1. 22 Sep, 2023 1 commit
    • stack/erp5: serve balancer requests when client certificate is not verified · daad5830
      Jérome Perrin authored
      We configure haproxy with "verify optional", which makes haproxy request
      a client certificate but accept the case where the client does not present
      a certificate. However, as described in [1], if the client presents a
      certificate and this certificate cannot be verified, the handshake is
      aborted. This is not what we want; we want to treat the case of a
      non-verified certificate the same as the case of the absence of a certificate.
      
      This configures haproxy accordingly, using "crt-ignore-err all" to allow
      handshake anyway.
      
      Once this was fixed, there was a remaining problem with the
      client_cert_verified acl: haproxy acls are OR, but this rule was supposed
      to be an AND (client presents a certificate AND it is verified). This was
      rewritten to use inline conditions, which are AND.
      
      [1]: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify
      
      Also adjust test_x_forwarded_for_stripped_when_no_certificate to assert
      that there is no X-Forwarded-For header at all when there is no client
      certificate.
      daad5830
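      A configuration sketch of the change the commit message above describes, added here as an illustration and not taken from the commit or the project's own templates. The frontend and backend names, ports and file paths are placeholders, and the X-Forwarded-For rule is an assumption based on the test name mentioned in the message.

      ```haproxy
      # BEFORE (behaviour the commit message describes as unwanted)
      frontend balancer_before
          mode http
          # "verify optional": no certificate is accepted, but a certificate
          # that fails verification aborts the TLS handshake.
          bind :8443 ssl crt /placeholder/server.pem ca-file /placeholder/ca.pem verify optional

          # Two declarations of the same named ACL are ORed together, so this
          # matches when EITHER test is true, not when both are.
          acl client_cert_verified ssl_c_used
          acl client_cert_verified ssl_c_verify 0

          # Assumed rule: drop the client-supplied header unless the peer is trusted.
          http-request del-header X-Forwarded-For unless client_cert_verified
          default_backend app

      # AFTER
      frontend balancer_after
          mode http
          # "crt-ignore-err all": the handshake completes even if the presented
          # certificate cannot be verified; the verify result stays available
          # to the rules below through ssl_c_verify.
          bind :8444 ssl crt /placeholder/server.pem ca-file /placeholder/ca.pem verify optional crt-ignore-err all

          # Anonymous ACLs written side by side in one condition are ANDed:
          # a certificate was presented AND its verification result is 0 (no error).
          http-request del-header X-Forwarded-For unless { ssl_c_used } { ssl_c_verify 0 }
          default_backend app

      backend app
          mode http
          server app1 127.0.0.1:8080   # placeholder upstream
      ```

      With crt-ignore-err all, a completed handshake no longer says anything about the client, so every rule that trusts client identity has to test both ssl_c_used and ssl_c_verify 0 itself.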
  2. 20 Sep, 2023 1 commit
  3. 18 Sep, 2023 1 commit
  4. 14 Sep, 2023 3 commits
  5. 13 Sep, 2023 1 commit
  6. 12 Sep, 2023 2 commits
  7. 04 Sep, 2023 9 commits
  8. 01 Sep, 2023 6 commits
  9. 31 Aug, 2023 3 commits
  10. 30 Aug, 2023 8 commits
  11. 28 Aug, 2023 3 commits
  12. 23 Aug, 2023 1 commit
  13. 21 Aug, 2023 1 commit