Project

General

Profile

Bug #26634

Smart proxy auth concern doesn't handle reverse proxy setup when the cert is (null)

Added by Ewoud Kohl van Wijngaarden almost 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Category:
Authentication
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

The Foreman::Controller::SmartProxyAuth attempts to use smart proxy certificate authentication by looking for client certificates. It does so by looking at the ssl_client_cert_env setting. In a reverse proxy setup (Apache from EL7) with a standalone Foreman process (using Puma) I set the following in /etc/foreman/settings.yaml:

# Configure reverse proxy headers
:ssl_client_dn_env: HTTP_SSL_CLIENT_S_DN
:ssl_client_verify_env: HTTP_SSL_CLIENT_VERIFY
:ssl_client_cert_env: HTTP_SSL_CLIENT_CERT

When you navigate to a page with a browser that doesn't present any certificates but is authenticated, the result is that request.env[Setting[:ssl_client_cert_env]] returns (none). The code then attempts to parse this as a certificate which obviously fails.

Associated revisions

Revision fa571deb (diff)
Added by Ewoud Kohl van Wijngaarden almost 4 years ago

Fixes #26634 - Handle (none) certificates in SmartProxyAuth

When visiting the page from behind a reverse proxy this value can end up
as (none) and then fails to parse. This special cases it.

History

#1 Updated by The Foreman Bot almost 4 years ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/6691 added

#2 Updated by Ewoud Kohl van Wijngaarden almost 4 years ago

  • Subject changed from Smart proxy auth concern doesn't handle reverse proxy setup when the cert is (none) to Smart proxy auth concern doesn't handle reverse proxy setup when the cert is (null)

#3 Updated by Tomer Brisker almost 4 years ago

  • Fixed in Releases 1.22.0 added

#4 Updated by Ewoud Kohl van Wijngaarden almost 4 years ago

  • Status changed from Ready For Testing to Closed

Also available in: Atom PDF