Commit 92871951 authored by Łukasz Nowak's avatar Łukasz Nowak

stack/erp5: Prepare for trusted frontend SSL Auth

The Remote-User header shall be trusted only if it comes from a trusted frontend.
parent 236f0f6f
......@@ -94,7 +94,7 @@ md5sum = c6c1b3e4b2f3c6f256153dcfe9fbecad
[template-haproxy-cfg]
filename = haproxy.cfg.in
md5sum = 3f4f7e49c504cbf610fc5dc462713dfc
md5sum = 57e97921dab17d74a70adff2d92887c7
[template-rsyslogd-cfg]
filename = rsyslogd.cfg.in
......
......@@ -165,9 +165,16 @@ listen family_{{ name }}
# remove X-Forwarded-For unless client presented a verified certificate
acl client_cert_verified ssl_c_used ssl_c_verify 0
http-request del-header X-Forwarded-For unless client_cert_verified
# set Remote-User if client presented a verified certificate
http-request del-header Remote-User
http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if client_cert_verified
# Keep Remote-User if client is trusted (present a verified certificate).
# the client here might be a frontend, which does it's own way to obtain the
# Remote-User value, eg. by verifying it's client with SSL certificate
# *This* haproxy is not a frontend, and it uses client verification on
# machine-to-machine level
# Note: This is change for future compatibility, when so called SSL Edge
# Authentication will be implemented in the frontend and accepted
# fully by a backend. Maybe more headers will be provided by the
# frontend then, so they shall be "del-header <SOME-HEADER> unless"
http-request del-header Remote-User unless client_cert_verified
# logs
capture request header Referer len 512
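Review bot: The new rule `http-request del-header Remote-User unless client_cert_verified` passes through whatever Remote-User any client with a verified certificate sends, so identity is no longer bound to the certificate as it was with the removed `http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if client_cert_verified` line — every machine-level peer that passes the client-cert check, not only the intended frontend, can now assert an arbitrary user. If the intent is to trust only the frontend, restrict the pass-through to its certificate identity, e.g. `acl trusted_frontend ssl_c_s_dn(cn) -m str <frontend-cn>`, `http-request del-header Remote-User unless client_cert_verified trusted_frontend` and `http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if client_cert_verified !trusted_frontend`; the exact matching (CN list or a dedicated CA file) depends on how the frontend's certificate is issued, which this hunk does not show. Note also that any verified non-frontend client that relied on the CN-derived Remote-User loses that header with this change, which the commit message does not mention. The enclosing `listen family_{{ name }}` section starts before this hunk and continues past it, and the hunk's trailing context line appears to be cut off here.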
......