Pass the TLS Cert infos in headers #3826
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ldez
added
area/provider/kv
and removed
area/provider/consul
status/2-needs-review
labels
Co-authored-by: Julien Salleyron <[email protected]>
Co-authored-by: Julien Salleyron <[email protected]>
Co-authored-by: Julien Salleyron <[email protected]>
Co-authored-by: Julien Salleyron <[email protected]>
Co-authored-by: Julien Salleyron <[email protected]>
jbdoumenjou
force-pushed
the
hotfix/clientTLSInfos
branch
from
6c810d1
to
7472ab7
Compare
mmatur
requested changes
Aug 28, 2018
| @@ -0,0 +1,112 @@ | |||
| logLevel = "DEBUG" | |||
mmatur
requested changes
Aug 28, 2018
middlewares/tlsClientHeaders_test.go
Outdated
| for _, certContent := range certContents { | ||
| peerCertificates = append(peerCertificates, getCertificate(certContent)) | ||
| } | ||
| return &tls.ConnectionState{PeerCertificates: peerCertificates} |
There was a problem hiding this comment.
Could you please add a new line before?
middlewares/tlsClientHeaders_test.go
Outdated
| test := test | ||
| t.Run(test.desc, func(t *testing.T) { | ||
| t.Parallel() | ||
| require.Equal(t, test.expected, sanitize(test.toSanitize), "The sanitized certificates should be equal") |
There was a problem hiding this comment.
Could you please add a new line before ?
middlewares/tlsClientHeaders_test.go
Outdated
| } | ||
|
|
||
| for _, test := range testCases { | ||
|
|
middlewares/tlsClientHeaders_test.go
Outdated
| for _, test := range testCases { | ||
|
|
||
| sans := getSANs(test.cert) | ||
| test := test |
There was a problem hiding this comment.
Could you please add a new line before ?
middlewares/tlsClientHeaders_test.go
Outdated
| func TestTlsClientheadersWithCertInfos(t *testing.T) { | ||
| minimalCertAllInfos := `Subject="C=FR,ST=Some-State,O=Internet Widgits Pty Ltd",NB=1531902496,NA=1534494496,SAN=` | ||
| completeCertAllInfos := `Subject="C=FR,ST=SomeState,L=Toulouse,O=Cheese,CN=*.cheese.org",NB=1531900816,NA=1563436816,SAN=*.cheese.org,*.cheese.net,cheese.in,[email protected],[email protected],10.0.1.0,10.0.1.2` | ||
| testCases := []struct { |
There was a problem hiding this comment.
Could you please add a new line before ?
provider/label/partial.go
Outdated
| @@ -60,6 +60,39 @@ func GetRedirect(labels map[string]string) *types.Redirect { | |||
| return nil | |||
| } | |||
|
|
|||
| // GetTLSClientCert create tls client header configuration from labels | |||
There was a problem hiding this comment.
// GetTLSClientCert creates TLS client header configuration from labels instead of // GetTLSClientCert create tls client header configuration from labels
server/server_loadbalancer.go
Outdated
| @@ -314,7 +313,8 @@ func createClientTLSConfig(entryPointName string, tlsOption *traefiktls.TLS) (*t | |||
| if len(tlsOption.ClientCA.Files) > 0 { | |||
| pool := x509.NewCertPool() | |||
| for _, caFile := range tlsOption.ClientCA.Files { | |||
| data, err := ioutil.ReadFile(caFile) | |||
|
|
|||
There was a problem hiding this comment.
Could you remove this line please
types/types.go
Outdated
| Sans bool `description:"Add Sans info in header" json:"sans"` | ||
| } | ||
|
|
||
| // TLSCLientCertificateSubjectInfos holds the client tls certificate subject infos configuration |
types/types.go
Outdated
| Infos *TLSClientCertificateInfos `description:"Enable header with configured client cert infos" json:"infos,omitempty"` | ||
| } | ||
|
|
||
| // TLSClientCertificateInfos holds the client tls certificate infos configuration |
types/types.go
Outdated
| @@ -611,3 +612,27 @@ func (h HTTPCodeRanges) Contains(statusCode int) bool { | |||
| } | |||
| return false | |||
| } | |||
|
|
|||
| // TLSClientHeaders holds the tls client cert headers configuration. | |||
dduportal
previously requested changes
Aug 28, 2018
| @@ -19,7 +19,7 @@ Træfik can be configured to use Docker as a provider. | |||
| # | |||
| endpoint = "unix:///var/run/docker.sock" | |||
|
|
|||
| # Default base domain used for the frontend rules. | |||
| # Default domain used. | |||
There was a problem hiding this comment.
This line sounds like a forgotten diff when rebasing (it comes from #3797 ). Can you keep it ?
jbdoumenjou
force-pushed
the
hotfix/clientTLSInfos
branch
2 times, most recently
from
3644792
to
aa15e8d
Compare
dduportal
dismissed
their stale review
Splitting to another PR for doc rebase issues
jbdoumenjou
force-pushed
the
hotfix/clientTLSInfos
branch
from
aa15e8d
to
497b1d4
Compare
nmengin
approved these changes
Aug 29, 2018
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Add a specific option to pass ssl client infos in two specifics headers :
X-Forwarded-Ssl-Client-Certheader contains the escaped pemX-Forwarded-Ssl-Client-Cert-Infoscontains the escaped selected informationsThe options are available in the following providers:
Motivation
Fix the #3052
More
Additional Notes
To test efficiency the client CA files can now be a list of files or contents