• Jérome Perrin's avatar
    stack/erp5: serve balancer requests when client certificate is not verified · d58bbbba
    Jérome Perrin authored
    We configure haproxy with "verify optional", which makes haproxy request
    a client certificate, but accept the case where client does not present
    a certificate, but as described in [1], if client present a certificate
    and this certificate can not be verified, handshake is aborted. This is
    not what we want, we want to treat the case of a non verified
    certificate same as the case of the absence of certificate.
    
    This configures haproxy accordingly, using "crt-ignore-err all" to allow
    handshake anyway.
    
    Once this was fixed, there was a remaining problem with
    client_cert_verified acl, haproxy acl are OR, but this rule was supposed
    to be a AND (client present a certificate AND it is verified), this was
    rewritten to use inline condition which are AND.
    
    [1]: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify
    
    Also adjust test_x_forwarded_for_stripped_when_no_certificate to assert
    that there is no X-Forwarded-For header at all when no client
    certificate.
    d58bbbba
buildout.hash.cfg 2.93 KB