caddy-frontend: Fully control slave information to nodes

Instead of dropping some keys (easy to implement, impossible to test and easy to leak) create whitelist of passed keys of slaves to the nodes. Then if there are new keys in slave's connection parameters the nodes are protected against being polluted with them.

caddy-frontend: Fully control slave information to nodes
Instead of dropping some keys (easy to implement, impossible to test and easy to leak) create whitelist of passed keys of slaves to the nodes. Then if there are new keys in slave's connection parameters the nodes are protected against being polluted with them.
94604880 · Łukasz Nowak · 1b978118 · 94604880 · 94604880
Commit 94604880 authored Apr 26, 2022 by Łukasz Nowak
Showing with 67 additions and 6 deletions

software/caddy-frontend/buildout.hash.cfg software/caddy-frontend/buildout.hash.cfg +1 -1

software/caddy-frontend/instance-apache-replicate.cfg.in software/caddy-frontend/instance-apache-replicate.cfg.in +66 -5

No files found.
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -26,7 +26,7 @@ md5sum = 02ce5d44d49982fda598e3086cfbca99

 [profile-caddy-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 4c0d7f947d52d594987c2544b65c92e1
+md5sum = 57388e76c7e61b3d7213df8aac0b407d

 [profile-slave-list]
 _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in

--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
 {% set aibcc_enabled = True %}
 {% import "caucase" as caucase with context %}
-{#- SERVER_POLLUTED_KEY_LIST is a list of keys which comes from various SlapOS Master implementations, which mix request and publish keys on each slave information -#}
-{%- set SERVER_POLLUTED_KEY_LIST = ['connection-parameter-hash', 'timestamp', 'slave_title', 'slap_software_type'] -%}
 {%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
 {%- set GOOD_CIPHER_LIST = ['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-AES256-CBC-SHA', 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-ECDSA-AES256-CBC-SHA', 'ECDHE-ECDSA-AES128-CBC-SHA', 'RSA-AES256-CBC-SHA', 'RSA-AES128-CBC-SHA', 'ECDHE-RSA-3DES-EDE-CBC-SHA', 'RSA-3DES-EDE-CBC-SHA'] %}
 {#- Allow to pass only some parameters to frontend nodes #}
@@ -22,6 +20,66 @@
        'authenticate-to-backend',
    ]
 %}
+{#- SlapOS Master (but not slapproxy!) merges slave's instance and connection parameters, so the slave information passed to nodes have to be limited only to instance related keys #}
+{#- Note: As a result, this feature is very hard to be tested with slapproxy, as it does not pollute the slave information, this kind of whitelist is implemented #}
+{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_SCHEMA = [
+      'authenticate-to-backend',
+      'backend-connect-retries',
+      'backend-connect-timeout',
+      'ciphers',
+      'custom_domain',
+      'default-path',
+      'disable-no-cache-request',
+      'disable-via-header',
+      'disabled-cookie-list',
+      'enable-http2',
+      'enable_cache',
+      'health-check',
+      'health-check-authenticate-to-failover-backend',
+      'health-check-failover-https-url',
+      'health-check-failover-https-url-netloc-list',
+      'health-check-failover-ssl-proxy-ca-crt',
+      'health-check-failover-ssl-proxy-verify',
+      'health-check-failover-url',
+      'health-check-failover-url-netloc-list',
+      'health-check-fall',
+      'health-check-http-method',
+      'health-check-http-path',
+      'health-check-http-version',
+      'health-check-interval',
+      'health-check-rise',
+      'health-check-timeout',
+      'https-only',
+      'https-url',
+      'https-url-netloc-list',
+      'monitor-ipv4-test',
+      'monitor-ipv6-test',
+      'path',
+      'prefer-gzip-encoding-to-backend',
+      'request-timeout',
+      'server-alias',
+      'ssl-proxy-verify',
+      'ssl_ca_crt',
+      'ssl_crt',
+      'ssl_key',
+      'ssl_proxy_ca_crt',
+      'strict-transport-security',
+      'strict-transport-security-preload',
+      'strict-transport-security-sub-domains',
+      'type',
+      'url',
+      'url-netloc-list',
+      'virtualhostroot-http-port',
+      'virtualhostroot-https-port',
+      'websocket-path-list',
+      'websocket-transparent',
+    ]
+%}
+{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_INTERNAL = [
+      'slave_reference',
+    ]
+%}
+{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST = FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_SCHEMA + FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_INTERNAL %}
 {% set aikc_enabled = slapparameter_dict.get('automatic-internal-kedifa-caucase-csr', 'true').lower() in TRUE_VALUES %}
 {% set aibcc_enabled = slapparameter_dict.get('automatic-internal-backend-client-caucase-csr', 'true').lower() in TRUE_VALUES %}
 {# Ports 8401, 8402 and 8410+1..N are reserved for monitor ports on various partitions #}
@@ -258,9 +316,12 @@ context =
 {%   endif %}
 {%   if len(slave_error_list) == 0 %}
 {#   Cleanup slave from not needed keys which come from implementation of SlapOS Master #}
-{%     set authorized_slave = slave.copy() %}
-{%     for key in SERVER_POLLUTED_KEY_LIST %}
-{%       do authorized_slave.pop(key, None) %}
+{#   Send only controlled information about the slave to node #}
+{%     set authorized_slave = {} %}
+{%     for key in FRONTEND_NODE_SLAVE_PASSED_KEY_LIST + FRONTEND_NODE_SLAVE_PASSED_KEY_LIST %}
+{%       if key in slave %}
+{%         do authorized_slave.__setitem__(key, slave[key]) %}
+{%       endif %}
 {%     endfor %}
 {%     do authorized_slave_list.append(authorized_slave) %}
 {%   else %}