
fix(haproxy): delete headers when non-mtls
Mrizwanshaik committed May 3, 2024
1 parent 7f8e791 commit 6fabce0
Showing 4 changed files with 78 additions and 59 deletions.
2 changes: 1 addition & 1 deletion acceptance-tests/xfcc_test.go
Expand Up @@ -111,7 +111,7 @@ var _ = Describe("forwarded_client_cert", func() {
"X-SSL-Client-Subject-Cn": "app.mycert.com",
"X-SSL-Client-Issuer-Dn": "ACME inc, USA",
"X-SSL-Client-Issuer-Cn": "mycert.com",
"X-SSL-Client-Root-CA-DN": "/C=X/ST=Y/L=xyz/O=ABC/CN=*.example.com"
"X-SSL-Client-Root-CA-DN": "/C=X/ST=Y/L=xyz/O=ABC/CN=*.example.com",
"X-SSL-Client-Notbefore": "Wednesday",
"X-SSL-Client-Notafter": "Thursday",
"X-SSL-Client-Cert": "ABC",
24 changes: 15 additions & 9 deletions jobs/haproxy/templates/haproxy.config.erb
Expand Up @@ -525,18 +525,20 @@ frontend https-in
http-request del-header X-SSL-Client-Subject-DN
http-request del-header X-SSL-Client-Subject-CN
http-request del-header X-SSL-Client-Issuer-DN
http-request del-header X-SSL-Client-Root-CA-DN
http-request del-header X-SSL-Client-NotBefore
http-request del-header X-SSL-Client-NotAfter
<%- when :non_mtls_only -%>
http-request del-header X-Forwarded-Client-Cert if ! { ssl_c_used }
http-request del-header X-SSL-Client if ! { ssl_c_used }
http-request del-header X-SSL-Client-Session-ID if ! { ssl_c_used }
http-request del-header X-SSL-Client-Verify if ! { ssl_c_used }
http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }
http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
http-request del-header X-Forwarded-Client-Cert if ! { ssl_c_used }
http-request del-header X-SSL-Client if ! { ssl_c_used }
http-request del-header X-SSL-Client-Session-ID if ! { ssl_c_used }
http-request del-header X-SSL-Client-Verify if ! { ssl_c_used }
http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }
http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
<%- when :non_route_service_only -%>
acl route_service_request hdr(X-Cf-Proxy-Signature) -m found
http-request del-header X-Forwarded-Client-Cert if !route_service_request
Expand All @@ -546,6 +548,7 @@ frontend https-in
http-request del-header X-SSL-Client-Subject-DN if !route_service_request
http-request del-header X-SSL-Client-Subject-CN if !route_service_request
http-request del-header X-SSL-Client-Issuer-DN if !route_service_request
http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request
http-request del-header X-SSL-Client-NotBefore if !route_service_request
http-request del-header X-SSL-Client-NotAfter if !route_service_request
<%- end -%>
Expand Down Expand Up @@ -680,6 +683,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Subject-DN
http-request del-header X-SSL-Client-Subject-CN
http-request del-header X-SSL-Client-Issuer-DN
http-request del-header X-SSL-Client-Root-CA-DN
http-request del-header X-SSL-Client-NotBefore
http-request del-header X-SSL-Client-NotAfter
<%- when :non_mtls_only -%>
Expand All @@ -690,6 +694,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }
http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
<%- when :non_route_service_only -%>
Expand All @@ -701,6 +706,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Subject-DN if !route_service_request
http-request del-header X-SSL-Client-Subject-CN if !route_service_request
http-request del-header X-SSL-Client-Issuer-DN if !route_service_request
http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request
http-request del-header X-SSL-Client-NotBefore if !route_service_request
http-request del-header X-SSL-Client-NotAfter if !route_service_request
<%- end -%>
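Review bot: The deletion list in each `<%- when -%>` branch of the first hunk is hand-maintained in six places (three modes here, three more under `frontend wss-in`), which is exactly how `X-SSL-Client-Root-CA-DN` came to be missing from the set this commit repairs; any header absent from one list can be supplied by the client and reach the backend looking as if the proxy had set it. If the bundled HAProxy accepts the `-m` argument on `del-header` (2.2 and later), one prefix match per branch, `http-request del-header X-SSL-Client -m beg if ! { ssl_c_used }`, removes every `X-SSL-Client-*` header at once (keep the separate `X-Forwarded-Client-Cert` line, which the prefix does not cover); otherwise hoist the names into a single ERB array and render each branch from it so a new header is deleted everywhere or nowhere. A comment above the first list, `# Every X-SSL-Client-* header the proxy sets below must also be deleted here, or a client can inject it`, records the invariant either way. The 9-line and 10-line blocks in the first hunk read identically apart from the added line, so the rest of that churn is presumably indentation only and worth confirming. The enclosing `<%- case -%>` and the `frontend https-in` section both begin outside the hunk.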
6 changes: 6 additions & 0 deletions spec/haproxy/templates/haproxy_config/frontend_https_spec.rb
Expand Up @@ -187,6 +187,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
end
Expand All @@ -212,6 +213,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }')
end
Expand All @@ -232,6 +234,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
end
Expand All @@ -254,6 +257,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
end
Expand Down Expand Up @@ -300,6 +304,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
end
Expand All @@ -326,6 +331,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
end
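Review bot: Each context in this hunk and the five others in this file repeats one `expect(...).to include(...)` per header, so a header missing from the template's deletion list is only caught if someone also remembers to add it here — the `X-SSL-Client-Root-CA-DN` gap this commit closes survived because the spec lists were as incomplete as the template. Define the names once, `MTLS_HEADERS = %w[X-Forwarded-Client-Cert X-SSL-Client X-SSL-Client-Session-ID X-SSL-Client-Verify X-SSL-Client-Subject-DN X-SSL-Client-Subject-CN X-SSL-Client-Issuer-DN X-SSL-Client-Root-CA-DN X-SSL-Client-NotBefore X-SSL-Client-NotAfter].freeze`, and drive each context from it, `MTLS_HEADERS.each { |h| expect(frontend_https).to include("http-request del-header #{h} if !route_service_request") }`, so that extending the constant extends every context. The same applies to the matching hunks in frontend_wss_spec.rb. Every `it` block shown here starts outside its hunk.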
105 changes: 56 additions & 49 deletions spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb
Expand Up @@ -162,6 +162,7 @@
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Subject-DN')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Subject-CN')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Root-CA-DN')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-NotAfter')
end
Expand All @@ -185,6 +186,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
end
Expand All @@ -197,9 +199,9 @@
context 'when mutual TLS is enabled' do
let(:properties) do
default_properties.merge({
'client_cert' => true,
'forwarded_client_cert' => 'forward_only'
})
'client_cert' => true,
'forwarded_client_cert' => 'forward_only'
})
end

it 'deletes mTLS headers when mTLS is not used' do
Expand All @@ -210,6 +212,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }')
end
Expand All @@ -230,6 +233,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
end
Expand All @@ -252,6 +256,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
end
Expand Down Expand Up @@ -298,6 +303,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
end
Expand All @@ -310,9 +316,9 @@
context 'when mutual TLS is enabled' do
let(:properties) do
default_properties.merge({
'client_cert' => true,
'forwarded_client_cert' => 'forward_only_if_route_service'
})
'client_cert' => true,
'forwarded_client_cert' => 'forward_only_if_route_service'
})
end

it 'deletes mTLS headers for non-route service requests (for mTLS and non-mTLS)' do
Expand All @@ -324,6 +330,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
end
Expand All @@ -344,10 +351,10 @@
context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
let(:properties) do
default_properties.merge({
'client_cert' => true,
'forwarded_client_cert' => 'forward_only_if_route_service',
'legacy_xfcc_header_mapping' => true
})
'client_cert' => true,
'forwarded_client_cert' => 'forward_only_if_route_service',
'legacy_xfcc_header_mapping' => true
})
end

it 'overwrites mTLS headers without base64 encoding when mTLS is used' do
Expand Down Expand Up @@ -438,10 +445,10 @@
context 'when HTTP1 and HTTP2 backend servers are available' do
let(:properties) do
default_properties.merge({
'disable_backend_http2_websockets' => true,
'enable_http2' => true,
'backend_ssl' => 'verify'
})
'disable_backend_http2_websockets' => true,
'enable_http2' => true,
'backend_ssl' => 'verify'
})
end

it 'uses the HTTP2 backend default backend' do
Expand All @@ -452,11 +459,11 @@
context 'when only HTTP2 backend servers are available' do
let(:properties) do
default_properties.merge({
'disable_backend_http2_websockets' => false,
'enable_http2' => true,
'backend_match_http_protocol' => false,
'backend_ssl' => 'verify'
})
'disable_backend_http2_websockets' => false,
'enable_http2' => true,
'backend_match_http_protocol' => false,
'backend_ssl' => 'verify'
})
end

it 'uses the HTTP2 backend default backend' do
Expand All @@ -467,9 +474,9 @@
context 'when backend_match_http_protocol is true' do
let(:properties) do
default_properties.merge({
'backend_match_http_protocol' => true,
'backend_ssl' => 'verify'
})
'backend_match_http_protocol' => true,
'backend_ssl' => 'verify'
})
end

it 'enables config to match the protocol' do
Expand All @@ -481,9 +488,9 @@
context('when backend_ssl is off') do
let(:properties) do
default_properties.merge({
'backend_match_http_protocol' => true,
'backend_ssl' => 'off'
})
'backend_match_http_protocol' => true,
'backend_ssl' => 'off'
})
end

it 'does not override the default backend' do
Expand All @@ -495,17 +502,17 @@
context 'when ha_proxy.http_request_deny_conditions are provided' do
let(:properties) do
default_properties.merge({
'http_request_deny_conditions' => [{
'condition' => [{
'acl_name' => 'block_host',
'acl_rule' => 'hdr_beg(host) -i login'
}, {
'acl_name' => 'whitelist_ips',
'acl_rule' => 'src 5.22.5.11 5.22.5.12',
'negate' => true
}]
}]
})
'http_request_deny_conditions' => [{
'condition' => [{
'acl_name' => 'block_host',
'acl_rule' => 'hdr_beg(host) -i login'
}, {
'acl_name' => 'whitelist_ips',
'acl_rule' => 'src 5.22.5.11 5.22.5.12',
'negate' => true
}]
}]
})
end

it 'adds the correct acls and http-request deny rules' do
Expand Down Expand Up @@ -595,13 +602,13 @@
context 'when ha_proxy.routed_backend_servers are provided' do
let(:properties) do
default_properties.merge({
'routed_backend_servers' => {
'/images' => {
'port' => 12_000,
'servers' => ['10.0.0.1']
}
}
})
'routed_backend_servers' => {
'/images' => {
'port' => 12_000,
'servers' => ['10.0.0.1']
}
}
})
end

it 'grants access to the backend servers' do
Expand All @@ -612,12 +619,12 @@
context 'when a routed_backend_server contains additional_acls' do
let(:properties) do
super().deep_merge({
'routed_backend_servers' => {
'/images' => {
'additional_acls' => ['method GET', 'path_end /foo']
}
}
})
'routed_backend_servers' => {
'/images' => {
'additional_acls' => ['method GET', 'path_end /foo']
}
}
})
end

it 'includes additional acls' do
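Review bot: Most of this file's 56 additions and 49 deletions come from the `default_properties.merge({ ... })` and `super().deep_merge({ ... })` hash bodies, beginning with the `'client_cert' => true` block under `when mutual TLS is enabled` and running through the `routed_backend_servers` context, which appear on both sides with identical text and so presumably differ only in indentation. Folding that re-indentation of unrelated contexts into a fix for a missing header deletion makes the substantive change harder to audit and to backport; split the whitespace-only reformatting into its own commit, or drop it if an editor applied it unintentionally. The seven `X-SSL-Client-Root-CA-DN` expectation lines are the only additions that belong to the fix, and they would be easier to keep in step with the template if driven from one shared header list rather than repeated per context. Every `context` and `let` block shown begins or ends outside its hunk.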
