From 70bf8c257076dd74c57eba0a9b0a8b741851cc91 Mon Sep 17 00:00:00 2001
From: M Rizwan Shaik
Date: Fri, 3 May 2024 07:49:17 +0200
Subject: [PATCH] fix(haproxy): delete headers when non-mtls
---
 jobs/haproxy/templates/haproxy.config.erb | 24 +++-
 .../haproxy_config/frontend_https_spec.rb | 6 ++
 .../haproxy_config/frontend_wss_spec.rb | 99 ++++++++++---
 3 files changed, 74 insertions(+), 55 deletions(-)
diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb
index 8c8e0643..5d62e3d7 100644
--- a/jobs/haproxy/templates/haproxy.config.erb
+++ b/jobs/haproxy/templates/haproxy.config.erb
@@ -525,18 +525,20 @@ frontend https-in
 http-request del-header X-SSL-Client-Subject-DN
 http-request del-header X-SSL-Client-Subject-CN
 http-request del-header X-SSL-Client-Issuer-DN
+ http-request del-header X-SSL-Client-Root-CA-DN
 http-request del-header X-SSL-Client-NotBefore
 http-request del-header X-SSL-Client-NotAfter
 <%- when :non_mtls_only -%>
- http-request del-header X-Forwarded-Client-Cert if ! { ssl_c_used }
- http-request del-header X-SSL-Client if ! { ssl_c_used }
- http-request del-header X-SSL-Client-Session-ID if ! { ssl_c_used }
- http-request del-header X-SSL-Client-Verify if ! { ssl_c_used }
- http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }
- http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }
- http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
- http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
- http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
+ http-request del-header X-Forwarded-Client-Cert if ! { ssl_c_used }
+ http-request del-header X-SSL-Client if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-Session-ID if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-Verify if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
 <%- when :non_route_service_only -%>
 acl route_service_request hdr(X-Cf-Proxy-Signature) -m found
 http-request del-header X-Forwarded-Client-Cert if !route_service_request
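Review bot: The full client-certificate header list is now hand-copied into every `when` branch of both `https-in` and `wss-in`, and this commit exists precisely because `X-SSL-Client-Root-CA-DN` was missing from those copies, so a client-supplied value of that header could reach the backend un-stripped; the 546, 680, 690 and 701 hunks carry the same copies. Defining the list once in the template and emitting each branch from it removes that class of omission, and the `acl route_service_request` line and the branches' conditions stay as they are. If the bundled HAProxy is 2.2 or newer, `http-request del-header X-SSL-Client -m beg if ! { ssl_c_used }` would also strip every `X-SSL-Client*` name in one rule, but the explicit list is easier to audit against the matching set-header rules. The enclosing `case` begins outside this hunk, so the list assignment belongs before it.
```erb
<%# defined once, before the case, so set/delete rules cannot drift apart %>
<%- mtls_headers = %w[
  X-Forwarded-Client-Cert X-SSL-Client X-SSL-Client-Session-ID X-SSL-Client-Verify
  X-SSL-Client-Subject-DN X-SSL-Client-Subject-CN X-SSL-Client-Issuer-DN
  X-SSL-Client-Root-CA-DN X-SSL-Client-NotBefore X-SSL-Client-NotAfter
] -%>
<%# … unchanged: earlier branches of the case … %>
<%- when :non_mtls_only -%>
<%- mtls_headers.each do |header| -%>
    http-request del-header <%= header %> if ! { ssl_c_used }
<%- end -%>
<%- when :non_route_service_only -%>
    acl route_service_request hdr(X-Cf-Proxy-Signature) -m found
<%- mtls_headers.each do |header| -%>
    http-request del-header <%= header %> if !route_service_request
<%- end -%>
```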
@@ -546,6 +548,7 @@ frontend https-in
 http-request del-header X-SSL-Client-Subject-DN if !route_service_request
 http-request del-header X-SSL-Client-Subject-CN if !route_service_request
 http-request del-header X-SSL-Client-Issuer-DN if !route_service_request
+ http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request
 http-request del-header X-SSL-Client-NotBefore if !route_service_request
 http-request del-header X-SSL-Client-NotAfter if !route_service_request
 <%- end -%>
@@ -680,6 +683,7 @@ frontend wss-in
 http-request del-header X-SSL-Client-Subject-DN
 http-request del-header X-SSL-Client-Subject-CN
 http-request del-header X-SSL-Client-Issuer-DN
+ http-request del-header X-SSL-Client-Root-CA-DN
 http-request del-header X-SSL-Client-NotBefore
 http-request del-header X-SSL-Client-NotAfter
 <%- when :non_mtls_only -%>
@@ -690,6 +694,7 @@ frontend wss-in
 http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }
 http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }
 http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
+ http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }
 http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
 http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
 <%- when :non_route_service_only -%>
@@ -701,6 +706,7 @@ frontend wss-in
 http-request del-header X-SSL-Client-Subject-DN if !route_service_request
 http-request del-header X-SSL-Client-Subject-CN if !route_service_request
 http-request del-header X-SSL-Client-Issuer-DN if !route_service_request
+ http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request
 http-request del-header X-SSL-Client-NotBefore if !route_service_request
 http-request del-header X-SSL-Client-NotAfter if !route_service_request
 <%- end -%>
diff --git a/spec/haproxy/templates/haproxy_config/frontend_https_spec.rb b/spec/haproxy/templates/haproxy_config/frontend_https_spec.rb
index aac7288e..7370d6db 100644
--- a/spec/haproxy/templates/haproxy_config/frontend_https_spec.rb
+++ b/spec/haproxy/templates/haproxy_config/frontend_https_spec.rb
@@ -187,6 +187,7 @@
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
+ expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
 end
@@ -212,6 +213,7 @@
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }')
+ expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }')
 end
@@ -232,6 +234,7 @@
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
+ expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
 end
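Review bot: The ten-entry header list these examples walk one `expect` per line is repeated verbatim in six examples of this spec and seven of `frontend_wss_spec.rb` (the 254–326 hunks here and the 162–324 hunks there), which is how a header added to the template can again go unasserted in one forwarding mode. A spec-level `MTLS_HEADERS = %w[X-Forwarded-Client-Cert X-SSL-Client X-SSL-Client-Session-ID X-SSL-Client-Verify X-SSL-Client-Subject-DN X-SSL-Client-Subject-CN X-SSL-Client-Issuer-DN X-SSL-Client-Root-CA-DN X-SSL-Client-NotBefore X-SSL-Client-NotAfter].freeze` iterated as `MTLS_HEADERS.each { |h| expect(frontend_https).to include("http-request del-header #{h} if ! { ssl_c_used }") }` makes every mode check the same set and fails on the first header the template drops. The `it` block of each example starts outside the hunk, so whether the earlier entries (`X-Forwarded-Client-Cert`, `X-SSL-Client`, …) are already asserted there cannot be seen from this diff.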
@@ -254,6 +257,7 @@
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
+ expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
 end
@@ -300,6 +304,7 @@
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN if !route_service_request')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN if !route_service_request')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
+ expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
 end
@@ -326,6 +331,7 @@
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-DN if !route_service_request')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Subject-CN if !route_service_request')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
+ expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
 expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
 end
diff --git a/spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb b/spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb
index 9cfef0e3..a6aeb441 100644
--- a/spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb
+++ b/spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb
@@ -162,6 +162,7 @@
 expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Subject-DN')
 expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Subject-CN')
 expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Issuer-DN')
+ expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Root-CA-DN')
 expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-NotBefore')
 expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-NotAfter')
 end
@@ -185,6 +186,7 @@
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
+ expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
 end
@@ -197,9 +199,9 @@
 context 'when mutual TLS is enabled' do
 let(:properties) do
 default_properties.merge({
- 'client_cert' => true,
- 'forwarded_client_cert' => 'forward_only'
- })
+ 'client_cert' => true,
+ 'forwarded_client_cert' => 'forward_only'
+ })
 end
 
 it 'deletes mTLS headers when mTLS is not used' do
@@ -210,6 +212,7 @@
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN if ! { ssl_c_used }')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN if ! { ssl_c_used }')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }')
+ expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }')
 end
@@ -230,6 +233,7 @@
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
+ expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
 end
@@ -252,6 +256,7 @@
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
+ expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
 end
@@ -298,6 +303,7 @@
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN if !route_service_request')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN if !route_service_request')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
+ expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
 end
@@ -310,9 +316,9 @@
 context 'when mutual TLS is enabled' do
 let(:properties) do
 default_properties.merge({
- 'client_cert' => true,
- 'forwarded_client_cert' => 'forward_only_if_route_service'
- })
+ 'client_cert' => true,
+ 'forwarded_client_cert' => 'forward_only_if_route_service'
+ })
 end
 
 it 'deletes mTLS headers for non-route service requests (for mTLS and non-mTLS)' do
@@ -324,6 +330,7 @@
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-DN if !route_service_request')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Subject-CN if !route_service_request')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
+ expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
 expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
 end
@@ -344,10 +351,10 @@
 context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
 let(:properties) do
 default_properties.merge({
- 'client_cert' => true,
- 'forwarded_client_cert' => 'forward_only_if_route_service',
- 'legacy_xfcc_header_mapping' => true
- })
+ 'client_cert' => true,
+ 'forwarded_client_cert' => 'forward_only_if_route_service',
+ 'legacy_xfcc_header_mapping' => true
+ })
 end
 
 it 'overwrites mTLS headers without base64 encoding when mTLS is used' do
@@ -438,10 +445,10 @@
 context 'when HTTP1 and HTTP2 backend servers are available' do
 let(:properties) do
 default_properties.merge({
- 'disable_backend_http2_websockets' => true,
- 'enable_http2' => true,
- 'backend_ssl' => 'verify'
- })
+ 'disable_backend_http2_websockets' => true,
+ 'enable_http2' => true,
+ 'backend_ssl' => 'verify'
+ })
 end
 
 it 'uses the HTTP2 backend default backend' do
@@ -452,11 +459,11 @@
 context 'when only HTTP2 backend servers are available' do
 let(:properties) do
 default_properties.merge({
- 'disable_backend_http2_websockets' => false,
- 'enable_http2' => true,
- 'backend_match_http_protocol' => false,
- 'backend_ssl' => 'verify'
- })
+ 'disable_backend_http2_websockets' => false,
+ 'enable_http2' => true,
+ 'backend_match_http_protocol' => false,
+ 'backend_ssl' => 'verify'
+ })
 end
 
 it 'uses the HTTP2 backend default backend' do
@@ -481,9 +488,9 @@
 context('when backend_ssl is off') do
 let(:properties) do
 default_properties.merge({
- 'backend_match_http_protocol' => true,
- 'backend_ssl' => 'off'
- })
+ 'backend_match_http_protocol' => true,
+ 'backend_ssl' => 'off'
+ })
 end
 
 it 'does not override the default backend' do
@@ -495,17 +502,17 @@
 context 'when ha_proxy.http_request_deny_conditions are provided' do
 let(:properties) do
 default_properties.merge({
- 'http_request_deny_conditions' => [{
- 'condition' => [{
- 'acl_name' => 'block_host',
- 'acl_rule' => 'hdr_beg(host) -i login'
- }, {
- 'acl_name' => 'whitelist_ips',
- 'acl_rule' => 'src 5.22.5.11 5.22.5.12',
- 'negate' => true
- }]
- }]
- })
+ 'http_request_deny_conditions' => [{
+ 'condition' => [{
+ 'acl_name' => 'block_host',
+ 'acl_rule' => 'hdr_beg(host) -i login'
+ }, {
+ 'acl_name' => 'whitelist_ips',
+ 'acl_rule' => 'src 5.22.5.11 5.22.5.12',
+ 'negate' => true
+ }]
+ }]
+ })
 end
 
 it 'adds the correct acls and http-request deny rules' do
@@ -595,13 +602,13 @@
 context 'when ha_proxy.routed_backend_servers are provided' do
 let(:properties) do
 default_properties.merge({
- 'routed_backend_servers' => {
- '/images' => {
- 'port' => 12_000,
- 'servers' => ['10.0.0.1']
- }
- }
- })
+ 'routed_backend_servers' => {
+ '/images' => {
+ 'port' => 12_000,
+ 'servers' => ['10.0.0.1']
+ }
+ }
+ })
 end
 
 it 'grants access to the backend servers' do
@@ -612,12 +619,12 @@
 context 'when a routed_backend_server contains additional_acls' do
 let(:properties) do
 super().deep_merge({
- 'routed_backend_servers' => {
- '/images' => {
- 'additional_acls' => ['method GET', 'path_end /foo']
- }
- }
- })
+ 'routed_backend_servers' => {
+ '/images' => {
+ 'additional_acls' => ['method GET', 'path_end /foo']
+ }
+ }
+ })
 end
 
 it 'includes additional acls' do