Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

reverse-proxy: T6419: build full CA chain when verifying backend server (backport #3546) #3555

Merged
merged 5 commits into from
May 30, 2024
Merged

reverse-proxy: T6419: build full CA chain when verifying backend server (backport #3546) #3555

merged 5 commits into from
May 30, 2024

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented May 30, 2024

Change Summary

Using a CA with intermediate to verify a backend service

set load-balancing reverse-proxy backend nextcloud ssl ca-certificate 'CAcert_Class_3_Root'`
set pki ca CAcert_Class_3_Root certificate 'MIIGPTCCBCWg...'
set pki ca CAcert_Signing_Authority certificate 'MIIG7jCCBNagAwIBAgIBDzANB...'

One will see that the rendered ceritficate used inside haproxy.conf

# Backend
backend nextcloud
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server lnx03 172.16.36.40:443 ssl ca-file /run/haproxy/CAcert_Class_3_Root.pem
vyos@vyos# cat  /run/haproxy/CAcert_Class_3_Root.pem
-----BEGIN CERTIFICATE-----
MIIGPTCCBCWgAwIBAgIDFOIoM...
-----END CERTIFICATE-----[edit]

does not contain the full CA chain path, as only one of the two certificates is added into the file.

This PR calculates the CA chain and adds all required certificates to the resulting file

After this PR the file looks like:

vyos@vyos# cat /run/haproxy/CAcert_Class_3_Root.pem
-----BEGIN CERTIFICATE-----
MIIGPTCCBCWgAwIB...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIG7jCCBNagAwIBAg...
-----END CERTIFICATE-----

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

reverse-proxy

Proposed changes

How to test

Smoketest result

$ /usr/libexec/vyos/tests/smoke/cli/test_load-balancing_reverse-proxy.py
test_01_lb_reverse_proxy_domain (__main__.TestLoadBalancingReverseProxy.test_01_lb_reverse_proxy_domain) ... ok
test_02_lb_reverse_proxy_cert_not_exists (__main__.TestLoadBalancingReverseProxy.test_02_lb_reverse_proxy_cert_not_exists) ... ok
test_03_lb_reverse_proxy_ca_not_exists (__main__.TestLoadBalancingReverseProxy.test_03_lb_reverse_proxy_ca_not_exists) ... ok
test_04_lb_reverse_proxy_backend_ssl_no_verify (__main__.TestLoadBalancingReverseProxy.test_04_lb_reverse_proxy_backend_ssl_no_verify) ... ok
test_05_lb_reverse_proxy_backend_http_check (__main__.TestLoadBalancingReverseProxy.test_05_lb_reverse_proxy_backend_http_check) ... ok
test_06_lb_reverse_proxy_tcp_mode (__main__.TestLoadBalancingReverseProxy.test_06_lb_reverse_proxy_tcp_mode) ... ok
test_07_lb_reverse_proxy_http_response_headers (__main__.TestLoadBalancingReverseProxy.test_07_lb_reverse_proxy_http_response_headers) ... ok

----------------------------------------------------------------------
Ran 7 tests in 41.120s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
This is an automatic backport of pull request #3546 done by [Mergify](https://mergify.com).

c-po added 5 commits May 30, 2024 11:48
@c-po @mergify
op-mode: T5231: add command to restart reverse-proxy
16235b2 
(cherry picked from commit 2980eb0)
@c-po @mergify
reverse-proxy: T5231: better mark v4v6 listen any address
8754f48 
haproxy supports both ":::80 v4v6" and "[::]:80 v4v6" as listen statement,
where the later one is more humand readable. Both act in the same way.

(cherry picked from commit a2f0b25)
@c-po @mergify
reverse-proxy: T5231: remove frontend ca-certificate code path
aa3970c 
The code path to handle the ca certificate used for the frontend service
is removed, as there is no way on the XLI to define the CA certificate used
for the frontend service.

(cherry picked from commit 6000c47)
@c-po @mergify
reverse-proxy: T6419: build full CA chain when verifying backend server
2ae1798 
(cherry picked from commit d83a6e5)
@c-po @mergify
reverse-proxy: T6419: build full CA chain for frontend SSL certificate
5cfca28 
(cherry picked from commit 4b189a7)
@mergify mergify bot requested a review from a team as a code owner May 30, 2024 11:48
@mergify mergify bot mentioned this pull request May 30, 2024
Merged
12 tasks
@github-actions github-actions bot added the sagitta VyOS 1.4 LTS label May 30, 2024
@c-po c-po enabled auto-merge May 30, 2024 12:03
@c-po c-po merged commit 94ee1d8 into sagitta May 30, 2024
6 checks passed
@mergify mergify bot deleted the mergify/bp/sagitta/pr-3546 branch May 30, 2024 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@c-po c-po c-po approved these changes

@jestabro jestabro jestabro approved these changes

@dmbaturin dmbaturin Awaiting requested review from dmbaturin dmbaturin is a code owner automatically assigned from vyos/reviewers

@sarthurdev sarthurdev Awaiting requested review from sarthurdev sarthurdev is a code owner automatically assigned from vyos/reviewers

@zdc zdc Awaiting requested review from zdc zdc is a code owner automatically assigned from vyos/reviewers

@sever-sever sever-sever Awaiting requested review from sever-sever sever-sever is a code owner automatically assigned from vyos/reviewers

Assignees
No one assigned
Labels
sagitta VyOS 1.4 LTS
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jestabro @c-po