Hi Wei.
Just for my curiosity, was this described solution not a possible
solution?
https://docs.openshift.org/3.6/install_config/router/customized_haproxy_router.html#using-annotations
Best Regards
aleks
------ Original Message ------
From: "Wei Li" <w...@redhat.com>
To: dev@lists.openshift.redhat.com
Sent: 23.11.2017 18:05:28
Subject: Fwd: a proposal to add support for client certificate
authentication in OpenShift Routes
Sorry for sending this again, but I forgot to add formatting last time.
It should look better this time :)
Hi,
Recently we have a requirement to support client certificate
authentication for an application that is deployed on OpenShift. I got
it working using the “Passthrough” mode with the OpenShift router.
However, the downside is that I also have to manage SSL inside my
application, rather than taking advantage of the OpenShift routes.
But given that OpenShift routers are based on HAProxy, and HAProxy does
support client certificate authentication, I did a small POC to prove
that OpenShift routers can perform client certificate authentication as
well, and here is what I did:
I modified the original haproxy-config.template file, added the
following sections:
https://gist.github.com/wei-lee/1dc94ec67fa2a30115a416614dcce750#file-haproxy-config-template-L200-L202
https://gist.github.com/wei-lee/1dc94ec67fa2a30115a416614dcce750#file-haproxy-config-template-L254-L287
The idea is quite simple: A new mapping file is used to save all the
hosts that require CCA. When a match is found for a given request, a
new frontend/backend pair will be used. The new frontend/backend pair
is similar to the existing be_sni/fe_sni pair, with a few small
changes. The first is to add the following new options to the bind
statement:
verify optional ca-file /var/lib/haproxy/conf/custom/ca/trust.pem
This will tell HAProxy to perform client certificate authentication.
Then the client cert info will be passed to the backend application via
a header:
# Set client certificate info
http-request set-header x-ssl-client-cert %{+Q}[ssl_c_der,base64]
I then created a few configmaps to save the new template file, the new
mapping file mentioned above (see this example
<https://gist.github.com/wei-lee/756e6afcb4f3778df016d6c56e81206f>),
and the CA file for client verification. At last, I attached the
configmaps to the router container as PVs, and set the container to use
the new HAProxy template.
After redeploying the router, I created a new “Edge” route in OpenShift
for my application (see route_config.png
<https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-route_config-png>).
When I navigate to the route in the browser, I am prompted to select
the client certificate to use (see select_cert.png
<https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-select_cert-png>).
Once the right cert is selected, the request is proxied to my backend
application, and my backend application can still access the client
cert info (see client_cert.png
<https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-client_cert-png>).
So based on the POC, I think we can add support for CCA in OpenShift
routes, and here is the proposal for how to implement it:
1. In the route config page, a few new fields can be added. These fields
   will allow developers to configure whether they want to enable CCA,
   and upload the CA file for client verification.
2. The backend model that represents the route configuration should be
   updated as well to persist the new CCA info.
3. When updating the HAProxy config file, new files should be created,
   including:
   - a mapping file to record which routes require CCA
   - each CCA CA file should be written to a single file on disk
4. For each of the routes that requires CCA, a new backend/frontend pair
   should be added to the HAProxy config template file. Each frontend
   will be bound to a new port, and use the CA file that is specified
   for the route to perform CCA.
So am I on the right track here, or is there a better way to do it? If
I want to implement this feature, where is the best place to start? Also,
who is the best person to ask questions around routers? Any other
suggestions/feedback/thoughts?
Thank you!
—
WEI LI
SENIOR SOFTWARE ENGINEER
Red Hat Mobile <https://www.redhat.com/>
w...@redhat.com M: +353862393272 <tel:+353862393272>
<https://red.ht/sig>
_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
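The frontend/backend pair the POC describes, written out as an added example (this is not code from Wei's gist or from the OpenShift router template): it shows that the `verify optional` bind option alone does not enforce anything, so a rule on `ssl_c_used` is needed before the certificate headers are forwarded. The port, the map file, the backend names and the pod address are placeholders, and it assumes HAProxy 1.6 or later.

```haproxy
# Added example, not from the gist or the OpenShift router template.
# One frontend/backend pair for hosts that require client certificate
# authentication (CCA). Port, map path, backend names and server address
# are placeholders; assumes HAProxy 1.6 or later.

frontend fe_cca
  mode http
  # 'verify optional' completes the TLS handshake when the client presents
  # NO certificate at all. A certificate that fails verification against
  # trust.pem still aborts the handshake (unless ca-ignore-err or
  # crt-ignore-err is set), so the gap to close is the "no cert" case.
  bind *:10444 ssl crt /var/lib/haproxy/router/certs/default.pem verify optional ca-file /var/lib/haproxy/conf/custom/ca/trust.pem

  # Reject requests that carry no client certificate, or whose verify
  # result is not 0 (OK). Without this rule, certificate-less clients
  # would be proxied to the backend with an empty x-ssl-client-cert.
  http-request deny unless { ssl_c_used } { ssl_c_verify 0 }

  # Only now forward the certificate (DER, base64-encoded), its verify
  # result and its subject DN. set-header replaces any client-supplied
  # value, so the backend can trust these headers on requests that came
  # through fe_cca (and must not trust them on any other path).
  http-request set-header x-ssl-client-cert %{+Q}[ssl_c_der,base64]
  http-request set-header x-ssl-client-verify %[ssl_c_verify]
  http-request set-header x-ssl-client-s-dn %{+Q}[ssl_c_s_dn]

  # Hosts that require CCA are looked up in the mapping file (host -> backend).
  # A host missing from the map is refused rather than routed to an
  # unprotected backend by default.
  use_backend %[req.hdr(host),lower,map(/var/lib/haproxy/conf/cca_host_be.map)]
  default_backend be_cca_reject

backend be_cca_reject
  mode http
  http-request deny

backend be_app_cca
  mode http
  # Placeholder endpoint; the router template renders the real pod list here.
  server pod1 10.128.0.10:8080 check
```

A constructed `cca_host_be.map` line for this example would read `app.example.com be_app_cca`, one host per line.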