Add mTLS client certificate support for proxy authentication#4430

Open
dhawalseth wants to merge 2 commits into actions:main from dhawalseth:feature/mtls-proxy-support

Conversation

@dhawalseth

Summary

Add support for configuring TLS client certificates when connecting through proxies that require mTLS authentication.

  • Adds environment variable support for mTLS proxy configuration:
    • HTTPS_PROXY_CLIENT_CERT: Path to client certificate file (PEM format)
    • HTTPS_PROXY_CLIENT_KEY: Path to client private key file (PEM format)
    • HTTPS_PROXY_CA_CERT: Path to CA certificate file (PEM format)
  • Updates RunnerWebProxy to read and expose these certificate paths
  • Updates HttpClientHandlerFactory to load X509 certificates and configure HttpClientHandler.ClientCertificates
  • Supports both uppercase and lowercase environment variable names for consistency with existing proxy variables

Use Case

Enterprise environments often use mTLS proxies (like Kraken, Envoy with mTLS, or corporate forward proxies) that require clients to present certificates for authentication. This change enables the GitHub Actions runner to work in such environments.

Example Usage

export HTTPS_PROXY="http://proxy.corp.example.com:8080"
export HTTPS_PROXY_CLIENT_CERT="/etc/runner/certs/client.crt"
export HTTPS_PROXY_CLIENT_KEY="/etc/runner/certs/client.key"
export HTTPS_PROXY_CA_CERT="/etc/runner/certs/ca.crt"

./run.sh

Related PRs

This is part of a broader effort to add mTLS proxy support across the GitHub Actions ecosystem:

  • actions-runner-controller PR: #4498
  • scaleset PR: #101

Test plan

  • Added unit tests for HTTPS_PROXY_CLIENT_CERT, HTTPS_PROXY_CLIENT_KEY, HTTPS_PROXY_CA_CERT environment variable parsing
  • Added tests for lowercase environment variable variants
  • Error handling for missing or invalid certificate files

🤖 Generated with Claude Code

Add support for configuring TLS client certificates when connecting
through proxies that require mTLS authentication. This is configured
via environment variables:

- HTTPS_PROXY_CLIENT_CERT: Path to client certificate file (PEM)
- HTTPS_PROXY_CLIENT_KEY: Path to client private key file (PEM)
- HTTPS_PROXY_CA_CERT: Path to CA certificate file (PEM)

The HttpClientHandlerFactory loads these certificates and configures
the HttpClientHandler to present them during TLS handshake.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
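As an added illustration (not the runner's own HttpClientHandlerFactory or any code from this PR), the following hypothetical helper shows what the description above implies: resolving the three variables with the uppercase/lowercase convention, loading the PEM cert and key with explicit error handling for missing or mismatched files, and adding the result to HttpClientHandler.ClientCertificates. How HTTPS_PROXY_CA_CERT is consumed is not stated in the PR; the example assumes it is used as a private trust root via X509Chain custom root trust rather than by disabling validation.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
// Hypothetical helper (not the runner's HttpClientHandlerFactory): turns the PR's three variables into a handler.
public static class MtlsProxyHandlerExample
{
    // Same convention as the existing proxy variables: uppercase name first, lowercase fallback.
    static string? Env(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? Environment.GetEnvironmentVariable(name.ToLowerInvariant());
    public static HttpClientHandler Create()
    {
        var handler = new HttpClientHandler();
        string? certPath = Env("HTTPS_PROXY_CLIENT_CERT");
        string? keyPath = Env("HTTPS_PROXY_CLIENT_KEY");
        string? caPath = Env("HTTPS_PROXY_CA_CERT");
        if (certPath is not null || keyPath is not null)
        {
            // A certificate without its key (or vice versa) is a misconfiguration, not a no-op.
            if (certPath is null || keyPath is null)
                throw new InvalidOperationException("Set HTTPS_PROXY_CLIENT_CERT and HTTPS_PROXY_CLIENT_KEY together.");
            foreach (var p in new[] { certPath, keyPath })
                if (!File.Exists(p)) throw new FileNotFoundException("mTLS proxy file missing", p);
            // Throws CryptographicException on malformed PEM or a key that does not match the cert.
            var clientCert = X509Certificate2.CreateFromPemFile(certPath, keyPath);
            // Windows SslStream cannot use an ephemeral PEM-loaded key; round-trip through PKCS#12.
            if (OperatingSystem.IsWindows())
                clientCert = new X509Certificate2(clientCert.Export(X509ContentType.Pkcs12));
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(clientCert);
        }
        if (caPath is not null)
        {
            // Trust the private CA explicitly; never install a callback that simply returns true.
            var ca = new X509Certificate2(caPath);
            handler.ServerCertificateCustomValidationCallback = (_, cert, _, _) =>
            {
                if (cert is null) return false;
                using var chain = new X509Chain();
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Add(ca);
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private CAs rarely publish CRLs
                return chain.Build(cert);
            };
        }
        return handler;
    }
}
```

One check worth making when testing this: ClientCertificates are presented on the TLS session the handler negotiates, and with an http:// proxy URL as in the example usage that session is with the origin inside the CONNECT tunnel rather than with the proxy itself, so confirm against the real proxy which endpoint actually receives the certificate.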
2 participants