Files
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00
..

provider-http/tls (HTTP Provider with TLS Certificates)

You can run this example with:

npx promptfoo@latest init --example provider-http/tls
cd provider-http/tls

This example demonstrates how to configure the HTTP provider with TLS/SSL certificates for mutual TLS (mTLS) authentication.

Overview

The HTTP provider supports multiple certificate formats for mutual TLS authentication:

  1. PEM (Separate cert/key files): Traditional format with separate certificate and key files
  2. PEM with Encrypted Key: PEM format where the private key is password-protected
  3. PFX/PKCS#12: Combined certificate bundle format

Each format can be provided via:

  • File Path: Reference files on disk
  • Inline Content: Embed certificate content directly (base64 for binary formats)
  • Environment Variables: Load from environment variables

PEM Certificate Options

Using Unencrypted PEM Files

The simplest approach - separate certificate and key files:

tls:
  certPath: '/path/to/client-cert.pem'
  keyPath: '/path/to/client-key.pem'

Using Encrypted PEM Private Key

When your private key is password-protected (starts with BEGIN ENCRYPTED PRIVATE KEY):

tls:
  certPath: '/path/to/client-cert.pem'
  keyPath: '/path/to/client-key-encrypted.pem'
  passphrase: 'your-key-password'

Using Inline PEM Content

Embed certificates directly in your configuration:

tls:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIDxTCCAq2gAwIBAgIJAL...
    -----END CERTIFICATE-----
  key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0B...
    -----END PRIVATE KEY-----

PFX Certificate Options

Using File Path

Reference a PFX file on the filesystem:

tls:
  pfxPath: '/path/to/certificate.pfx'
  passphrase: 'your-passphrase'

Using Inline Base64 Content

Embed the certificate directly in your configuration:

tls:
  pfx: 'MIIJKQIBAzCCCO8GCSqGSIb3DQEHA...' # Base64-encoded PFX
  passphrase: 'your-passphrase'

Using Environment Variables

Store sensitive certificates in environment variables:

tls:
  pfx: '{{env.PFX_CERTIFICATE_BASE64}}'
  passphrase: '{{env.PFX_PASSPHRASE}}'

Converting PFX to Base64

To use inline PFX certificates, you need to convert your PFX file to base64:

Linux/Mac

base64 -i certificate.pfx -o certificate.b64

Windows

certutil -encode certificate.pfx certificate.b64

Then copy the content (excluding the BEGIN/END headers) to use as the pfx value.

Security Considerations

  1. Never commit certificates to version control: Use environment variables or external secret management
  2. Protect your private keys: Ensure PFX files have appropriate file permissions
  3. Use strong passphrases: Always protect PFX files with strong passphrases
  4. Certificate validation: Keep rejectUnauthorized: true in production

Running the Example

  1. Replace the sample certificate values with your actual certificates
  2. Set the required environment variables:
    export PFX_PASSPHRASE="your-passphrase"
    export PFX_CERTIFICATE_BASE64="your-base64-cert"
    
  3. Run the evaluation:
    promptfoo eval
    

TLS Configuration Options

Option Description
cert Inline PEM certificate content
certPath Path to PEM certificate file
key Inline PEM private key content
keyPath Path to PEM private key file
pfx Inline PFX certificate (base64-encoded string or Buffer)
pfxPath Path to PFX file on disk
passphrase Password for encrypted PEM private key or PFX certificate
ca CA certificate content for server verification
caPath Path to CA certificate file
rejectUnauthorized Verify server certificates (always true in production)
minVersion Minimum TLS version (e.g., 'TLSv1.2')
maxVersion Maximum TLS version (e.g., 'TLSv1.3')
ciphers Cipher suite specification

Troubleshooting

Invalid PFX Format

If you get an error about invalid PFX format:

  • Ensure the base64 encoding is correct
  • Verify the passphrase is correct
  • Check that the PFX file is not corrupted

Connection Refused

If the connection is refused:

  • Verify the server requires client certificates
  • Ensure the certificate is valid and not expired
  • Check that the certificate is trusted by the server

Certificate Verification Failed

If certificate verification fails:

  • Add the server's CA certificate using ca or caPath
  • For development only: set rejectUnauthorized: false (never in production)