Project

General

Profile

Actions

Bug #26634

closed

Smart proxy auth concern doesn't handle reverse proxy setup when the cert is (null)

Added by Ewoud Kohl van Wijngaarden over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Category:
Authentication
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

The Foreman::Controller::SmartProxyAuth attempts to use smart proxy certificate authentication by looking for client certificates. It does so by looking at the ssl_client_cert_env setting. In a reverse proxy setup (Apache from EL7) with a standalone Foreman process (using Puma) I set the following in /etc/foreman/settings.yaml:

# Configure reverse proxy headers
:ssl_client_dn_env: HTTP_SSL_CLIENT_S_DN
:ssl_client_verify_env: HTTP_SSL_CLIENT_VERIFY
:ssl_client_cert_env: HTTP_SSL_CLIENT_CERT

When you navigate to a page with a browser that doesn't present any certificates but is authenticated, the result is that request.env[Setting[:ssl_client_cert_env]] returns (none). The code then attempts to parse this as a certificate which obviously fails.

Actions

Also available in: Atom PDF