Puppet Server issue SERVER-3113

Client cert authentication for allow-header-cert-info


    Details

    • Type: Improvement
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Puppet Server
    • Environment: Puppet FOSS 6 w/ multiple compile masters and HAproxy w/ TCP load balancing.

    • QA Risk Assessment:
      Needs Assessment

      Description

      Problem: The External SSL Termination documentation goes to lengths to suggest that allow-header-cert-info: true is dangerous, but it seems like it should be an easy fix.

      Given: Some of the most common proxies (HAproxy, nginx, Apache and probably others) can be configured to present client certificates to HTTPS-enabled backend servers.

      Proposal: When allow-header-cert-info: true, use TLS certificate-based authentication to accept the x-client-* headers only from trusted proxies.

      Diagram: Something roughly like the following, where the "authorize" step is the new feature.

      Though I have drawn the "authorize" step here at Jetty, it could likely also be done at the TrapperKeeper auth middleware.

      Notes:
      Somewhere in here maybe?  (Sorry, not a TK/Clojure expert.)

      Flexible implementation:
      Perhaps it makes sense to even re-use the rules functionality. I can see two ways to go about it in auth.conf.

      1. Add a new parameter, maybe allow-header-cert-info-rules:

         authorization: {
             version: 1
             allow-header-cert-info: true
             allow-header-cert-info-rules: [...]
             rules: [...]
         }

      2. Let the "allow-header-cert-info" parameter be a boolean or a list of {rules}:

         authorization: {
             version: 1
             allow-header-cert-info: [...]
             rules: [...]
         }
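      The following is an added example modelling the proposed "authorize" step in plain Python; it is not Puppet Server code. It assumes the X-Client-Verify / X-Client-DN header names from Puppet Server's external SSL termination docs, and a constructed trusted_proxies set of proxy certnames standing in for whatever rules form the setting ends up taking. Headers are honored only when the TLS peer is a listed proxy; any other peer is authenticated on its own connection cert and headers it sent anyway are flagged for detection.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    certname: Optional[str]      # CN the request is authorized as (None = unauthenticated)
    source: str                  # "header", "tls" or "none"
    spoof_attempt: bool = False  # X-Client-* headers arrived from a peer that is not a trusted proxy

def cn_from_dn(dn: str) -> Optional[str]:
    """Pull the CN out of a DN such as 'CN=agent1.example.com,O=Example'.
    Simplified parser: escaped commas inside a DN value are not handled."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def resolve_identity(peer_cn: Optional[str], headers: dict, trusted_proxies: set,
                     allow_header_cert_info: bool) -> Identity:
    """Decide whose identity a request carries.
    peer_cn: CN of the cert presented on the TLS connection to Puppet Server (None if none).
    headers: HTTP headers as received.
    trusted_proxies: assumed config, the CNs of proxies whose X-Client-* headers may be honored
    (stands in for the proposed allow-header-cert-info rules list)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    has_hdrs = any(k.startswith("x-client-") for k in h)
    if allow_header_cert_info and peer_cn in trusted_proxies:
        # A trusted proxy authenticated on its own cert: its headers describe the real client.
        if h.get("x-client-verify") == "SUCCESS" and h.get("x-client-dn"):
            return Identity(cn_from_dn(h["x-client-dn"]), "header")
        return Identity(None, "none")  # proxy reports the agent did not verify (or sent nothing)
    # Any other peer: X-Client-* headers carry no authority, whatever the setting says.
    # Authenticate on the connection's own cert and flag headers that were sent anyway.
    if peer_cn is not None:
        return Identity(peer_cn, "tls", spoof_attempt=has_hdrs)
    return Identity(None, "none", spoof_attempt=has_hdrs)
```

A spoof_attempt result is worth logging on its own: with the current all-or-nothing setting, a non-proxy peer sending these headers would be accepted silently.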


      Assignee: Unassigned
      Reporter: Alan Evans (alanwevans)