1. 28 Sep, 2023 2 commits
    • stack/erp5: serve balancer requests when client certificate is not verified · d58bbbba
      Jérome Perrin authored
      We configure haproxy with "verify optional", which makes haproxy request
      a client certificate, but accept the case where the client does not
      present a certificate. However, as described in [1], if the client
      presents a certificate and this certificate cannot be verified, the
      handshake is aborted. This is not what we want; we want to treat the case
      of a non-verified certificate the same as the absence of a certificate.
      
      This configures haproxy accordingly, using "crt-ignore-err all" to allow
      the handshake anyway.
      
      Once this was fixed, there was a remaining problem with the
      client_cert_verified acl: haproxy acls are OR, but this rule was supposed
      to be an AND (client presents a certificate AND it is verified). This was
      rewritten to use inline conditions, which are AND.
      
      [1]: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify
      
      Also adjust test_x_forwarded_for_stripped_when_no_certificate to assert
      that there is no X-Forwarded-For header at all when there is no client
      certificate.
    • Xavier Thompson's avatar
      2ffda605
  2. 27 Sep, 2023 9 commits
  3. 26 Sep, 2023 4 commits
  4. 25 Sep, 2023 2 commits
  5. 22 Sep, 2023 9 commits
  6. 20 Sep, 2023 1 commit
  7. 18 Sep, 2023 1 commit
  8. 14 Sep, 2023 3 commits
  9. 13 Sep, 2023 1 commit
  10. 12 Sep, 2023 2 commits
  11. 04 Sep, 2023 6 commits