The createDevProxy function creates a proxy for all(?) Nitro requests, and while it forwards non-TLS information, it doesn't allow client certificates:

It would be useful if this also allowed using peer certificates:

    if (!proxyReq.hasHeader("Client-Cert")) {
      // authorized is true if the TLS server was able to verify the client certificate against the CA bundle.
      if (req.socket.getPeerX509Certificate && req.socket.authorized) {
        const cert = req.socket.getPeerX509Certificate();
        if (cert) {
          proxyReq.setHeader("Client-Cert", cert.raw.toString('base64'));
        }
      }
    }

RFC 9440 defines this header as base64 of the DER encoding and requires the TLS server to perform verification. There's an optional Client-Cert-Chain it could also forward.

It would be even neater if the getPeerX509Certificate function was also made available on the Nitro side, so I don't have to treat this hidden proxying differently, but as long as the data is available, the rest is sugar.

Requires unjs/listhen#204

• Envoy uses x-forwarded-client-cert
• There are references to x-client-cert and x-client-certificate in various places on the Internet.