Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-3.8] Allow insecure path Allow routes to override Redirect routes without … #18211

Closed
wants to merge 1 commit into from
Closed

[release-3.8] Allow insecure path Allow routes to override Redirect routes without … #18211

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion images/router/haproxy/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ RUN INSTALL_PKGS="haproxy" && \
yum clean all && \
mkdir -p /var/lib/haproxy/router/{certs,cacerts} && \
mkdir -p /var/lib/haproxy/{conf,run,bin,log} && \
touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_route_http_expose,os_route_http_redirect,cert_config,os_wildcard_domain}.map,haproxy.config} && \
touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_route_http_insecure,cert_config,os_wildcard_domain}.map,haproxy.config} && \
setcap 'cap_net_bind_service=ep' /usr/sbin/haproxy && \
chown -R :0 /var/lib/haproxy && \
chmod -R g+w /var/lib/haproxy
Expand Down
38 changes: 14 additions & 24 deletions images/router/haproxy/conf/haproxy-config.template
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,12 +161,12 @@ frontend public
http-request set-header Host %[req.hdr(Host),lower]

# check if we need to redirect/force using https.
acl secure_redirect base,map_reg(/var/lib/haproxy/conf/os_route_http_redirect.map) -m found
acl secure_redirect base,map_reg(/var/lib/haproxy/conf/os_route_http_insecure.map) redirect
redirect scheme https if secure_redirect

# Check if it is an edge or reencrypt route exposed insecurely.
acl route_http_expose base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map) -m found
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map)] if route_http_expose
acl secure_redirect_or_allow base,map_reg(/var/lib/haproxy/conf/os_route_http_insecure.map) -m found
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_route_http_insecure.map)] if secure_redirect_or_allow !secure_redirect

# map to http backend
# Search from most specific to general path (host case).
Expand Down Expand Up @@ -519,34 +519,24 @@ backend be_tcp:{{$cfgIdx}}
{{ end -}}{{/* end edge http host map template */}}

{{/*
os_route_http_expose.map: contains a mapping of www.example.com -> <service name>.
Map is used to also expose edge terminated and reencrypt routes via an insecure scheme
(http) if acls match for routes with insecure option set to expose.
os_route_http_insecure.map: edge and reencrypt routes that redirect or allow insecure traffic
*/}}
{{ define "/var/lib/haproxy/conf/os_route_http_expose.map" -}}
{{ define "/var/lib/haproxy/conf/os_route_http_insecure.map" -}}
{{ range $idx, $cfg := .State -}}
{{ if and (ne $cfg.Host "") (and (matchValues (print $cfg.TLSTermination) "edge" "reencrypt") (eq $cfg.InsecureEdgeTerminationPolicy "Allow")) -}}
{{ if (eq $cfg.TLSTermination "edge") -}}
{{ if ne $cfg.Host "" -}}
{{ if and (matchValues (print $cfg.TLSTermination) "edge" "reencrypt") (eq $cfg.InsecureEdgeTerminationPolicy "Allow") -}}
{{ if (eq $cfg.TLSTermination "edge") -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_edge_http:{{$idx}}
{{ else -}}
{{ else -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_secure:{{$idx}}
{{ end -}}
{{ end -}}
{{ if eq $cfg.InsecureEdgeTerminationPolicy "Redirect" -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} redirect
{{ end -}}
{{ end -}}
{{ end -}}
{{ end -}}{{/* end edge and reencrypt expose http host map template */}}

{{/*
os_route_http_redirect.map: contains a mapping of www.example.com -> <service name>.
Map is used to redirect insecure traffic to use a secure scheme (https)
if acls match for routes that have the insecure option set to redirect.
*/}}
{{ define "/var/lib/haproxy/conf/os_route_http_redirect.map" -}}
{{ range $idx, $cfg := .State -}}
{{ if and (ne $cfg.Host "") (eq $cfg.InsecureEdgeTerminationPolicy "Redirect") -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
{{ end -}}
{{ end -}}
{{ end -}}{{/* end redirect http host map template */}}
{{ end -}}{{/* end edge and reencrypt routes that redirect or allow insecure traffic map template */}}


{{/*
Expand Down