enable TLS client forwarding #1446
Conversation
server.go
Outdated
| return nil, err | ||
| } | ||
| ok := pool.AppendCertsFromPEM(data) | ||
| if !ok { |
There was a problem hiding this comment.
I suppose this can be merged with the previous line and simplified like
if !pool.AppendCertsFromPEM(data) {
server.go
Outdated
| } | ||
| } | ||
| config.RootCAs = pool | ||
| //config.ClientAuth = tls.RequireAndVerifyClientCert |
server.go
Outdated
| if frontend.PassTLSCert { | ||
| tlsConfig, err = createClientTLSConfig(entryPoint.TLS) | ||
| if err != nil { | ||
| log.Errorf("failed to create TLS config %s: %v", frontendName, err) |
There was a problem hiding this comment.
Please capitalize the first letter of the log message.
server.go
Outdated
| if frontend.PassTLSCert { | ||
| tlsConfig, err = createClientTLSConfig(entryPoint.TLS) | ||
| if err != nil { | ||
| log.Errorf("failed to create TLS config %s: %v", frontendName, err) |
There was a problem hiding this comment.
s/config/config for frontend/
server.go
Outdated
| @@ -418,6 +418,35 @@ func (server *Server) listenSignals() { | |||
| server.Stop() | |||
| } | |||
|
|
|||
| func createClientTLSConfig(tlsOption *TLS) (*tls.Config, error) { | |||
| if tlsOption == nil { | |||
| return nil, errors.New("no TLS provided") | |||
There was a problem hiding this comment.
IIUC, then we only hit this case if no TLS was configured on the entry point.
Could we handle this error further up the stack, e.g., in loadConfig?
There was a problem hiding this comment.
since it's a pointer, a tlsOption(nil) will panic. It should really be checked prior to access
ldez
added
contributor/waiting-for-corrections
priority/P1
ldez
added
status/2-needs-review
and removed
priority/P1
|
Ping @drewwells ? |
|
there were some non-trivial changes to server.go, not sure I will get these conflicts merged correctly. |
|
would it be enough to simply forward the subject of the certificate... i did a pull request for the underlying proxy library to enable this |
|
@timoreimann do you validate this PR finally (even with the conflict)? |
ldez
added
kind/enhancement
|
Any time frame for merge? |
|
@zyclonite that MR turns off SSL verification |
|
This MR conflicts again, is there any interest in supporting this feature? We have moved on and no longer use Traefik b/c this feature was missing. |
|
@drewwells @samgurtman sorry if it takes some time. We are a small team, half of the maintainers team does this on his spare time. We will merge it for sure, but be patient. |
|
Ping @timoreimann |
|
@emilevauge I approved a few days ago. Your LGTM is still missing. 😀 |
|
@timoreimann oops, sorry. Was looking from my mobile phone, and reviews are not visible 😊 |
emilevauge
added
contributor/needs-resolve-conflicts
status/3-needs-merge
and removed
status/2-needs-review
labels
emilevauge
force-pushed
the
forwardclient
branch
from
9291994
to
34c9024
Compare
|
Closing & reopening to enable Semaphore CI |
Copys the incoming TLS client certificate to the outgoing request. The backend can then use this certificate for client authentication ie. k8s client cert authentication
emilevauge
force-pushed
the
forwardclient
branch
from
34c9024
to
22a4433
Compare
|
Great, thanks!
…On Sun, Jun 11, 2017 at 8:24 AM Ludovic Fernandez ***@***.***> wrote:
Merged #1446 <#1446>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1446 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAOmE85fX_i27sP-B_L0U-pok5EN12yGks5sC-qTgaJpZM4M_P_F>
.
|
|
Fantastic! Thanks for this! We can fully transition to Traefik now. |
|
I'm trying this on Docker Swarm with a build off of master, but adding the label "traefik.frontend.passTLSCert=true" has no effect. Is this to be expected? |
|
@samgurtman, in fact, @drewwells didn't add any label in this PR. We would love if you could help us on this in a new PR ❤️ |
|
Could you point me to an example of an existing label implementation I can base it off of? I don't have any Go experience so that may be a problem. |
|
@samgurtman you can have a look at |
|
Well originally this was a POC, but it took months to get the code merged. Maybe somebody with write access can add the other labels. Unless you want labels sometime in September :) |
Maintainers (who have write access) are also making PR and it can take some time to get merged. We are a small team dealing with many contributions. We prefer carefully reviewing every PR than merging on the hoof. And by the way, you were not that responsive either ! |
|
So I added the label handling for docker, and I can confirm the passTLSCert stuff is being triggered, but I see no effects in the headers passed to my downstream server. Has this been smoke tested, and can someone confirm it is actually working with traefik.toml configuration? |
|
This PR is merged. Please open a new issue or discuss this in :
|
|
Ok, I guess I won't contribute a PR then if you can't confirm whether this existing PR actually has any effect. |
|
@samgurtman we just asked you to come discuss we us somewhere else as this PR is closed. If you think there may be an issue on this, we would love to hear you on Slack instead. |
|
I have indeed posted on slack already. I'd love to here from you there.
…On 22/06/2017 9:10 PM, "Emile Vauge" ***@***.***> wrote:
@samgurtman <https://github.com/samgurtman> we just asked you to come
discuss we us somewhere else as this PR is closed. If you think there may
be an issue on this, we would love to hear you on Slack instead.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1446 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGIKX4mgVQZktgXVM_VOZkYO2ElFExZWks5sGi-SgaJpZM4M_P_F>
.
|
|
Pretty confused about how I find out if this issue is resolved, or rather, how to implement the resolution, and by traefik documentation in general, tbh. |
|
Thank you for your support ! 👍 |
|
I'm also confused if this suppose to work.
|
Thanks for your interest in Traefik 😃 This issue PR closed. Please open a new issue or discuss this in :
|
Copys the incoming TLS client certificate to the outgoing
request. The backend can then use this certificate for
client authentication ie. k8s client cert authentication
fixes #1392