Hi folks,

https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/

Suggests the following code as a way to set X-SSL-* headers based on client 
certificate properties. 

http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN     %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer        %{+Q}[ssl_c_i_dn]

However, SSL certificates can contain UTF-8 characters but HTTP headers may only 
contain standard ASCII characters. Therefore the above code can cause problems 
for backend servers as it may send non-ASCII characters in the header fields 
(in our case it broke a Spring Java app).

I've been tasked with fixing this. Although I'm able to get 
%{+Q}[ssl_c_s_dn,url_enc] working fine, my preferred solution of simply 
deleting the non-ASCII characters via %{+Q}[ssl_c_s_dn,regsub([^\x20-\x7F],,g)] 
does not seem to work at all -- it seems like regsub is doing nothing.

I've been testing this with a client certificate with the following subject:

/C=Vatican City/O=Víkî’s Vergnügungspark/CN=localhost


%{+Q}[ssl_c_s_dn,url_enc] correctly results in an X-SSL-Client-DN header of:

%2FC%3DVatican+City%2FO%3DViki%27s+Vergn%C3%BCgungspark%2FCN%3Dlocalhost

However, %{+Q}[ssl_c_s_dn,regsub([^\x20-\x7F],,g)] does not seem to transform 
the header at all and results in non-ASCII characters in the header:

/C=Vatican City/O=Víkî’s Vergnügungspark/CN=localhost


I've repeated this test with as many different regsub configurations as I can 
think of just to try and get regsub working (e.g. replacing all 'V's with 'X's 
via regsub(V,X,g)) and as far as I can tell regsub is not doing anything.

I would appreciate any advice you can offer on why regsub is seemingly not 
doing anything, how I might be mis-configuring this, or better approaches to 
achieve this.

kind regards,

Pete
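
Added example (not part of the original post, and not HAProxy code): a Python sketch comparing the two header-sanitising approaches the post mentions, applied to the subject DN it tests with. It assumes Python's quote_plus as a stand-in for url_enc, uses hypothetical function names, and adds a constructed second DN to show that stripping non-ASCII characters is lossy while percent-encoding round-trips.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Same character class as the regsub in the post. Note that it keeps \x7F (DEL).
NON_ASCII = re.compile(r"[^\x20-\x7F]")

# Subject DN from the post, written with escapes so the source stays ASCII.
POST_DN = "/C=Vatican City/O=V\u00edk\u00ee\u2019s Vergn\u00fcgungspark/CN=localhost"
# Constructed: a different, pure-ASCII subject that collides after stripping.
OTHER_DN = "/C=Vatican City/O=Vks Vergngungspark/CN=localhost"


def strip_non_ascii(dn: str) -> str:
    """Lossy approach: delete every character outside \\x20-\\x7F."""
    return NON_ASCII.sub("", dn)


def encode_dn(dn: str) -> str:
    """Reversible approach: percent-encode the UTF-8 bytes of the DN."""
    return quote_plus(dn, encoding="utf-8")


def decode_dn(header_value: str) -> str:
    """Backend side: accept only ASCII input and strictly valid UTF-8."""
    if NON_ASCII.search(header_value):
        raise ValueError("header value contains non-ASCII characters")
    # errors="strict" raises UnicodeDecodeError on malformed sequences
    # instead of silently substituting U+FFFD.
    return unquote_plus(header_value, encoding="utf-8", errors="strict")


def compare(dn_a: str, dn_b: str) -> dict:
    """Report whether two distinct subjects stay distinct in the header."""
    return {
        "stripped_collide": strip_non_ascii(dn_a) == strip_non_ascii(dn_b),
        "encoded_collide": encode_dn(dn_a) == encode_dn(dn_b),
    }


if __name__ == "__main__":
    print("stripped:", strip_non_ascii(POST_DN))
    print("encoded: ", encode_dn(POST_DN))
    print("decoded: ", decode_dn(encode_dn(POST_DN)))
    print("compare: ", compare(POST_DN, OTHER_DN))
```

If the backend makes authorisation decisions on X-SSL-Client-DN, the stripped form lets two different subjects produce the same header value, whereas the encoded form keeps them distinct and can be decoded back to the exact subject.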
