
Re: Origin router and X-Forwarded-For



Hi Aleks,
I already configured the 4 values, and if I leave the intermediate CA out of the destinationCACertificate field, the Origin GUI shows me a warning related to the certificate. The output of the export command is:

apiVersion: v1
kind: Route
metadata:
  creationTimestamp: null
  name: callcentergw-dev-external
spec:
  host: callcenter.fineco.it
  port:
    targetPort: 443-tcp
  tls:
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      ….
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    certificate: |-
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----
    termination: reencrypt
  to:
    kind: Service
    name: callcentergw-dev
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2017-10-18T07:54:22Z
      status: "True"
      type: Admitted
    host: callcenter.test.local
    routerName: router
    wildcardPolicy: None


The results of the second command are the same whether run insecurely or passing a cafile made up of the intermediate + root CA certificates.


* About to connect() to callcenter.test.local port 443 (#0)
*   Trying 192.168.10.10...
* Connected to callcenter.test.local (192.168.10.10) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /tmp/new-cac.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: E=my.test.local,CN=callcenter.test.local,OU=test,O=Local=Milan,ST=Italy,C=IT
*       start date: Mar 31 11:54:54 2016 GMT
*       expire date: Mar 31 11:54:54 2018 GMT
*       common name: callcenter.test.local
*       issuer: CN=Local CA Subordinate,DC=milano,DC=test,DC=local,DC=it
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: callcenter.test.local
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 18 Oct 2017 08:29:17 GMT
< Server: Apache/2.4.28 (Unix) OpenSSL/1.0.2k-fips
< Location: https://callcenter.test.local/home
< Content-Length: 228
< Content-Type: text/html; charset=iso-8859-1


Marcello





On Tue, Oct 17, 2017 at 11:21 PM, Aleksandar Lazic <aleks me2digital eu> wrote:
Hi Marcello.

on Tuesday, 17 October 2017 at 09:11 was written:

> Hi,
> I'm using a re-encrypt configuration to preserve the x-forwarded-for information. The configuration is:
>
> Name:                   callcentergw-dev-external
> Namespace:              dev-shared
> Created:                17 hours ago
> Labels:                 <none>
> Annotations:            <none>
> Requested Host:         callcenter.test.local
>                           exposed on router router 17 hours ago
> Path:                   <none>
> TLS Termination:        reencrypt
> Insecure Policy:        Redirect
> Endpoint Port:          443-tcp

> Service:        callcentergw-dev
> Weight:         100 (100%)
> Endpoints:      10.131.0.138:443, 10.131.0.138:80

I miss the destinationCACertificate; maybe it's shown with export.

oc export route -n dev-shared callcentergw-dev-external

You can add in the GUI (=> Webinterface ) all four values under
"Security" settings. There is a section "Certificates" .

key: [as in edge termination]
certificate: [as in edge termination]
caCertificate: [as in edge termination]
destinationCACertificate: ...

Please can you also show us the output of

curl -vk callcenter.test.local

> Marcello

Best Regards
Aleks

> On 16 Oct 2017 20:45, "Aleksandar Lazic" <aleks me2digital eu> wrote:

> Hi Marcello.

> on Monday, 16 October 2017 at 15:23 was written:

>> Hi,
>> I have tried it and it worked fine, but the problem is overriding the
>> default wildcard certificate and configuring a different certificate,
>> because it's not possible to configure the intermediate CA chain in
>> the admin panel. I tried to configure the CA cert with the root CA and
>> the subordinate CA files and the router is ok, but if I navigate to the
>> new route I receive a security error.

> do you use a reencrypt or passthrough route?

> please can you show us the output of:

> oc get route -n your-project
> oc describe route -n your-project your-route

> Best Regards
> Aleks


>> Marcello

>> On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <aleks me2digital eu> wrote:

>>
>> Hi Marcello Lorenzi.

>> have you used -servername in s_client?

>> The ssl solution is based on sni (
>> https://en.wikipedia.org/wiki/Server_Name_Indication )

>> Regards
>> Aleks

>> on Thursday, 12 October 2017 at 13:02 was written:

>> Hi All,
>> thanks for the response; we checked the configuration. If I try
>> to check the certificate propagated with the passthrough configuration
>> with openssl s_client, the certificate provided is the wildcard
>> domain certificate and not the pod's own. Is it normal?

>> Thanks,
>> Marcello

>> On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <aleks me2digital eu> wrote:

>> Hi.

>> In addition to Joel's suggestion, you can also use a reencrypt route
>> if you want to talk encrypted with the Apache webserver.

>> https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination

>> Regards
>> Aleks

>> on Wednesday, 11 October 2017 at 15:51 was written:

>> Sorry, I meant to say it *cannot* modify the http request in any way.
>> On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson
>> <japearson agiledigital com au> wrote:

>> Hi Marcello,

>> If you use Passthrough termination then that means that OpenShift
>> cannot add the X-Forwarded-For header, because as the name suggests it
>> is just passing the packets through and because it's encrypted it can
>> modify the http request in any way.

>> If you want X-Forwarded-For you will need to switch to Edge termination.

>> Thanks,

>> Joel
>> On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <cello86 gmail com> wrote:

>> Hi All,
>> we tried to configure a route on Origin 3.6 with a Passthrough
>> termination to an Apache webserver present in a single POD, but we
>> can't see the X-Forwarded-For header in the Apache logs. We tried to capture it without success.

>> Could you confirm if there is any method to extract it from the POD side?

>> Thanks,
>> Marcello
>> _______________________________________________
>> users mailing list
>> users lists openshift redhat com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>> --
>> Kind Regards,

>> Joel Pearson
>> Agile Digital | Senior Software Consultant

>> Love Your Software™ | ABN 98 106 361 273
>> p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au
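Added example, not code from this thread or from OpenShift: a stand-alone checker that encodes the constraints the thread arrives at, so a Route object can be linted before it is applied. It checks that a reencrypt route carries all four TLS fields (key, certificate, caCertificate, destinationCACertificate), that a passthrough route carries none of them and is flagged as unable to receive X-Forwarded-For from the router, and that every PEM field consists of complete, matching BEGIN/END blocks with valid base64 bodies. The function names (`pem_blocks`, `check_route`, `fake_pem`), the sample Route dicts and the PEM bodies are constructed here; the Route dicts follow the field layout shown in the `oc export` output above but use placeholder names and contents.

```python
"""Structural lint for the TLS stanza of an OpenShift Route object.

Added example (not from the thread or from OpenShift). Input is a Route
parsed from JSON or YAML into a dict; only the standard library is used.
"""
import base64
import json
import re

# One PEM block: BEGIN label, base64 body (possibly multi-line), END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S
)
TLS_FIELDS = ("key", "certificate", "caCertificate", "destinationCACertificate")


def pem_blocks(text):
    """Return the labels of the well-formed PEM blocks in `text`.

    Raises ValueError when a BEGIN label is closed by a different END label,
    when a body is not valid base64, or when a BEGIN/END marker is left
    outside any complete block (a truncated or glued-together paste).
    """
    labels = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.groups()
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(begin)
    if text.count("-----BEGIN") != len(labels) or text.count("-----END") != len(labels):
        raise ValueError("unbalanced PEM markers")
    return labels


def check_route(route):
    """Return a list of findings ("ERROR:", "WARN:", "INFO:") for a Route dict."""
    findings = []
    tls = route.get("spec", {}).get("tls")
    if tls is None:
        return ["INFO: no TLS stanza; plain HTTP route"]
    term = tls.get("termination")
    present = {f for f in TLS_FIELDS if tls.get(f)}

    # Every supplied field must be made of complete PEM blocks of the right kind.
    for f in sorted(present):
        try:
            labels = pem_blocks(tls[f])
        except ValueError as e:
            findings.append(f"ERROR: {f}: {e}")
            continue
        if f == "key" and any("PRIVATE KEY" not in l for l in labels):
            findings.append("ERROR: key must contain a private key block")
        elif f != "key" and any(l != "CERTIFICATE" for l in labels):
            findings.append(f"ERROR: {f} must contain only CERTIFICATE blocks")
        if f == "certificate" and len(labels) != 1:
            findings.append("WARN: certificate should hold one server cert; put the chain in caCertificate")

    if term == "passthrough":
        # The router never decrypts, so it can neither present certs nor edit headers.
        if present:
            findings.append("ERROR: passthrough routes cannot carry certificates")
        findings.append("INFO: passthrough: router cannot add X-Forwarded-For")
    elif term in ("edge", "reencrypt"):
        if ("certificate" in present) != ("key" in present):
            findings.append("ERROR: certificate and key must be supplied together")
        if term == "reencrypt" and "destinationCACertificate" not in present:
            findings.append("WARN: reencrypt route has no destinationCACertificate to verify the backend")
        if term == "edge" and "destinationCACertificate" in present:
            findings.append("ERROR: destinationCACertificate is only meaningful for reencrypt")
    else:
        findings.append(f"ERROR: unknown termination {term!r}")
    return findings


def fake_pem(label, body="MIIBfakeCERT0123"):
    """Constructed placeholder PEM block (valid base64, not a real cert or key)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


def _route(termination, **tls):
    # Constructed Route dict with placeholder names, shaped like `oc export` output.
    tls["termination"] = termination
    return {"apiVersion": "v1", "kind": "Route",
            "metadata": {"name": "example-route"},
            "spec": {"host": "example.invalid", "tls": tls,
                     "to": {"kind": "Service", "name": "example-svc"}}}


ROUTE_REENCRYPT_OK = _route(
    "reencrypt", key=fake_pem("RSA PRIVATE KEY"), certificate=fake_pem("CERTIFICATE"),
    caCertificate=fake_pem("CERTIFICATE") + "\n" + fake_pem("CERTIFICATE"),
    destinationCACertificate=fake_pem("CERTIFICATE"))
ROUTE_REENCRYPT_NO_DEST_CA = _route(
    "reencrypt", key=fake_pem("RSA PRIVATE KEY"), certificate=fake_pem("CERTIFICATE"))
ROUTE_PASSTHROUGH_WITH_CERT = _route(
    "passthrough", key=fake_pem("RSA PRIVATE KEY"), certificate=fake_pem("CERTIFICATE"))

if __name__ == "__main__":
    for name in ("ROUTE_REENCRYPT_OK", "ROUTE_REENCRYPT_NO_DEST_CA", "ROUTE_PASSTHROUGH_WITH_CERT"):
        print(name, json.dumps(check_route(globals()[name]), indent=2))
```

Run it on a real object with `oc get route <name> -o json` piped into `json.load` and passed to `check_route`; the WARN for a missing destinationCACertificate is the condition Aleks asks about in the thread, and the passthrough INFO is Joel's point that the router cannot inject X-Forwarded-For when it never decrypts.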

