[v11] Validate proxy peer identity #23507

rosstimothy · 2023-03-23T13:34:18Z

Backport #23392 to branch/v11

Closes #23230 Proxy peer clients now validate that any connections established to a peer have the expected UUID. This prevents clients from connecting to incorrect peers if the `peer_public_addr` is shared by multiple proxies, or is a load balancer. In the event that a connection is established to an incorrect peer the connection is closed and a error is written to the logs. The gRPC connection should be attempted multiple times and eventually land on the correct peer. However there may be some degradation of service until the peer connections are all properly established.

rosstimothy added the backport label Mar 23, 2023

rosstimothy marked this pull request as ready for review March 23, 2023 14:43

github-actions bot requested review from fspmarshall, GavinFrazar and zmb3 March 23, 2023 14:43

github-actions bot added the size/md label Mar 23, 2023

zmb3 approved these changes Mar 23, 2023

View reviewed changes

GavinFrazar approved these changes Mar 23, 2023

View reviewed changes

public-teleport-github-review-bot bot removed the request for review from fspmarshall March 23, 2023 17:46

rosstimothy added this pull request to the merge queue Mar 23, 2023

Merged via the queue into branch/v11 with commit 45ab93c Mar 23, 2023
20 checks passed

rosstimothy deleted the bot/backport-23392-branch/v11 branch March 23, 2023 20:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[v11] Validate proxy peer identity #23507

[v11] Validate proxy peer identity #23507

rosstimothy commented Mar 23, 2023

[v11] Validate proxy peer identity #23507

[v11] Validate proxy peer identity #23507

Conversation

rosstimothy commented Mar 23, 2023