stack/erp5: Prepare for trusted frontend SSL Auth

Remote-User header shall be trusted if comes from trusted frontend.

stack/erp5/buildout.hash.cfg

@@ -94,7 +94,7 @@ md5sum = c6c1b3e4b2f3c6f256153dcfe9fbecad
 
 [template-haproxy-cfg]
 filename = haproxy.cfg.in
-md5sum = 3f4f7e49c504cbf610fc5dc462713dfc
+md5sum = 57e97921dab17d74a70adff2d92887c7
 
 [template-rsyslogd-cfg]
 filename = rsyslogd.cfg.in

stack/erp5/haproxy.cfg.in

@@ -165,9 +165,16 @@ listen family_{{ name }}
   # remove X-Forwarded-For unless client presented a verified certificate
   acl client_cert_verified ssl_c_used ssl_c_verify 0
   http-request del-header X-Forwarded-For unless client_cert_verified
-  # set Remote-User if client presented a verified certificate
-  http-request del-header Remote-User
-  http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if client_cert_verified
+  # Keep Remote-User if client is trusted (present a verified certificate).
+  # the client here might be a frontend, which does it's own way to obtain the
+  # Remote-User value, eg. by verifying it's client with SSL certificate
+  # *This* haproxy is not a frontend, and it uses client verification on
+  # machine-to-machine level
+  # Note: This is change for future compatibility, when so called SSL Edge
+  #       Authentication will be implemented in the frontend and accepted
+  #       fully by a backend. Maybe more headers will be provided by the
+  #       frontend then, so they shall be "del-header <SOME-HEADER> unless"
+  http-request del-header Remote-User unless client_cert_verified
 
   # logs
   capture request header Referer len 512