Commit 94604880 authored by Łukasz Nowak's avatar Łukasz Nowak

caddy-frontend: Fully control slave information to nodes

Instead of dropping some keys (easy to implement, impossible to test and easy
to leak) create whitelist of passed keys of slaves to the nodes.

Then if there are new keys in slave's connection parameters the nodes are
protected against being polluted with them.
parent 1b978118
Pipeline #21275 failed with stage
in 0 seconds
...@@ -26,7 +26,7 @@ md5sum = 02ce5d44d49982fda598e3086cfbca99 ...@@ -26,7 +26,7 @@ md5sum = 02ce5d44d49982fda598e3086cfbca99
[profile-caddy-replicate] [profile-caddy-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
md5sum = 4c0d7f947d52d594987c2544b65c92e1 md5sum = 57388e76c7e61b3d7213df8aac0b407d
[profile-slave-list] [profile-slave-list]
_update_hash_filename_ = templates/apache-custom-slave-list.cfg.in _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
......
{% set aibcc_enabled = True %} {% set aibcc_enabled = True %}
{% import "caucase" as caucase with context %} {% import "caucase" as caucase with context %}
{#- SERVER_POLLUTED_KEY_LIST is a list of keys which comes from various SlapOS Master implementations, which mix request and publish keys on each slave information -#}
{%- set SERVER_POLLUTED_KEY_LIST = ['connection-parameter-hash', 'timestamp', 'slave_title', 'slap_software_type'] -%}
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%} {%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{%- set GOOD_CIPHER_LIST = ['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-AES256-CBC-SHA', 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-ECDSA-AES256-CBC-SHA', 'ECDHE-ECDSA-AES128-CBC-SHA', 'RSA-AES256-CBC-SHA', 'RSA-AES128-CBC-SHA', 'ECDHE-RSA-3DES-EDE-CBC-SHA', 'RSA-3DES-EDE-CBC-SHA'] %} {%- set GOOD_CIPHER_LIST = ['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-AES256-CBC-SHA', 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-ECDSA-AES256-CBC-SHA', 'ECDHE-ECDSA-AES128-CBC-SHA', 'RSA-AES256-CBC-SHA', 'RSA-AES128-CBC-SHA', 'ECDHE-RSA-3DES-EDE-CBC-SHA', 'RSA-3DES-EDE-CBC-SHA'] %}
{#- Allow to pass only some parameters to frontend nodes #} {#- Allow to pass only some parameters to frontend nodes #}
...@@ -22,6 +20,66 @@ ...@@ -22,6 +20,66 @@
'authenticate-to-backend', 'authenticate-to-backend',
] ]
%} %}
{#- SlapOS Master (but not slapproxy!) merges slave's instance and connection parameters, so the slave information passed to nodes have to be limited only to instance related keys #}
{#- Note: As a result, this feature is very hard to be tested with slapproxy, as it does not pollute the slave information, this kind of whitelist is implemented #}
{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_SCHEMA = [
'authenticate-to-backend',
'backend-connect-retries',
'backend-connect-timeout',
'ciphers',
'custom_domain',
'default-path',
'disable-no-cache-request',
'disable-via-header',
'disabled-cookie-list',
'enable-http2',
'enable_cache',
'health-check',
'health-check-authenticate-to-failover-backend',
'health-check-failover-https-url',
'health-check-failover-https-url-netloc-list',
'health-check-failover-ssl-proxy-ca-crt',
'health-check-failover-ssl-proxy-verify',
'health-check-failover-url',
'health-check-failover-url-netloc-list',
'health-check-fall',
'health-check-http-method',
'health-check-http-path',
'health-check-http-version',
'health-check-interval',
'health-check-rise',
'health-check-timeout',
'https-only',
'https-url',
'https-url-netloc-list',
'monitor-ipv4-test',
'monitor-ipv6-test',
'path',
'prefer-gzip-encoding-to-backend',
'request-timeout',
'server-alias',
'ssl-proxy-verify',
'ssl_ca_crt',
'ssl_crt',
'ssl_key',
'ssl_proxy_ca_crt',
'strict-transport-security',
'strict-transport-security-preload',
'strict-transport-security-sub-domains',
'type',
'url',
'url-netloc-list',
'virtualhostroot-http-port',
'virtualhostroot-https-port',
'websocket-path-list',
'websocket-transparent',
]
%}
{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_INTERNAL = [
'slave_reference',
]
%}
{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST = FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_SCHEMA + FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_INTERNAL %}
{% set aikc_enabled = slapparameter_dict.get('automatic-internal-kedifa-caucase-csr', 'true').lower() in TRUE_VALUES %} {% set aikc_enabled = slapparameter_dict.get('automatic-internal-kedifa-caucase-csr', 'true').lower() in TRUE_VALUES %}
{% set aibcc_enabled = slapparameter_dict.get('automatic-internal-backend-client-caucase-csr', 'true').lower() in TRUE_VALUES %} {% set aibcc_enabled = slapparameter_dict.get('automatic-internal-backend-client-caucase-csr', 'true').lower() in TRUE_VALUES %}
{# Ports 8401, 8402 and 8410+1..N are reserved for monitor ports on various partitions #} {# Ports 8401, 8402 and 8410+1..N are reserved for monitor ports on various partitions #}
...@@ -258,9 +316,12 @@ context = ...@@ -258,9 +316,12 @@ context =
{% endif %} {% endif %}
{% if len(slave_error_list) == 0 %} {% if len(slave_error_list) == 0 %}
{# Cleanup slave from not needed keys which come from implementation of SlapOS Master #} {# Cleanup slave from not needed keys which come from implementation of SlapOS Master #}
{% set authorized_slave = slave.copy() %} {# Send only controlled information about the slave to node #}
{% for key in SERVER_POLLUTED_KEY_LIST %} {% set authorized_slave = {} %}
{% do authorized_slave.pop(key, None) %} {% for key in FRONTEND_NODE_SLAVE_PASSED_KEY_LIST + FRONTEND_NODE_SLAVE_PASSED_KEY_LIST %}
{% if key in slave %}
{% do authorized_slave.__setitem__(key, slave[key]) %}
{% endif %}
{% endfor %} {% endfor %}
{% do authorized_slave_list.append(authorized_slave) %} {% do authorized_slave_list.append(authorized_slave) %}
{% else %} {% else %}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment