Feature: make mTLS optional via configuration toggle

Author: leviathan0992

README.md

@@ -18,7 +18,7 @@ This tool is suitable for zero-trust network access, secure internal infrastruct
 ## Features
 
 - **Standard Compliant**: Full support for RFC 7231 HTTP/1.1 `CONNECT` tunneling.
-- **Secure by Design**: Enforced mTLS authentication + optional username/password.
+- **Secure by Design**: Optional mTLS authentication + mandatory/optional HTTP Basic Auth.
 - **Minimalist**: Single binary, zero dependencies, built on Go standard library.
 - **Production Ready**: OOM protection, graceful shutdown, atomic counters.
 
@@ -39,6 +39,7 @@ Edit `hproxy.json`:
     "server_pem": "/path/to/server.crt",
     "server_key": "/path/to/server.key",
     "client_pem": "/path/to/client.pem",
+    "mtls": true,
     "auth_users": {
         "your-username": "your-secure-password"
     }
@@ -50,7 +51,8 @@ Edit `hproxy.json`:
 | `listen_addr` | Address and port to listen on |
 | `server_pem` | Server certificate (PEM format) |
 | `server_key` | Server private key |
-| `client_pem` | CA certificate for verifying client certs |
+| `client_pem` | CA certificate for verifying client certs (only if `mtls` is `true`) |
+| `mtls` | (Optional) Enable/disable Client Certificate verification (Default: `true`) |
 | `auth_users` | (Optional) Username/password pairs for HTTP Basic Auth |
 
 ### 3. Run
@@ -110,7 +112,7 @@ Any client that supports "HTTPS Proxy" with client certificate authentication ca
 
 ## Security Features
 
-- **mTLS Enforcement**: Clients must present a valid certificate signed by the configured CA.
+- **Optional mTLS**: Toggleable client certificate verification via the `mtls` config.
 - **OOM Protection**: HTTP handshake limited to 16KB to prevent memory exhaustion.
 - **Log Sanitization**: Target addresses are filtered to prevent log injection attacks.
 - **Graceful Shutdown**: Handles SIGINT/SIGTERM for clean connection termination.

hproxy.json

@@ -3,6 +3,7 @@
     "server_pem": "server.crt",
     "server_key": "server.key",
     "client_pem": "client.pem",
+    "mtls": true,
     "auth_users": {
         "your-username": "your-secure-password"
     }

main.go

@@ -24,6 +24,7 @@ type Config struct {
 	ServerPEM  string            `json:"server_pem"`
 	ServerKey  string            `json:"server_key"`
 	ClientPEM  string            `json:"client_pem"`
+	MTLS       *bool             `json:"mtls,omitempty"` // Use pointer to distinguish between false and missing
 	ListenAddr string            `json:"listen_addr"`
 	AuthUsers  map[string]string `json:"auth_users,omitempty"`
 }
@@ -32,14 +33,16 @@ type Server struct {
 	serverPEM string
 	serverKEY string
 	clientPEM string
+	mtls      bool
 	authUsers map[string]string
 }
 
-func NewServer(serverPEM string, serverKEY string, clientPEM string, authUsers map[string]string) *Server {
+func NewServer(serverPEM string, serverKEY string, clientPEM string, mtls bool, authUsers map[string]string) *Server {
 	return &Server{
 		serverPEM: serverPEM,
 		serverKEY: serverKEY,
 		clientPEM: clientPEM,
+		mtls:      mtls,
 		authUsers: authUsers,
 	}
 }
@@ -219,25 +222,32 @@ func (s *Server) ListenAndServe(addr string) error {
 		return errors.New("failed to load server certificate and key: " + err.Error())
 	}
 
-	certBytes, err := os.ReadFile(s.clientPEM)
-	if err != nil {
-		return errors.New("failed to read client CA file: " + err.Error())
-	}
-
-	clientCertPool := x509.NewCertPool()
-	if ok := clientCertPool.AppendCertsFromPEM(certBytes); !ok {
-		return errors.New("failed to parse client CA certificates")
-	}
-
 	tlsConfig := &tls.Config{
 		MinVersion:             tls.VersionTLS12,
 		Certificates:           []tls.Certificate{cert},
-		ClientAuth:             tls.RequireAndVerifyClientCert,
-		ClientCAs:              clientCertPool,
 		SessionTicketsDisabled: false,
 		ClientSessionCache:     tls.NewLRUClientSessionCache(128),
 	}
 
+	if s.mtls {
+		certBytes, err := os.ReadFile(s.clientPEM)
+		if err != nil {
+			return errors.New("failed to read client CA file: " + err.Error())
+		}
+
+		clientCertPool := x509.NewCertPool()
+		if ok := clientCertPool.AppendCertsFromPEM(certBytes); !ok {
+			return errors.New("failed to parse client CA certificates")
+		}
+
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		tlsConfig.ClientCAs = clientCertPool
+		log.Printf("[SYSTEM] Server listening on %s (mTLS Enabled)", addr)
+	} else {
+		tlsConfig.ClientAuth = tls.NoClientCert
+		log.Printf("[SYSTEM] Server listening on %s (mTLS Disabled)", addr)
+	}
+
 	listener, err := tls.Listen("tcp", addr, tlsConfig)
 	if err != nil {
 		return err
@@ -295,7 +305,12 @@ func main() {
 		log.Fatalf("Failed to parse configuration file: %v", err)
 	}
 
-	s := NewServer(config.ServerPEM, config.ServerKey, config.ClientPEM, config.AuthUsers)
+	mtlsEnabled := true
+	if config.MTLS != nil {
+		mtlsEnabled = *config.MTLS
+	}
+
+	s := NewServer(config.ServerPEM, config.ServerKey, config.ClientPEM, mtlsEnabled, config.AuthUsers)
 
 	if err := s.ListenAndServe(config.ListenAddr); err != nil {
 		log.Fatalf("Server failed: %v", err)