- Feature Request
- Resolution: Unresolved
- Major
I'm using EJBCA which seems to use WildFly under the covers.
The EJBCA application supports mTLS from reverse proxy via HTTP headers, specifically this in WildFly: https://docs.wildfly.org/25/wildscribe/subsystem/undertow/server/http-listener/index.html#attr-certificate-forwarding
Looks like this:
Client <-- mTLS --> Proxy <-- SSL_CLIENT_CERT header --> EJBCA/WildFly
This works with something like nginx when forwarding the SSL_CLIENT_CERT header with the variable $ssl_client_cert (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_cert).
But this variable is deprecated because the value is not encoded properly (it has newlines), so they suggest using $ssl_client_escaped_cert.
But WildFly doesn't seem to handle this properly as far as I can tell. Is it possible to add URL decoding to the existing header or introduce an alternate header which supports encoding?
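
The decoding step requested above, as an added example (not EJBCA, WildFly or nginx code): a hypothetical `ForwardedCertHeader.toDer` helper that accepts the header value as raw PEM, tab-folded as `$ssl_client_cert` sends it, or percent-encoded as `$ssl_client_escaped_cert` sends it. The sample bytes are constructed placeholders, not a real certificate, and the helper assumes spaces arrive as `%20`.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class ForwardedCertHeader {
    static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    static final String END = "-----END CERTIFICATE-----";

    /** Returns the DER bytes carried in a forwarded client-certificate header value. */
    static byte[] toDer(String header) {
        String pem = header;
        // Raw PEM never contains '%', so its presence marks the percent-encoded form.
        if (pem.indexOf('%') >= 0) {
            // URLDecoder follows form encoding and maps '+' to a space; protect any
            // literal '+' first so base64 data is not corrupted.
            pem = URLDecoder.decode(pem.replace("+", "%2B"), StandardCharsets.UTF_8);
        }
        int start = pem.indexOf(BEGIN);
        int end = pem.indexOf(END);
        if (start < 0 || end < start) {
            throw new IllegalArgumentException("no PEM certificate block in header");
        }
        // Drop newlines, the tabs of folded header lines, and any stray spaces.
        String body = pem.substring(start + BEGIN.length(), end).replaceAll("\\s", "");
        return Base64.getDecoder().decode(body); // throws on non-base64 input
    }

    public static void main(String[] args) {
        // Constructed sample: placeholder bytes, not a real certificate.
        byte[] der = new byte[60];
        for (int i = 0; i < der.length; i++) der[i] = (byte) i;
        der[0] = (byte) 0xfb; der[1] = (byte) 0xef; der[2] = (byte) 0xbe; // base64 "++++"
        String raw = BEGIN + "\n"
                + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der)
                + "\n" + END + "\n";
        // $ssl_client_cert style: every line except the first starts with a tab.
        String folded = raw.trim().replace("\n", "\n\t");
        // $ssl_client_escaped_cert style: percent-encoded, space sent as %20.
        String escaped = URLEncoder.encode(raw, StandardCharsets.UTF_8).replace("+", "%20");
        for (String value : new String[] {raw, folded, escaped}) {
            if (!Arrays.equals(der, toDer(value))) {
                throw new AssertionError("header form did not round-trip");
            }
        }
        System.out.println("all three header forms decode to the same bytes");
    }
}
```

The returned bytes would then go to an X.509 parser such as `CertificateFactory.getInstance("X.509")`; the header must only be trusted when it can come from the proxy alone.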