Clear TLS client headers if TLSMutualAuth is optional #4963
Conversation
Hi @stffabi, thanks for your interest in the project. Your pull request description seems confusing to me. Is that what you want?
Hi @jbdoumenjou, thanks for your reply. It should prevent that an incoming request which has the Assuming an entrypoint with the following config, More precisely it won't touch the request. Let's assume the incoming request already had the One could discuss if the headers should always be removed, even if e.g.
It is a good point to avoid someone sending an unwanted passTLSClientCert header to the backend. Anyway, I totally agree with the need for the PR and change the status accordingly.
It makes perfect sense to remove the headers from untrusted sources if passTLSClientCert is not set.
The header rewriter middleware comes after all other middlewares, so the current implementation removes the header even if the tlsClientHeaders middleware has added it before. @jbdoumenjou any idea what would be the best way to handle this? Isn't that also a problem for the forwardAuth middleware? If forwardAuth has the flag
You're right. Finally, we can consider that the last modification solves an edge case and it's not worth the cost.
I've removed the changes from the rewriter middleware, the PR is now ready for another review. Traefik 2.0 has the "rewriter middleware" (forwarded_header middleware) as one of the first middlewares defined in the chain. So we could implement the logic for 2.0. If you are interested I could open another PR for the change in 2.0.
LGTM
If no client peer certificates could be found always clear the headers so no request could pass them to backends, e.g. if TLSMutualAuth is optional.
We were discussing the PR when we realized a misconception on the middleware.
Thanks 👍
Glad I could help 😄
LGTM
What does this PR do?
If no client peer certificates could be found always clear the headers so no request could pass them to backends, e.g. if TLSMutualAuth is optional.
Motivation
Using an optional TLSMutualAuth we've seen that clients could pass the headers into the request, and the final request to the backend may look like it has been TLS mutually authenticated.
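The failure mode the PR describes, as an added example that is not Traefik's own code: a Go `net/http` middleware that first deletes any client-supplied `X-Forwarded-Tls-Client-Cert*` headers and only then re-adds the certificate header when the TLS connection actually carried a peer certificate. The header names and the `ForgedRequest`/`AuthenticatedRequest` helpers are assumptions made for this example (Traefik's passTLSClientCert middleware uses similarly named headers), and the certificate bytes are constructed placeholders rather than real DER.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header names assumed for this example (Traefik's passTLSClientCert
// middleware sets similarly named X-Forwarded-Tls-Client-Cert* headers).
const (
	HeaderCert      = "X-Forwarded-Tls-Client-Cert"
	HeaderCertInfos = "X-Forwarded-Tls-Client-Cert-Infos"
)

// TLSClientHeaders strips any client-supplied client-cert headers
// unconditionally, then sets the cert header only when the TLS layer
// actually verified a peer certificate. Deleting first, inside the same
// handler, avoids the ordering problem of a separate "rewriter" middleware
// that could remove a header another middleware had legitimately added.
func TLSClientHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Never trust these from the wire: on an entrypoint where mTLS is
		// optional, a client without a certificate can still send them.
		r.Header.Del(HeaderCert)
		r.Header.Del(HeaderCertInfos)

		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
			// Only now is the header backed by a real handshake.
			leaf := r.TLS.PeerCertificates[0]
			r.Header.Set(HeaderCert, base64.StdEncoding.EncodeToString(leaf.Raw))
		}
		next.ServeHTTP(w, r)
	})
}

// HeaderSeenByBackend runs req through the middleware and returns the
// X-Forwarded-Tls-Client-Cert value the backend receives ("" if absent).
func HeaderSeenByBackend(req *http.Request) string {
	var seen string
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get(HeaderCert)
	})
	TLSClientHeaders(backend).ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

// ForgedRequest models a client on an entrypoint with optional mTLS that
// presents no certificate but injects the header itself (constructed input).
func ForgedRequest() *http.Request {
	req := httptest.NewRequest(http.MethodGet, "https://example.test/", nil)
	req.TLS = &tls.ConnectionState{} // TLS session, but no PeerCertificates
	req.Header.Set(HeaderCert, base64.StdEncoding.EncodeToString([]byte("attacker-cert")))
	req.Header.Set(HeaderCertInfos, `Subject="CN=admin"`)
	return req
}

// AuthenticatedRequest models a client that did present a certificate and
// also tries to smuggle a different value in the header (constructed input;
// Raw holds placeholder bytes, not real DER).
func AuthenticatedRequest() *http.Request {
	req := httptest.NewRequest(http.MethodGet, "https://example.test/", nil)
	req.TLS = &tls.ConnectionState{
		PeerCertificates: []*x509.Certificate{{Raw: []byte("real-cert-der")}},
	}
	req.Header.Set(HeaderCert, "client-supplied-value-must-be-replaced")
	return req
}

func main() {
	fmt.Printf("forged request, backend sees: %q\n", HeaderSeenByBackend(ForgedRequest()))
	fmt.Printf("authenticated request, backend sees: %q\n", HeaderSeenByBackend(AuthenticatedRequest()))
}
```

The important property is that the backend can only ever see a header value derived from `r.TLS.PeerCertificates`; whatever the client put on the wire is discarded whether or not it presented a certificate.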