Bug #26634
Smart proxy auth concern doesn't handle reverse proxy setup when the cert is (null)
Status:
Closed
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
-
Description
The Foreman::Controller::SmartProxyAuth attempts to use smart proxy certificate authentication by looking for client certificates. It does so by looking at the ssl_client_cert_env setting. In a reverse proxy setup (Apache from EL7) with a standalone Foreman process (using Puma) I set the following in /etc/foreman/settings.yaml:
# Configure reverse proxy headers :ssl_client_dn_env: HTTP_SSL_CLIENT_S_DN :ssl_client_verify_env: HTTP_SSL_CLIENT_VERIFY :ssl_client_cert_env: HTTP_SSL_CLIENT_CERT
When you navigate to a page with a browser that doesn't present any certificates but is authenticated, the result is that request.env[Setting[:ssl_client_cert_env]] returns (none). The code then attempts to parse this as a certificate which obviously fails.
Associated revisions
History
#1
Updated by The Foreman Bot almost 4 years ago
Updated by - Assignee set to Ewoud Kohl van Wijngaarden
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/6691 added
#2
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
Updated by - Subject changed from Smart proxy auth concern doesn't handle reverse proxy setup when the cert is (none) to Smart proxy auth concern doesn't handle reverse proxy setup when the cert is (null)
#3
Updated by Tomer Brisker almost 4 years ago
Updated by - Fixed in Releases 1.22.0 added
#4
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset fa571deb45e7f9a4a438c83585a3bfbfcfeec58b.
Fixes #26634 - Handle (none) certificates in SmartProxyAuth
When visiting the page from behind a reverse proxy this value can end up
as (none) and then fails to parse. This special cases it.