承接 kyzegs/mtls-bundle 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

kyzegs/mtls-bundle

Composer 安装命令:

composer require kyzegs/mtls-bundle

包简介

A reusable Symfony bundle for mTLS (mutual TLS) client-certificate authentication.

README 文档

README

A reusable Symfony bundle for mTLS (mutual TLS) client certificate authentication.

mTLS validation happens at the transport layer (Nginx / Caddy / Apache / Envoy). This bundle lives at the application layer: it reads the certificate the web server already validated, parses it, maps it to a Symfony security user, and integrates with Symfony's firewall, passport, and access-control system.

Requirements

  • PHP 8.2+
  • Symfony 6.4 or 7.x

Installation

composer require kyzegs/mtls-bundle

If you are not using Symfony Flex, register the bundle manually:

// config/bundles.php
return [
    Kyzegs\MTLSBundle\MTLSBundle::class => ['all' => true],
];

Web server configuration

The bundle expects your reverse proxy to forward the client certificate and verification status as server variables (or headers converted to server vars by your framework).

Nginx example

ssl_client_certificate /etc/ssl/ca.crt;
ssl_verify_client      on;

location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header SSL_CLIENT_CERT   $ssl_client_escaped_cert;
    proxy_set_header SSL_CLIENT_VERIFY $ssl_client_verify;
}

Caddy example

https://api.example.com {
    tls /certs/server.crt /certs/server.key {
        client_auth {
            mode require_and_verify
            trust_pool file /certs/ca.crt
        }
    }

    reverse_proxy 127.0.0.1:8000 {
        header_up SSL_CLIENT_CERT   {http.request.tls.client.certificate_pem}
        header_up SSL_CLIENT_VERIFY SUCCESS
    }
}

Configuration

# config/packages/mtls.yaml
mtls:
  enabled: true
  certificate_server_key: 'SSL_CLIENT_CERT'   # server var carrying the PEM
  verify_server_key:      'SSL_CLIENT_VERIFY'  # server var carrying the verify status
  allowed_verify_values:  ['SUCCESS']          # accepted verify statuses
  request_attribute_certificate: '_mtls_certificate'  # request attribute key for the ParsedCertificate

Security configuration

# config/packages/security.yaml
security:
  providers:
    mtls_memory:
      memory: ~

  firewalls:
    dev:
      pattern: ^/(_(profiler|wdt)|css|images|js)/
      security: false

    api:
      pattern: ^/api
      stateless: true
      custom_authenticators:
        - Kyzegs\MTLSBundle\Security\Authenticator\MTLSAuthenticator

  access_control:
    - { path: ^/api, roles: ROLE_MTLS }

Custom user resolver

The bundle ships with DefaultCertificateUserResolver, which maps the certificate's Common Name (CN) — or serial number as fallback — to an MTLSUser.

To plug in your own identity mapping, implement CertificateUserResolverInterface and alias it in your services configuration:

// src/Security/MyCustomUserResolver.php
namespace App\Security;

use Kyzegs\MTLSBundle\Contract\CertificateUserResolverInterface;
use Kyzegs\MTLSBundle\ValueObject\ParsedCertificate;
use Symfony\Component\Security\Core\User\UserInterface;

final class MyCustomUserResolver implements CertificateUserResolverInterface
{
    public function resolve(ParsedCertificate $certificate): ?UserInterface
    {
        // Your domain logic here — e.g. look up participant by SAN URI
        $participantId = $certificate->subjectAltName('URI')[0] ?? null;
        // ...
    }
}
# config/services.yaml
services:
  Kyzegs\MTLSBundle\Contract\CertificateUserResolverInterface:
    alias: App\Security\MyCustomUserResolver

Multiple firewalls / multiple resolvers

When you need different certificate resolvers for different API endpoints, define multiple named authenticator services — each wired to a different resolver — and assign them to separate Symfony firewalls:

# config/services.yaml
services:
  App\Security\PartnerCertificateUserResolver: ~

  mtls.authenticator.partner:
    class: Kyzegs\MTLSBundle\Security\Authenticator\MTLSAuthenticator
    arguments:
      $enabled: '%mtls.enabled%'
      $extractor: '@Kyzegs\MTLSBundle\Service\CertificateExtractor'
      $parser: '@Kyzegs\MTLSBundle\Service\CertificateParser'
      $validator: '@Kyzegs\MTLSBundle\Service\CertificateValidator'
      $userResolver: '@App\Security\PartnerCertificateUserResolver'
      $requestAttributeCertificate: '%mtls.request_attribute_certificate%'
# config/packages/security.yaml
security:
  firewalls:
    api_partner:
      pattern: ^/api/partner
      stateless: true
      custom_authenticators:
        - mtls.authenticator.partner

Accessing the certificate in a controller

After successful authentication the parsed certificate is available as a request attribute:

use Kyzegs\MTLSBundle\ValueObject\ParsedCertificate;

#[Route('/api/profile')]
public function profile(Request $request): Response
{
    /** @var ParsedCertificate $cert */
    $cert = $request->attributes->get('_mtls_certificate');

    return new JsonResponse([
        'cn'     => $cert->commonName,
        'serial' => $cert->serialNumber,
        'san'    => $cert->subjectAltName('URI'),
    ]);
}

Architecture

Web server (Nginx / Caddy)
  └─ validates client cert via TLS (mTLS)
  └─ forwards SSL_CLIENT_CERT + SSL_CLIENT_VERIFY to Symfony

MTLSAuthenticator::supports()
  └─ checks bundle is enabled + SSL_CLIENT_CERT header present

MTLSAuthenticator::authenticate()
  ├─ CertificateExtractor  — reads PEM + verify status from $request->server
  ├─ CertificateValidator  — asserts verify status is in allowed_verify_values
  ├─ CertificateParser     — openssl_x509_parse() → ParsedCertificate
  ├─ CertificateUserResolverInterface::resolve() → UserInterface
  └─ Returns SelfValidatingPassport with CertificateBadge

Local development / testing

See the ChatGPT design conversation for a full Caddy + OpenSSL local mTLS setup. Quick summary:

# 1. Generate local CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt \
  -subj "/CN=Local Dev CA"

# 2. Generate client certificate
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/CN=test-participant"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt -days 825 -sha256

# 3. Call your endpoint
curl --cacert ca.crt --cert client.crt --key client.key \
  https://localhost:8443/api/profile

License

MIT

kyzegs/mtls-bundle 适用场景与选型建议

kyzegs/mtls-bundle 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 0 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 04 月 13 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「symfony」 「security」 「Authentication」 「tls」 「certificate」 「mtls」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 kyzegs/mtls-bundle 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 kyzegs/mtls-bundle 我们能提供哪些服务?
定制开发 / 二次开发

基于 kyzegs/mtls-bundle 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 0
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 34
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2026-04-13