I am a big fan of mutual TLS ("mTLS" if you prefer the shorter spelling, "client certificates" if you are describing the half a user actually touches). Strangely, I rarely see it used in the wild. That probably says something worrying about how I choose to spend free time, but it is a neat fit for small private infrastructure. Most people reach for HTTP Basic, an API token, or a VPN, and call it a day. A private pkg repository is one of those quiet little places where mutual TLS fits perfectly: a well-established mechanism, no humans typing passwords, and a server that should only answer questions from boxes I actually have access to.

This is the story of putting a FreeBSD repository over HTTPS and making nginx accept only clients with certificates signed by my own tiny certificate authority. This can be useful if you want, for example, to build an "enterprise repo" where only subscribed users have access, or a test repo that only friends can access.

Start with plain HTTPS

First things first - port 80's only job is to redirect to 443. There is no prize for serving packages over cleartext in 2026. A tiny declaration in /usr/local/etc/nginx/sites-available/ is enough:

    server {
        listen 80;
        server_name pkg.example.com;
        return 301 https://$server_name$request_uri;
    }

The server side of TLS

Next, the actual HTTPS server. This is still the "regular" half of TLS - the server proves who it is to clients. I am using a Let's Encrypt certificate for pkg.example.com, which is free and renews itself if you ask it nicely. The mutual half comes later - first we need a working one-sided handshake to build on top of.
The configuration is familiar to all of us:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        ssl_certificate /usr/local/etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /usr/local/etc/nginx/ssl/example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        root /var/www-private-pkg/html;
        server_name pkg.example.com;

        location / {
            try_files $uri $uri/ =404;
        }
    }

The root is where the pk...
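The post relies on a tiny certificate authority of its own to decide which clients may talk to the repository. The following shell script is an added example, not code from the post, that builds such a CA with openssl, issues one client certificate from it, and shows that only certificates chaining to that CA pass verification: an equally valid certificate from an unrelated CA is rejected. This is the same chain check nginx performs on client certificates once ssl_client_certificate and ssl_verify_client are configured (those directives are not shown on this page). The names pkg-ca, other-ca, laptop01 and stranger, and the scratch directory, are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not code from the original post: build the kind of tiny
# private CA the post describes with openssl, issue one client certificate
# from it, and check which client certificates that CA vouches for. This is
# the same chain check nginx later performs on client certificates.
# The names pkg-ca, other-ca, laptop01 and stranger are assumptions made up
# for this illustration; WORK is a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
EOF

# Create a CA: a self-signed certificate explicitly marked as a CA. Its key
# should live offline; it is only needed when issuing client certificates.
make_ca() {
    name="$1"
    openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=$name" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Issue a client certificate: generate a key and CSR for the client, then
# sign the CSR with the named CA.
issue_client() {
    ca="$1"; client="$2"
    openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$client" \
        -keyout "$WORK/$client.key" -out "$WORK/$client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$client.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -days 365 -out "$WORK/$client.crt" >/dev/null 2>&1
}

# Does the client certificate chain to the trusted CA? Prints "accepted" or
# "rejected" and returns 0 or 1 accordingly.
check_client() {
    ca="$1"; client="$2"
    if openssl verify -CAfile "$WORK/$ca.crt" "$WORK/$client.crt" >/dev/null 2>&1; then
        echo accepted
        return 0
    fi
    echo rejected
    return 1
}

# Walk through the whole story: a certificate from our own CA is accepted,
# a certificate from an unrelated CA is rejected even though it is perfectly
# valid on its own. Returns 0 only if both outcomes are as expected.
demo() {
    make_ca pkg-ca
    make_ca other-ca
    issue_client pkg-ca laptop01
    issue_client other-ca stranger
    check_client pkg-ca laptop01 || return 1
    if check_client pkg-ca stranger; then return 1; fi
    return 0
}

demo
```

Run it with plain sh; it prints "accepted" for laptop01 and "rejected" for stranger. Only pkg-ca.crt needs to be copied to the web server for nginx to trust clients; pkg-ca.key stays wherever client certificates are issued, since anyone holding it can mint a certificate the repository will accept.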