IIAMozF3TWGvaWOn1/5CAfRkRHLVPRPrNeIrOF1BC75e+adyhgbJp0G8NW/X0Kn
+lzjX1FGmRQcvDUecnhmcLlRJ75YIFTaOnnY1BB8ccb0O440FXvjfg9+E/xUKPgt4
+ZBfjUkgNIzBL3hJb/sTF/SFLNEPl1LHVTwczeNppjtXkWTc30bzhwaJd8ygTQPrl
+KObCurDV10r/ABMYmZQjL9SM2mA8onIvacbddHwVOprT3hMEqmeYYlyuWKMgAoKR
+Qi8UHw6tFwGbPzgZOXl99WHn95vpNp3oKe+Vv+5UpS8CggEBAN3NF1mAVX9VirDL
+p3JJzH/r8AyoIXOqCwHco3lhFcVgcXBO/+Yr4lgyRfQX0BEkJV0OIV1/32KZkspT
+bcP3jNlIGEdePHJo9uqjMYLD2suQ53hxks+EMu7GN+ZwQQdl91hc6RF0vtL28T1Q
+xy32c9pFJ1sJM0HnZJsR7tgpSvhTaGpJhW1ZgXF75LBkbJFyDTskD76F2cV/KtTH
+wb1Snq5W56BToKvMnxBvvaGaqD3+aQUMO/osVYBxbLJVo0ymbK9YfAsurnHNLA9W
+EG3qiuqeeTBYqnGz+OXTTSmnzpVeU0ukOq93MSoLpX6kJk6inmyDPL+VH+OPwNlJ
+MYueKHECggEAftZI71+7QFjzOrfXKJhOUJn0KpBHWd+uc/bmPV+79nckizB8qwMv
+bi8gksnTvscDhEK2sdDsY8UvrLqQijYoe2pmUUd/l49p1jPESivXozIDstJgGL3h
+ZaXX7SVHiI7kGmr1NSOfC/NfCyizP4D4eRdzNdcnSk4SwRH37EB5dyLr0+QztFT2
+JM+a4jMuHqFmqqSVwUjdwQ/htrojNrZEZHeUbnXszuh1C2b8eP4uUkLKTspTpKEZ
+obVOIPlVtNa3qI5taYxG0rTIgGpLJAMR82MSdx85Wyj5aA6eUfNVKDON6Oq0kWGR
+BiThSUw001qfde2iJZew58G6C0Xi8G1UhwKCAQAhfeZnuBGRDnJMcsoV7HOBSpB1
+3DXlGuqGUNb96bKl4AK/pKY5i7DuZF7j1LotjT7baPHSlSv9XS1CZuUxWimVV6M0
+54/r25pKYYPPAtaCz80unI9gnVBf0dkKzSsTcf3BYsOulwHgrY4tu7BPAAWtqyUY
+g+HwB7hYifxwNCPciqqxn3ibi3gqg0hfHEJGFcgFi33ydGBK9KuhIvzrSnm8OaQw
+MnbXfATlkHlPqJ3g7hvg+Ror8zK05NJDxRTfchXKeCltUDoEcsOFarU/TcagcH6H
+gh8+C1LxJ4t6sdg/V2LUsDH4mwMN6ZJgFFtya+F28Gm59IAZT9m2KH4Dc7Fm
+-----END RSA PRIVATE KEY-----

examples/mutual-tls/out/bad-curl.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAgigAwIBAgIRAJHMl1QUOc5iXrRsUUPYNK0wDQYJKoZIhvcNAQELBQAw
+ETEPMA0GA1UEAxMGYmFkLWNhMB4XDTE5MDgxMDE3NDAzMVoXDTIxMDIxMDE3NDAw
+NlowEzERMA8GA1UEAxMIYmFkLWN1cmwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC5ei7Ag0ESrE7J1x8mzXh0Uh4KddqyPKYt4LqeH3TN613MnFZN91DC
+i2ql297F5D5PrHWgKswxWukafaz7uD7Q8QpptsqFkRodjxD7lxMqtJrd8EnmAWWz
+VAS7d7LUVYg0nsPXY6cyAtOOq7THlT7AyfjSapZhj7mBIfNbfdTxUYoFEzrkUp5U
+2Kq3K5rspShHH9uwPix7shiQ1LgO22sZS9nhn25LFauvQs68TXLF7Ww8NzkEDuGm
+/6frWIE14gjkDmuTfOrAI1juHLJbJpiC9Bt42R99MWcuQZQbsVz8slMW/VBITRKQ
+JZBH4JYoAzGvzyFhWaMohSrDYS/ERHojAgMBAAGjcTBvMA4GA1UdDwEB/wQEAwID
+uDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFD4zDz3S
+r+u1I9Cab5XAXcuJP3BQMB8GA1UdIwQYMBaAFCrrc1tgKkkeauMrlQ4Rh1eJ597B
+MA0GCSqGSIb3DQEBCwUAA4ICAQCIraEFD0Dt/LreT0kZMlTgtKIpriSLVF6e22Lm
+bX0XQ/gTqKm98kDRsxLlBEetrgUdzpdvqqU33ZTvohqvVhwnJ+PzHW3O/n6eyFkj
+DiUavkmI8jO17Z5iY8G32aGlpMYeIUiGkTDB6ZoAn09BswlAqdNoOUje/xQZmBBu
+RFXmHVR3c2mv7QN8iDg0184d7NKTK3TZ3n59xHEL0a8RrUgmCVb80A214N/XQlBs
+mLiveprusafcLIA6yKgPXx1bdtkJw0159Jog6TVHhC8zq7e/6FZJeONAz1ZCytXZ
+Ge/LrlQScd9pzbHQn7nS9yD2gUM3R6kr1m8GTnL/0aVbXX7USrh7uFwggXudPZcw
+kA/BzRQyE5gfJSUow3WLnoP4g+PuJWAGbwEHS0MAQ8quSaISm+P2hmOANodk3R7c
+ULUkFhXT9w0Zk/SdGpo5t5XDby1XsofFLq9Pl8vZq23iBPQvjWLQL71zzFggTN44
+bsKE56pNaHmIZVZp7hY7Rt9/D6hVvR0jueVm32uB9tQwYq0CfkXgq68aGS5yt21n
+Bm/MszjDTTNe93K0PWyGP0RNJOXb6jL6aNvN3GTBSGkkDD8vraTF56CcneaJcf4Q
+IS+GlJZd6ACsv2RQtgOlQW7rma0hjgh9Wo1av0OOirgxuCI90t70aBuvznzxM0uu
+6OHJvg==
+-----END CERTIFICATE-----

examples/mutual-tls/out/bad-curl.csr

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICWDCCAUACAQAwEzERMA8GA1UEAxMIYmFkLWN1cmwwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC5ei7Ag0ESrE7J1x8mzXh0Uh4KddqyPKYt4LqeH3TN
+613MnFZN91DCi2ql297F5D5PrHWgKswxWukafaz7uD7Q8QpptsqFkRodjxD7lxMq
+tJrd8EnmAWWzVAS7d7LUVYg0nsPXY6cyAtOOq7THlT7AyfjSapZhj7mBIfNbfdTx
+UYoFEzrkUp5U2Kq3K5rspShHH9uwPix7shiQ1LgO22sZS9nhn25LFauvQs68TXLF
+7Ww8NzkEDuGm/6frWIE14gjkDmuTfOrAI1juHLJbJpiC9Bt42R99MWcuQZQbsVz8
+slMW/VBITRKQJZBH4JYoAzGvzyFhWaMohSrDYS/ERHojAgMBAAGgADANBgkqhkiG
+9w0BAQsFAAOCAQEApF1NeVOAbbfGPALlEyWb01fnzyeJolPTXLirYPNM1tkIt6/0
+9M7jTwB3ZvQYqbu53+XMLQ9xw5PhRTSg8LL2IKTfw0SeRAjZO86ztMxAUjvidDzO
+p6TmXSFXJflJ52wZIzrPHt+j07Qd1/bjgAFiNXonXyAr7AEYLVTw+kg7lnVm7PYu
+5cRfinIS08gzxsK/wbxAs6OQzKUq0Y58y9J2djRHF93ja8O73JA8Zst/MLNjwuRy
+8grtLoNjllYnyGoEfwYiSnek4OUaRPKRGYIXxYyDzA31GWn49ot88PB3DPKqU4Ps
+sWYgGKMXnvrPa+qlYY074iw5pAOIiL78CjrIog==
+-----END CERTIFICATE REQUEST-----

examples/mutual-tls/out/bad-curl.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuXouwINBEqxOydcfJs14dFIeCnXasjymLeC6nh90zetdzJxW
+TfdQwotqpdvexeQ+T6x1oCrMMVrpGn2s+7g+0PEKabbKhZEaHY8Q+5cTKrSa3fBJ
+5gFls1QEu3ey1FWINJ7D12OnMgLTjqu0x5U+wMn40mqWYY+5gSHzW33U8VGKBRM6
+5FKeVNiqtyua7KUoRx/bsD4se7IYkNS4DttrGUvZ4Z9uSxWrr0LOvE1yxe1sPDc5
+BA7hpv+n61iBNeII5A5rk3zqwCNY7hyyWyaYgvQbeNkffTFnLkGUG7Fc/LJTFv1Q
+SE0SkCWQR+CWKAMxr88hYVmjKIUqw2EvxER6IwIDAQABAoIBAB+VhtCRiUs8vE3y
+rANXieOE+EifuRYQ7dtyIVU71hAavGZTWP791mrKguargkwAifvXSlBz+UGOUZOJ
+QyO6RDggU72cuu/zvZa6/hFZsJHdH2IbwPnB0yeubv/daj5uMjuDraXH+nixsoTh
+CG/UIlOCETUDoYgLiXNL7LzvuIs/JMPUYLU0AgQC27nRUD/bnws502VEOJFRdt59
+B/VpDmeTTIHAk2iJhYpyJXRs0YM+RiVOIUJiSlsUZF3U7QMzWITUjN8yms9SD/MP
+ZJMYeBLuIazWeV8jeLbyZN1zZLxKwwKuphtDU8v9lH/Yw6LuJoi5gbkRsOgQW5Ot
+xSKfo0ECgYEA8Noyxeg+AG4h73aO3l2dTfGW0p/a/MqwimqCG64RxJ+LgjUZFnZj
+QxGXHuFySTB2xLQzKDW/x2htnIgy5G1HmYl+w7RLjEk0V/tuXh70wxEHpbBxLjeD
+qnxPOByqLvXRZFFzn+imEbuWbf/h9yNfccAYW5aqY6n4Rlvs7uaDnTUCgYEAxSRt
+eVpMPTCOu1Qh61PZ0QBdkxYVyy7ZXJo2ka2n+uB6spSNMrxcM6xb3HsxpOchp//v
+XJW0qOTckDMJeEL/dw6neSx2sNFLJMyGg+QtLFobs1/75QgXQpqRvovGt3wnmd0s
+Q1LGCdaL0cc7SK62/CeANpfF9VCkqlJRu/5+HPcCgYEAhzhZrRbYSHGMh96uE1XH
+jQ0HujSZQ7egKfXmGhg+TX+tWWrqLNxGmk7z4xh7i2+0Hnd1CSw0AYY1k947hFd+
+DUtOah19FMO8qXC15A3JKQMUogdPY70zJLIp37zoJvlHl+TK34pEQkxpBlTUzmWD
+nl9UzYbnHpE8nHPbr7ynQ8kCgYBgsIgc38PKsxkeGZp1P+/xyPscG9XejIDBIUWo
+V4Ku0hB7q85A1w9lrKB1V9q2ZUIlkqpEP4yW1YC0HMQFPt7q9r3++WbRPCVdzA4h
+e/UH7r3tUSNLZpd57DOVQBrbfUIy/b4q2tsUkiyLW+rgsAhBTeJdZD0MH1xTyQIb
+cStLawKBgQDCpG5GyYqQ8hSiRGK9NzowxD//LIjLR5vNWcW0xDE5NE8zYO9EjI2W
+VcS+7eVyiApwMMjl2q0JMK+1HziMTaN7YRmp+8c+U8wFU5lVZqE/FPEk6EQ2vfpj
+Ir1xWZUXgRCVOM7MfaBGp2BNUeQo7sycWe0F71+bXTmxYHbdwRxqCg==
+-----END RSA PRIVATE KEY-----

examples/mutual-tls/out/good-ca.crl

@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICgTBrAgEBMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB2dvb2QtY2EXDTE5
+MDgxMDE3NDAwNloXDTIxMDIxMDE3NDAwMlowAKAjMCEwHwYDVR0jBBgwFoAUeeCQ
+syxV+Dg0gkbbnAD3zbl1c5wwDQYJKoZIhvcNAQELBQADggIBALkD8splQjWe/LNm
+7q4KhoalL1ynr/NLeoefEGJj8QlyAWlQc1Ozr3RmgKgoOVWQRJG+nMcPpS4Mr2e7
+WifVcy0GXLDT3mbyUKnd+yR+V/BNnvxA6pxh9szF3A1nL3vmhVUJzKjsbx4SgXjR
+hh9Mcn22wsn5J7qOcM9T60QDk2/mN47R/36TuCOnl+BEPpfOE2w5Q77wAigit7Gj
+/EsfOuVEVg3hk8apAmQwotmJg/2kDhhOW2HaiOLgS3RkJHdoeiqeiKs8Pff3tPsf
+U7BVUh4vKT4VEVi3BgunMNMqpH3slWXqJgC4ew4zwhocsbqW3qM/M4z+i6+cgtVY
+UQp1lwBs2HeKljSi0TsVGzQk2v3VGODfLEe19XllIJCymWdPuD5cSrGpi0rAK5Ft
+PXffvhBZlwYZqdSAS7jypOIwyoOstjUBaYKypYCE/ZLITqAyL042Ot/pKARWxyKH
+RyaeNvjurivx9/CXTflKU4JptWKjCi14ll1CLs5JrDENqHpByXcNDznrxc0ZRCN/
+AmgAoMFwVbUnQFcx7d0RTePKHZlMx1jWZnYD6tI2sQqsgCbdp3dphNQT67wwdjMj
+YRxlPYE0j+kF6hwUjr6jP8Si6bHBb1Blj6zgMy+0NnA03opfvwGQflkPx9mCFjkl
+nzcWwEbl1hEk9+UE+HWsAu5i1kzA
+-----END X509 CRL-----

examples/mutual-tls/out/good-ca.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE5DCCAsygAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdnb29k
+LWNhMB4XDTE5MDgxMDE3NDAwMloXDTIxMDIxMDE3NDAwMlowEjEQMA4GA1UEAxMH
+Z29vZC1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7oeetJ/6cE
+Gbq7/jsmqOE3erTMZDttxS8I5FWW4NDWmci8NHudLd8e3Rm8HzcOcJ4P/A+p5lbk
+N8rK689IlC8j3o2hHRtI6OmlhV74J1iIH8kdIu6WlO1kNuLytdkn8Qk+I9CDZ9FH
++g8QnudkKLQbddWCUrsR4xpG2+Ed5gnkBI4n3ncK0X/XFhqhCLE5xPZBNNZKFlrq
+meaIxtz2sfoYV56g02sFKT1IIL55E0mxv4TkbmIl9FOjdKBvHEfrGyyy8TFLq+S3
+Mz6zoq48n8HF1G9ppKVON1Jt2K5Qa/Whin5kqcaa3p4M/7kb6kqSKLXmb7H27y/U
+Db6CPm5wihv06sQhmsv0xnKhj2o/C8eqls76YX1uccj39fI4eCQ8pCEm9Up8yfI/
+LeaZWla44Fgyl77Yrsc/3E9vMaKFUxdcGum1t+5FYajdcA/NQky2Ay2jptpUuuHU
+6xXK7Dqv9gMcA/33UX8ZGfIOFM+cqe941i5OOXFHrhD9jy4PGc8gi1I4r+UWwKBb
+1Hh5rT7rBY+SKM0sfkiBVuEOiny6t1ugkDv68usEXYHZVWiizoXfp5Gn6frE/wR1
+DdjMwLa/OkPNuDUT8yMFKhVFqGqwGC66o+5r422UpkK8Hry+klCzTO+7SDhu2bZN
+QQFOCKIUevtwlgZmPMrMA56ww5RJsaVxAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIB
+BjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBR54JCzLFX4ODSCRtucAPfN
+uXVznDANBgkqhkiG9w0BAQsFAAOCAgEAf+nRjAVvnOJRrJAAjJYV7iQwlq1QvXDg
+lvacBhTRrXXx9nFiTYS5x2ALmvyXxnm7HKeCIFDrRp8NLTY2b2WGMAq1qsrAOD/z
+S6cRImNCmP6gtPsT49Zo0Xj3kf6rMpOxpbIIgJfLcNzPfi/ncx/hD3A8yzfN0A6Y
+qEwd/JFOj7DktZBgeIvDNRWKJoxJIFVxjrj/1bVi1e4VV5oZhNjJ8K9rWQQ+Q/+t
+gyF+K2plCCTbEdzyOax65v8yP2yD+6ZAHFOlF26NviRL89buTr0hJYkCyUvw2bYi
+8Cs2X6dwCCuuaeGUGeQzk30lPyGVJeJ/vI0bQK9igb9tZ3cwtXpPv3zkPuL17wMV
++B1z6EmGeUK5ySCLEZ76iYb5M/cvcMEN1ghxSH7Afh8LKG4yk3OmRCnwjEju1aij
+dk7r2nsLfaOJXPQ5Mp34XSYmu9iMYtW+LmfbH2q1ooKwJd8G5XaEdfBjGPD9CqdX
+aJXt004qWljRNKzu0SEFbzRWF4thyyTO18AR8y3GWEpjOyjgJK9EyMlBoPktXAUU
+6sLXjOvYSJ/wm65HqUVAM5lG/zYSwLgBL00sZI+5FkD0nU4FLzAdKWNKZDWdUMmL
+V/eWFF4l0TPo55a3JT/PFsbtDPKUloYQWy1rnajGru/F9ldBppumETkaNKfVONIr
+xpDgsQaVEW8=
+-----END CERTIFICATE-----

examples/mutual-tls/out/good-ca.key

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAvuh560n/pwQZurv+Oyao4Td6tMxkO23FLwjkVZbg0NaZyLw0
+e50t3x7dGbwfNw5wng/8D6nmVuQ3ysrrz0iULyPejaEdG0jo6aWFXvgnWIgfyR0i
+7paU7WQ24vK12SfxCT4j0INn0Uf6DxCe52QotBt11YJSuxHjGkbb4R3mCeQEjife
+dwrRf9cWGqEIsTnE9kE01koWWuqZ5ojG3Pax+hhXnqDTawUpPUggvnkTSbG/hORu
+YiX0U6N0oG8cR+sbLLLxMUur5LczPrOirjyfwcXUb2mkpU43Um3YrlBr9aGKfmSp
+xprengz/uRvqSpIoteZvsfbvL9QNvoI+bnCKG/TqxCGay/TGcqGPaj8Lx6qWzvph
+fW5xyPf18jh4JDykISb1SnzJ8j8t5plaVrjgWDKXvtiuxz/cT28xooVTF1wa6bW3
+7kVhqN1wD81CTLYDLaOm2lS64dTrFcrsOq/2AxwD/fdRfxkZ8g4Uz5yp73jWLk45
+cUeuEP2PLg8ZzyCLUjiv5RbAoFvUeHmtPusFj5IozSx+SIFW4Q6KfLq3W6CQO/ry
+6wRdgdlVaKLOhd+nkafp+sT/BHUN2MzAtr86Q824NRPzIwUqFUWoarAYLrqj7mvj
+bZSmQrwevL6SULNM77tIOG7Ztk1BAU4IohR6+3CWBmY8yswDnrDDlEmxpXECAwEA
+AQKCAgB5+O5sdgrxGp2VwSbdhAXCXz/249/mWGvzcSrxxEQ/Kd13c0fU8sesFnwN
+RTRsaL1rP6s8FsEkIwvCdYPUG/sRY0l+E8IU/LBTF33u/32kAtTMGeGHro3YXn7y
+4T9uTyahUSJwxoQ+Ik6R8XyVOlkHOcQ/ddSF0RfYYg159zBSgWynprFsPW080J8+
+xERZdx9wdpjbkNpXnCxYLmtgIf30XDkfEIIDjniavsqs5457NyW2MnyUGMvR5E1P
+c64OBRiHpoyTglWA+8ux8/Osfu9TTqI7zLN1KlQORkB6nsdbWKqztn0Cd1BkismX
+60319wwrq98RRUPsuv9NCMn6pcyWlXWLounNV57hz8QPj6lFSuGc9oWISKZM0Fis
+NxluS9wKCZsdJCGPiJl+LOl1mWLSBMeCE3bKT/ypCQS04MLZf52SC8w3XzWv9wRM
+83pDmDEckZD2wt9LC8HjYJryFlXKz2PxwLbBWEW9lIdSqcPFlqetcG8N56QgEbT5
+TLEoPHMiqg8sfMABvhJ4g5u+PsyH0jRZb/eCC8bQhQMqaXRJ64YUbyKO32P5xtJp
+IkQ4FpNe2OK4I8p/1CKXjDahy7OvlumWxBBkffnzTVNkmJpPWQiFFI1A1Kjuz41Q
+hHWXuXdSpOIEMcLt7laCftxKdOVyQz+h76mYGf7uXetVlaJYQQKCAQEA1nkkYXuA
+qQVs1nSmcBRkC6QQj0gU+9iRw6IG+WI6m1BeE0kPbgJV1aKLNLaEcD8SHrW+tmyi
+sfXn1TXjRoybS/doTVkdeGAcNt1X9kwtsl9C7mVv4jF4Svmycpl0MXRIuwScQfag
+vlWNBDUu6bF8y78MUTTWTMOZlm60uCzyQs98byhiupfqyYDskYoa28++tsq6YQvb
+eKXr2StIxWYmKDWmN7S1tLq69JftMI+BxUr6cJvl4tCMi/mXoIHYN3hDZzTmSqAG
+C0O5QN34VXZY5V58hVjN8mRg1EHvZTx2tBoWKX43Ju/ZuhlBumIYRKhHjkqGqWpB
+/SY1Y68hM2X3twKCAQEA499GlT40TI9Fe9U3tGcSTjPxboH8qLPjO4h4Z6WtiQER
+AaRdGrjRRZaptZb9zA0aAubAe4P9lGlVRinujr8V0vTunhXSMsJDgAFUmcdRq8R2
+YaIDUdPFCFj8neKOoUh+xg4lUuTh+tu9A/loo/bjAoFwr3d1YCYwQCmzJGKcOHFl
+5WW4ev6OpnOwjYczjHRImUNlCVzLgoXwV8hddJdspJHBwCrzEt76rFH55sSs4Kys
+d15pXKNw+TR24max6MN/aAWe6rxqQ/XnwwN3Eu91ERcWv5gXEA07p4T1JtJm9sqx
+fFZr+0aAOSHGr1dw9TEOnAwUI0TwSB7/rDOJF1K8FwKCAQAUI6gA52H7fSDtOmLu
+n1uNpEhRzAj8ZSe64RoajNjIANH0qaWjRODegLblqkXhbGq9K3/PDYBxiY/Ne5Pt
+6gIjLgZDTRzxUsUTedFqtViNKVjVnfzVlqOfFrdk/3fjtPGnbhVmNEx/0vS88mmH
+VD1NvJDhhz6gUrW3ZInfyYiuMWGT5ozuzJklds/AEuHWxjk4XO0Hc9+WAq6U4/Wf
+Y6otmGwVSwjNAcPQd/uz1aXv6sx9ioYZuE+aTUOptMei3c4mgNcnJsOqhx98MdvB
+2q0aTLcQpnggTMCy7cYXEYhr/Q8bslhndZpSWVDMua1htROTDvh6LBoqNU5KIAXU
+F70dAoIBAQDjjWKpxH1reqMTfx9qeocwKvTMuue4/DJNkAFU14DM0JDQB/elqKvq
+hwKgQNDfBLJV9WJ/tZXzr6AlOdhtGerMSCVFHltSruXDHREDo6QuGDlzU9tmykf3
+Bw31CHoQGxnl49hnyALWhLpjDpvtKK0XInWJ84v14QzL9hhbnFGOl8b+Zi7sO+nt
+1JeZLUtP1gttaXyq9cyQYfpZXs/cjx5B1QAbS4iC7sJ6dD5OsVZF4okzhsdGaDx3
+z2lsusqsuxUupnZEyLSBez3eY0Z0VUWdNGZWG6XkNKK+rao2A2QozM6icJbSTVvc
+MZt8G6DEaSHCuNkfQ0eDbdk5eBlNfiQvAoIBAHWqWmtjTIzmTlq/SGJwbOSVc8dI
+Pm0PFGmCFgtrW8qk5wE8SpeLzZfICSYfeab/EvAHIu/kplKtAstwVDthH3vWlrTj
+uiL3Q3rahONTSel+gXSjO6Are8L7mM/XhwUjEUo1gFZZsl+ESNujgyiATFDqFMpC
+LufHOb0x8FkOf6ofuV6F6eQ6d3uXzcHdO6jQI3Jy58T+Iol1IJllCbCEIw+0BfAy
+bHrWFymPLDhqhe7Srk89cpHCDiyKVsvoBHCjhDkefFSwLplxXn/2qqCOYy42+1oX
+k0bF2an/MdZaYjqVzmv3JH3IJFzPo0S8ZYsVVYQs/ZDmIWMlPl0r+MnWLYU=
+-----END RSA PRIVATE KEY-----

examples/mutual-tls/out/good-curl.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAgqgAwIBAgIRANQqXXolrTowpeLNiQ7GJnowDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEAxMHZ29vZC1jYTAeFw0xOTA4MTAxNzQwMjRaFw0yMTAyMTAxNzQw
+MDFaMBQxEjAQBgNVBAMTCWdvb2QtY3VybDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALXtXApHls1fFq5h2EcmyszIMdd85226zbS9w5n72TjURM2sFMRk
+IZJhZG14zlrcjKtYWxerE1oj4475DL09DocSFDGgBIX8jl9QOPT/jqeEssToe8nn
+pyJ+B5xy+dEZzThkXv5FjnHRr9wtngoWYMhhKJ8pXrr5q3WcEpX3Rm5igAwOPLAf
+mGo7GFs9C2EyTlWHy8ffI8UNnJGn0Oi5frNBEev3thPtWZ/96gBsOdDZgGBQaD/0
+trlYa2Chw6DBztTguAxgPalJDAKvdh38ar82bRUPpZPHsJ2XJ2JFVEe387m1GtLl
+HzKeQ5233Az/FptUaCrsQbZljyEol4FzrW0CAwEAAaNxMG8wDgYDVR0PAQH/BAQD
+AgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQURipl
+Mdci0TJWmt3MtH4wSzWriAkwHwYDVR0jBBgwFoAUeeCQsyxV+Dg0gkbbnAD3zbl1
+c5wwDQYJKoZIhvcNAQELBQADggIBAEurdNd2onZmEx30aWQe4Q9JolTIsFg0NspO
+ifG7wjSkzZ1EEks75nCKs4yMKW0PLJhaYOiD6y4ZNWshyVtInVGaQYR4IPDK3Xg3
++2laHvfCEI0/WRjBZEqJXUYjl2gayn5mumUvcfR4K2NQoYusd5KAihAWsUXImDaN
+SWEMzM1V1ZpReHwPiHUJcfue8HMPrZDNZvHOw9bbytfpb9HkJGZPsvOg1aElvT1m
+ptnSg96BKZRTgs3IPuZP26bxJLGih/XCDGTlbwRHzuwFrRkOtXhnpmjDxyWkCtLR
+HYEEquoeacE0ONHDapnhkFtVMNoeana3Sbtr3wHyrtsXoSPHwvtqEYizXWhwPQej
+RRIGilR6seH+Nobqk/YVzxmsImvBHTepRKx1J16fXpriZKxgRec7qcy37Em1ZJ2j
+NekTly/pyY+s/I664w1z/I6oN5TyytWLyhzNruRyXlPAHNttzp6v8SxWGDJh93aY
+f6swdTd5ocWj44mFogs7HSRZXkSCCuLON8ljaDLILgHnL5q/M+AIEQ3cGd29+U/9
+uuq8pHp54JILfO2Oz7W0AEnIq1jiQeM5BKYqt8CfAEG27oncObjnJBdy3l6xfrVH
+mAP+DnBMdpiJu1B0x1LH0JLO2Uj4fDArtsn8p4SVBF89u/qgAVXZwfWyO4RACLwp
+QPCo/K4s
+-----END CERTIFICATE-----

examples/mutual-tls/out/good-curl.csr

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICWTCCAUECAQAwFDESMBAGA1UEAxMJZ29vZC1jdXJsMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAte1cCkeWzV8WrmHYRybKzMgx13znbbrNtL3DmfvZ
+ONREzawUxGQhkmFkbXjOWtyMq1hbF6sTWiPjjvkMvT0OhxIUMaAEhfyOX1A49P+O
+p4SyxOh7yeenIn4HnHL50RnNOGRe/kWOcdGv3C2eChZgyGEonyleuvmrdZwSlfdG
+bmKADA48sB+YajsYWz0LYTJOVYfLx98jxQ2ckafQ6Ll+s0ER6/e2E+1Zn/3qAGw5
+0NmAYFBoP/S2uVhrYKHDoMHO1OC4DGA9qUkMAq92HfxqvzZtFQ+lk8ewnZcnYkVU
+R7fzubUa0uUfMp5DnbfcDP8Wm1RoKuxBtmWPISiXgXOtbQIDAQABoAAwDQYJKoZI
+hvcNAQELBQADggEBAF08BpT6xeTfdSFFujMjaaMT6fVpf1BIhYCxbKW7QBMLu/+F
+C5CBze0dnF8WYO8nhLzKzi2KcqWIxB6mHgt1Vy/iCqeNgjzBitQo7Rygi0C7ih9S
+sCCSPx98eH4IHfQqadCSa9QhX6jvBSjavnrnKvLjtcRGXTtPFoSdwUgrpYtZ0zA7
+jI8PQjFq+vezEtUPdhkPAU3uO6k5lgNjWqv8OEqsuuHx1QEouxE+LuOgEapPRDwi
+LdmOrC4vXWww6m1F288eB1/n/LLJjMjtahK6sVsogfhQe/sv9MJIDDpSt3kIz/kP
+IvjUqzmEaazbpm3XHbrd2qbcwMZGGwwEkBjj/xs=
+-----END CERTIFICATE REQUEST-----

examples/mutual-tls/out/good-curl.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAte1cCkeWzV8WrmHYRybKzMgx13znbbrNtL3DmfvZONREzawU
+xGQhkmFkbXjOWtyMq1hbF6sTWiPjjvkMvT0OhxIUMaAEhfyOX1A49P+Op4SyxOh7
+yeenIn4HnHL50RnNOGRe/kWOcdGv3C2eChZgyGEonyleuvmrdZwSlfdGbmKADA48
+sB+YajsYWz0LYTJOVYfLx98jxQ2ckafQ6Ll+s0ER6/e2E+1Zn/3qAGw50NmAYFBo
+P/S2uVhrYKHDoMHO1OC4DGA9qUkMAq92HfxqvzZtFQ+lk8ewnZcnYkVUR7fzubUa
+0uUfMp5DnbfcDP8Wm1RoKuxBtmWPISiXgXOtbQIDAQABAoIBAQCppXpzl4hXYHlt
+CY694r2wMmrP8Ah7OXwDNAXHfKN2K/Mw+2uuK1VnA+y7bLC45/tA+LaRHpWANAFK
+XJF1kg8PA1vTXs15CCbXWJ6UUA79xW9S0RxGDf+72VxNlqXASFgnYul2IPSQzKE6
+J0u9Slrb4EYaDWDp6FHr7Ssjrx99ZEc79H9uH0dSzZlx41YQCzrauA/RUOvqHMX3
+I9GGCXEEcGVt6DcHl6KZuQOnBiy7ukgW45HtFxsH7MR/sU8Cx5OWOKZgsnkALc95
+2NKDzafLyG0yVehcWe7MiC7cbnGIISHU7+s+LJkdfnQTYM4W3e1JITRsc5OvL97z
+4A6FSFGBAoGBAMhZ4k73m+cgVwHoeqtYKSAvHVWKkAxzQBWgJ2QFNAORgGF+v6HR
+I14uepFnH+qUi+Y721ZDIGMyJ4mCqAftnx2/GY4pUYvsaWSd7VpkUGlUoHvybIkY
+OyF1c5BuJME2zgr8FVGoMOmOjMuLQuQzCXOAiLXCSKRoUmtJYiZgrTTNAoGBAOh1
+bbgEA2daZmWYvuYEg8ZcQcbEOVMEK41endvADsyR5/2U8+3fwlhMclIRbPe5cJ5Q
+W+qUTESvvJuGLPpe1IhV8HbafMb7QabiS8TEqKkE4HWe3mYeiT/R8nBd1Ile01se
+ua92hDT+0urFUEEQMaXF1lnvZNEy5g26/AEmx1shAoGAQHerun0yTUy6soJ79maH
+1TNT3RKZB2iOVmcSRbzm378R8E04nHkPSF7sUZ09R95EpfDcwwUWhtS8pCLGrsZn
+TMsRDg19j+iigR3QIiXlOf9hJID9K6AAZuPEK9VFPmbEJgS3V28nTf/wjg5hl8xU
+XjYdx16cwUpQOvWB/5dcJIECgYEA51Ais9/aezfreOF75GtNrU8UbPPJjyAxLmWe
+c5MzpsDxttZHvMbSHwdDIwMQCZnPxNl1/YFAO4EcDy5/B0zh9CCAPeTAEUjoVWYN
+u2lt43Jk4OYLrFZqgMUrmEDmQyPG8X8rirxGZm3D97YMXBH/NVQeLjQXgExDvBn6
+tjKeYcECgYAT7tuceS7YkvkNPrg6xzhjtA6+pZhKBrf2CGm36XAClpUnqX5sT/e5
+CIM8AYUL1HBjtZUft2uBZNNNNFVxDr5Jy59NX+DMTLe4Frfqvn5alIz1BfSIgXG0
+VgrWNLHlu4B4mHg7gB/7aPFbB8GaGX+x+RIHb1qRZnoyEWv2dVfWKw==
+-----END RSA PRIVATE KEY-----

examples/mutual-tls/out/pomerium.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEITCCAgmgAwIBAgIRAPjLBqKYpqe4zHPsGVtTzOAwDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEAxMHZ29vZC1jYTAeFw0xOTA4MTAxODQ5NDBaFw0yMTAyMTAxNzQw
+MDFaMBMxETAPBgNVBAMTCHBvbWVyaXVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA67KjqmQYGq0MVtACVpeCmXminlQbDPGLmsZAUEwueHQnrt3WtvpD
+Om6AlaJMUnW+Hu55jjokalKeVjTKmgYGbqUzVDoMbPDaHekltdBTMGlOUFsP4UJS
+DrO4zdN+zo428TX2PnG2FCdVKGy4PE8ilHbWLcr871YjV51fw8CLDX9PZJNu861C
+F7V9iEJm6sSfQlmnhN8j3+WzVbPQNy1WsR7i9e9j63EqKt22Q9OXL+WAcKskoISm
+CNVRUAjU8YRVcgQJB+zQ34AQPlz0Op5O/QN/MedjaF8wLS+iv/zviS8cqPbxo6sL
+q6FNTltk/QkxeCeKKTQe/3kPYvQAdnl65QIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC
+A7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQCQXmb
+sHiq/TBVTeXhCGi68kW/CjAfBgNVHSMEGDAWgBR54JCzLFX4ODSCRtucAPfNuXVz
+nDANBgkqhkiG9w0BAQsFAAOCAgEAroW/kk2YexSy4HZAqK45Yhd9k/PU1bh9E+PQ
+NcdX3MGDccCEAdsY8vYw5Q5rxn0asq+wTaBplha/k2/UUoHCTjQZu2OxtAwQ7Oib
+TMm0J+SsVOwxbqPMok+TjTMz4WWhQTO5pFchd6WesBTyI72thmcp7uscKShwbKHz
+PchuA48K8Ov/zZLffwnASYouBs2cwVbD27evN37h0asGPkGUWvmOH7nLsUy8wM7j
+CF/sp2bfL/NaWMrRgLvA0fLKjpY4+TJOnEqBlOp++lyILFLp/j0srn4MRyJ+KzQ1
+GTOjEmCT/TAm9/WI8R/Aeb70N13O+X4KZ9BGh01O3wOUjwpYgyqJshFsQPntVc+I
+JBax3ePSsbqG0LY3pwGRJQ6c+wYqti6cKMN9bbTd08B5I57TQLxMqJ2q1gZl5GUT
+eEdcVEym2vfwCOwIklcAm8qNnddfJWQZlNUhsNUaA2EH6yCywZfoZjOaH10Mz0Wm
+y3igcRdT72/MGedfOw2Ut1UoDVftG1s++v+TCYi6jTAM9vFOrBxPiNxadPCGGcYd
+0jFHsaV8aOWWPB6ACRmxwCT7QNtSs362ZH9IEYdxCM205+finTxd9G0JeQE7v++z
+Whyj6fbAYB13l/7XdFzMInA8lizGkTpvDs1y0BS9pWzibhjmQhdfHz7BdjFLuosl
+g9MdNl4=
+-----END CERTIFICATE-----

examples/mutual-tls/out/pomerium.csr

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICWDCCAUACAQAwEzERMA8GA1UEAxMIcG9tZXJpdW0wggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDrsqOqZBgarQxW0AJWl4KZeaKeVBsM8YuaxkBQTC54
+dCeu3da2+kM6boCVokxSdb4e7nmOOiRqUp5WNMqaBgZupTNUOgxs8Nod6SW10FMw
+aU5QWw/hQlIOs7jN037OjjbxNfY+cbYUJ1UobLg8TyKUdtYtyvzvViNXnV/DwIsN
+f09kk27zrUIXtX2IQmbqxJ9CWaeE3yPf5bNVs9A3LVaxHuL172PrcSoq3bZD05cv
+5YBwqySghKYI1VFQCNTxhFVyBAkH7NDfgBA+XPQ6nk79A38x52NoXzAtL6K//O+J
+Lxyo9vGjqwuroU1OW2T9CTF4J4opNB7/eQ9i9AB2eXrlAgMBAAGgADANBgkqhkiG
+9w0BAQsFAAOCAQEAMW3hEN39eQXdNt5so5L2XCY8dAVsm6oDg/97JzgW/gf7proz
+CXxratCk9KEePcRbSxpB64K1pac98M9Ehb1ILX6LFnN+H3WCTr1Yyn05z2J5v0lJ
+u1pDj50yHjCGh6M2fIqubqgMNdCI6irU1hz06l+DdtKGX9yDMw+fYPlZDrTfiXL+
+gXzQN2fBOZCEcP18oz01eQqOjUumRMH3n53XJclOnN0PT3jubNjAUhsa+wAoCGTa
+3Tjw3mX1qwdsV1E+utxhrY64KMh/lpLTIPA/SR9D8x1BZcAh0bY9ScZReTC6D4Np
+S4STZIZQl7wp/0HRNr24uJaRtNcNVAHDwHxq7Q==
+-----END CERTIFICATE REQUEST-----

examples/mutual-tls/out/pomerium.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEA67KjqmQYGq0MVtACVpeCmXminlQbDPGLmsZAUEwueHQnrt3W
+tvpDOm6AlaJMUnW+Hu55jjokalKeVjTKmgYGbqUzVDoMbPDaHekltdBTMGlOUFsP
+4UJSDrO4zdN+zo428TX2PnG2FCdVKGy4PE8ilHbWLcr871YjV51fw8CLDX9PZJNu
+861CF7V9iEJm6sSfQlmnhN8j3+WzVbPQNy1WsR7i9e9j63EqKt22Q9OXL+WAcKsk
+oISmCNVRUAjU8YRVcgQJB+zQ34AQPlz0Op5O/QN/MedjaF8wLS+iv/zviS8cqPbx
+o6sLq6FNTltk/QkxeCeKKTQe/3kPYvQAdnl65QIDAQABAoIBAQDAT4ysvWjRczqr
+JqORxaOA2DcwWk2L/RW8XmAhZFdSXuv2CPllaMMrzPfLn5YIfht3H3s86gHGYszg
+Z8ibbakX5GECKy7yQH6ngxEKzQTjbjjA5dwKHtPXPRrfjd5caLs5ip71ilBXF1Sr
+XDHiu2rqmh/dU0+XdL/3f+egT9zlT9c4rRo8vvnycXz1r2uaEVvTLlXulocixEkr
+2J9S2loyaTokENse03iIWZZzM4IYqZ08bNxoHX+3AueXLHQ+sFDJ2XZUWKJFG0u2
+ZwGl7bViE1P5wbAGmg2Cx5B7S+td2PJRWqkoeqcqvEWBstE/QDp1iU8B8zbAwtcr
+dw9MvzChAoGBAPNo4V21z0jz1gDokeMSywrg/a8FBR3dvcLYmeyUy2ngwxunrqlw
+6Sb+9gk8j/qq/suPH8Uw3jHsJawFJsoNEj4+voVR3u+lNlLL9omk1phSGMuZtoxn
+ngmLUnBT0b53pTFByXk/xNBlIkygA6X9Oc+yngktj6TrVs1PDSvuIcK5AoGBAPfj
+pE3GazqQRzlzN4oLvfAbAvKBgYOhSgzll+FKfHsabF6GntWuueacQHXZXe05skKp
+W7lXCwjAMbQr7Bgek7+9+3dIp/TgbfBbswK+zVx7gghyc+w+WEa1hprY6zawqvAZ
+HQSiLPGuPjyYpPkQ6dWDs3fXrFgWeNgxJHSfGZONAoGBAKyY1w1C6Sv6sunL//57
+Cfy500iyj5FA9djfDC5kx+RY2yCWA1Tk2n6rVbzw88s0Sx3+a/HAmB3gLEpRENM+
+94uppCEXD7Twepe1RykM+JnjxO9CHN5sbvSnlRpPZS/g2QMXegx++kknHW4mHNAr
+wj2Tk1pAs1WnBtLoVhercMcJAoGBAI60HgIoF9K+/EG2cmKmH9H5utigdU6xq0+B
+XM31c3Pq4jgIh6e7zolTqkgtukS20khN9t/bnB6Nhg+SuXepIqVfWURyLz5pdODJ
+6WPLM63p7BGw0ctOmMMb/UFnXwE88ysFSg9AzV7UUD/SICbB9dtU1hxHrI+JYEgV
+Akegz7iBAoGBAIFw+AQIeB03MT/IBlk04CPL2DjM+48hTdQv8000HAOfQbk0EYP1
+CaKGtCm861zAf0sq/5DKYCIz9/GS3XFM4BmkFOgcSWTCO6ffLgK3qfC3xX2nvZH9
+XdcJL4+fwacLxsbI+8aQcNTtmozdR13BsfRb+HjT/j7vGkbQgJHBOK2z
+-----END RSA PRIVATE KEY-----

examples/mutual-tls/out/web-app.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIERzCCAi+gAwIBAgIRAPXxwn/7n06kIzhT3fsBWf4wDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEAxMHZ29vZC1jYTAeFw0xOTA4MTAyMTQyMjVaFw0yMTAyMTAxNzQw
+MDFaMBIxEDAOBgNVBAMTB3dlYi1hcHAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC4vnZ9idwdlFX2GFIzUoObJbmQRgXFsxh5N9CVuDbNpqzkU1roT0us
+oOlAqM/geAqmFkzXBldBAK0s5RWzEt8ixirP7r+2tAAifu8CwAUypZQUhgBMLNW/
+weBtqZ/d1XCZ0C/e/xh5Wzkimz9Q/vK3CY4GJLO6c0JrEKl24eWs1VM3CSEpn7by
+ZgIkOCPlfAf37hlt2dkZv08U3ZIZgalE8Q9I/MPHj6z/pHp3HQmBGBjouxXMU/NX
+A6YJQipdRn3SJ6+ARGfoDaywre82k88RTEHqSF1HaBqcYIFpTspiIdEP2e46SIc5
+XGQs4b8jlzI8/7OvXKvgoEuvYalUPD6jAgMBAAGjgZcwgZQwDgYDVR0PAQH/BAQD
+AgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUD5te
+BH7V+Y54qA5xm0Y5z3+q+xYwHwYDVR0jBBgwFoAUeeCQsyxV+Dg0gkbbnAD3zbl1
+c5wwIwYDVR0RBBwwGoIHd2ViLWFwcIIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4ICAQCDCKZq2pZAwKHU+KMBEgvz+4uaHVcJpzB2xi8EnxzDp90+HO3n
+j5E/b9PQ3B5QK0hFxiAah1vOIBHlZ0Xp979QYYRyM92xRmNCQbc1UMAQJeIRfqxx
+GhRkUFKXfJ8YCg+ULbMsvIgF68EzSMnSn3WKc6lRYsLyDaiZACQ1aTfufTjGZd37
+0XcPMHiD7MGQVXtAMyu0sxXDl83jzYCP1BD8z4ERgqoGbIIBpZYEYHyBLY6i022K
+NmqFL2TxgvnZM7y3pkSPTurFLBXjqF4UKexMGuXEi4B+O4G4STkfxBSQHzXmHhRW
+7FW9kNuoKLuOnP5stNiGW38/1F5ekLKdW32MtT5L+FNqknXRddpQO+CvFbUirB2W
+Yjo+nIzJV8YhIbKi50Z4U9n0yTMHDVh+TdXOPoQwd7MssC7dyD3bxxO08MzZDKMq
+MZd1KyA4Zo4GrUB/1kcVagoRG119RrmMNj0lPY2fO2ZQAnY7ZuGXN98+/eVaYIwF
+PGuCd1siQ9ty/yWLhi+Ut8Qpd46jboAbWWZmTddvVuUd8o0BGU9rdxYd1GxkO6sz
+68DaMm+uP9hjkkEJxh6ZFOwNRokmW5kujElDfr/0yGjS2lUn6HHBee/hxvn5evI8
+cNscqwNe6ls9GTa2b06caRq1UEKiyc/FothI44LBh5zGMRSg6yBntTtUog==
+-----END CERTIFICATE-----

examples/mutual-tls/out/web-app.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICjTCCAXUCAQAwEjEQMA4GA1UEAxMHd2ViLWFwcDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALi+dn2J3B2UVfYYUjNSg5sluZBGBcWzGHk30JW4Ns2m
+rORTWuhPS6yg6UCoz+B4CqYWTNcGV0EArSzlFbMS3yLGKs/uv7a0ACJ+7wLABTKl
+lBSGAEws1b/B4G2pn93VcJnQL97/GHlbOSKbP1D+8rcJjgYks7pzQmsQqXbh5azV
+UzcJISmftvJmAiQ4I+V8B/fuGW3Z2Rm/TxTdkhmBqUTxD0j8w8ePrP+kencdCYEY
+GOi7FcxT81cDpglCKl1GfdInr4BEZ+gNrLCt7zaTzxFMQepIXUdoGpxggWlOymIh
+0Q/Z7jpIhzlcZCzhvyOXMjz/s69cq+CgS69hqVQ8PqMCAwEAAaA2MDQGCSqGSIb3
+DQEJDjEnMCUwIwYDVR0RBBwwGoIHd2ViLWFwcIIJbG9jYWxob3N0hwR/AAABMA0G
+CSqGSIb3DQEBCwUAA4IBAQAQYQEPk4FBo6NxdDu5+cPdnZrkXKc159tUhjMqr6hh
+niWER1Pe2oDfgxvNv1/bAj5RqKv+UzAbr8gWpUJ412GOLNAV7iKwaShGwLuSSHBK
+EB9wAgz6HD6Vb4qbjzBp1Y7oLaJvCXhwAtTie/1mr3SBA1f9mZir+mnPAmsIagmr
+ZlT3/w+wXSxPrIBvPrlLApVOWF8evlKqfEBYJXEesad7N4VvcEVDaEtR3BONfRcF
+Qc14bsK9Eeh/qlKBCGZdos9ZBniUURxOalathVm+jbM16qgiGeHzbb9exdI8kvVY
+fIrFNBUji6DYRlcOo/jSu41pHWI6DlReIRHhmZs1sKTU
+-----END CERTIFICATE REQUEST-----

examples/mutual-tls/out/web-app.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAuL52fYncHZRV9hhSM1KDmyW5kEYFxbMYeTfQlbg2zaas5FNa
+6E9LrKDpQKjP4HgKphZM1wZXQQCtLOUVsxLfIsYqz+6/trQAIn7vAsAFMqWUFIYA
+TCzVv8Hgbamf3dVwmdAv3v8YeVs5Ips/UP7ytwmOBiSzunNCaxCpduHlrNVTNwkh
+KZ+28mYCJDgj5XwH9+4ZbdnZGb9PFN2SGYGpRPEPSPzDx4+s/6R6dx0JgRgY6LsV
+zFPzVwOmCUIqXUZ90ievgERn6A2ssK3vNpPPEUxB6khdR2ganGCBaU7KYiHRD9nu
+OkiHOVxkLOG/I5cyPP+zr1yr4KBLr2GpVDw+owIDAQABAoIBADg5NsRj9UpHP5YC
+ttmJriXEaGHg/Za6N6OEegVmp78Uj595QrxajZQ+8F3OQl11CwCa3s29z0YoF4wH
+OABkqOXjW1omtc+7niLhcInsuGg+ff90/JgyOOb/8PZO3ilb8MXO1xLNnbwpKA1B
+JBbZUDKmRMPX3Z7LvxXoXzqf6w8a47f/5tqMtpy1lyoLQ8tKcN6UfdwpaY3cnq1T
+/tS7e39Ebx5MkKVIaVVeNiTNOWWabsoZbZUJTpgUyTRdIZm8j8EDb4JbBiqhFpKq
+99qBaWoDWU5aZ75yGC6dPlZAfFc+22Th+Dv18EFeO2P2u/zT8OoijFoW/rPDl2mp
+hz/N6SkCgYEAwGS1HN42pEMfM/ECMwyOyn8h0T2d5BI7KDrLZyDHHes168iYwCAi
+/mMSzi8eZU46VzDNivOHYApOB+M0V9is/DHIdqnv1Vvp2RV9+2DKsYzp8mcFLqFw
+8YV39OrOmPgLKkYurHoPNKrRA6W/ML3AI38lWZCpD45Osi8sv92KRW0CgYEA9dJY
+jK04kPqDtehS9qeVttRPG0TyZtYfrtesyuptF9yZv8ZSShiXtf6mPct5iW0t3p3h
+3chYf2msgEQit/nszRcy3o5yI2XwV3QYzcJwfRVSwAfhY4tiuZ5hJl7C5z4gA1iw
+IfwCLeUwdHVlHuc4hPDeB44bhyIyCQyTAjf62k8CgYBUiyynTeLXFgPdMFhWFHue
+8nTq3NfIRFaonAWMAPRe6mBch17Qdo7KGMFHx57kx5aNgA2itNdVVdHqV2ZGABos
+DLhZpN2WdXhyg6ZD08necdzQP4MgdaMLDyqifphg0gceAY87Dbwm2bVVk/1LLucC
+8jl4fUA9bLyaQm64tWKwlQKBgHoEKLPbH2LHFi1q3hNUZ7nSdFmixXdJ/Xv5zekC
+p5fahe5s8FebEWLivX2ay/7s1IHVeFFvqo3D1D3ulBUh1uqOA0/5AKqVZNDj7ZPk
+WZWcyfBLeRLCEwTzmmFDVBcX/SfsE7Eqt6I0SvLjeof2WVWTgYHahctzq8ZWGXpW
+cwt9AoGAJqdcR7ghv1b41NJw6A41NjH6o2583gwKY4S92JnpXyGAaqATzTmTHOZO
+Y+11BVhHyMduygeEz4ltNIcR/d6br0nutESj4mD97gdIDq4gdHKfQ/Rwzw0n0z5o
+c7MgcKcYjSYj6XpRhbthH4TRP8a2RlDjEcRk9xg+wElWfZ18TZc=
+-----END RSA PRIVATE KEY-----

examples/mutual-tls/scripts/curl.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# A valid client cert
+curl -v \
+	--cacert out/good-ca.crt \
+	--key out/good-curl.key \
+	--cert out/good-curl.crt \
+	https://127.0.0.1:8443
+
+# an untrusted server ca, but good client cert, reject by client
+# curl -v \
+# 	--cacert out/bad-ca.crt \
+# 	--key out/good-curl.key \
+# 	--cert out/good-curl.crt \
+# 	https://127.0.0.1:8443
+
+# # an untrusted client cert from unustusted ca (rejected by server)
+
+# curl -v \
+# 	--cacert out/good-ca.crt \
+# 	--key out/bad-curl.key \
+# 	--cert out/bad-curl.crt \
+# 	https://127.0.0.1:8443

examples/mutual-tls/scripts/generate_certs.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# https://github.com/square/certstrap
+certstrap init --common-name good-ca
+certstrap init --common-name bad-ca
+
+# pomerium client cert
+certstrap request-cert --common-name pomerium
+certstrap sign pomerium --CA good-ca
+
+# downstream app
+certstrap request-cert -ip 127.0.0.1 -domain web-app,localhost
+certstrap sign web-app --CA good-ca
+
+certstrap request-cert --common-name good-curl
+certstrap sign good-curl --CA good-ca
+
+certstrap request-cert --common-name bad-curl
+certstrap sign bad-curl --CA bad-ca

examples/traefik/README.md

@@ -0,0 +1,17 @@
+# Pomerium as forward-auth provider for Traefik
+
+Run this demo locally on your docker-compose capable workstation, or replace `localhost.pomerium.io` with your own domain if running on a server.
+
+## Includes
+
+- Authentication and Authorization managed by pomerium
+- Routing / reverse proxying handled by traefik
+
+## How
+
+- Update `config.yaml` for your e-mail address, if not using gmail/google.
+- Replace secrets in `config.yaml`.
+- Run `docker-compose up` from this directory.
+- Navigate to `https://httpbin.localhost.pomerium.io`
+- ???
+- Profit

examples/traefik/config.yaml

@@ -0,0 +1,21 @@
+# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
+
+pomerium_debug: true
+address: :80
+cookie_secret: YVFTMIfW8yBJw+a6sYwdW8rHbU+IAAV/SUkCTg9Jtpo=
+shared_secret: 80ldlrU2d7w+wVpKNfevk6fmb8otEx6CqOfshj2LwhQ=
+
+idp_provider: "google"
+idp_client_id: REPLACEME
+idp_client_secret: REPLACEME
+
+insecure_server: true
+forward_auth_url: http://pomerium
+authenticate_service_url: https://authenticate.localhost.pomerium.io
+
+policy:
+  - from: https://httpbin.localhost.pomerium.io
+    to: https://httpbin
+    allowed_domains:
+      - pomerium.io
+      - gmail.com

examples/traefik/docker-compose.yaml

@@ -0,0 +1,44 @@
+version: "3"
+services:
+  traefik:
+    image: traefik:v2.1
+    command:
+      - "--accesslog=true"
+      - "--api.insecure=true"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--entryPoints.websecure.forwardedHeaders.insecure"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker=true"
+
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  httpbin:
+    image: kennethreitz/httpbin:latest
+    labels:
+      - "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion"
+      - "traefik.http.middlewares.pomerium.forwardauth.address=https://a6acdabcde358bd08f3537f4de7df7eb.m.pipedream.net"
+      - "traefik.http.middlewares.pomerium.forwardauth.trustForwardHeader=true"
+
+      - "traefik.http.routers.httpbin.middlewares=pomerium@docker"
+      - "traefik.enable=true"
+      - "traefik.http.routers.httpbin.rule=Host(`httpbin.localhost.pomerium.io`)"
+      - "traefik.http.routers.httpbin.entrypoints=websecure"
+      - "traefik.http.routers.httpbin.tls=true"
+
+  pomerium:
+    image: pomerium/pomerium:latest
+    volumes:
+      - ./config.yaml:/pomerium/config.yaml:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.pomerium.rule=Host(`authenticate.localhost.pomerium.io`)"
+      - "traefik.http.routers.pomerium.entrypoints=websecure"
+      - "traefik.http.routers.pomerium.tls=true"
+    expose:
+      - 80