
Re: Origin router and X-Forwarded-For



Hi Marcello.

on Wednesday, 18 October 2017 at 10:32 was written:

> Hi Aleks,
> I already configured the 4 values and if I miss the intermediate CA
> into the destinationCACertificate field the Origin GUI shows to me a
> warning related to the certificate. The export of the command is :

Are there any errors in the router logs?

oc logs -n dev-shared <POD> |egrep callcentergw

> apiVersion: v1
> kind: Route
> metadata:
>   creationTimestamp: null
>   name: callcentergw-dev-external
> spec:
>   host: callcenter.fineco.it
>   port:
>     targetPort: 443-tcp
>   tls:
>     caCertificate: |-
>       -----BEGIN CERTIFICATE-----
>       ….
>       -----END CERTIFICATE-----
>       -----BEGIN CERTIFICATE-----
>       …
>       -----END CERTIFICATE-----
>     certificate: |-
>       -----BEGIN CERTIFICATE-----
>       …
>       -----END CERTIFICATE-----
>     destinationCACertificate: |-
>       -----BEGIN CERTIFICATE-----
>       …
>       -----END CERTIFICATE-----
>     key: |-
>       -----BEGIN RSA PRIVATE KEY-----
>       …
>       -----END RSA PRIVATE KEY-----
>     termination: reencrypt
>   to:
>     kind: Service
>     name: callcentergw-dev
>     weight: 100
>   wildcardPolicy: None
> status:
>   ingress:
>   - conditions:
>     - lastTransitionTime: 2017-10-18T07:54:22Z
>       status: "True"
>       type: Admitted
>     host: callcenter.test.local
>     routerName: router
>     wildcardPolicy: None




> The second command results are the same in insecure and passing the
> cafile formed by intermediate + root CA certificates.




> * About to connect() to callcenter.test.local port 443 (#0)
> *   Trying 192.168.10.10...
> * Connected to callcenter.test.local (192.168.10.10) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /tmp/new-cac.crt
>   CApath: none
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> * Server certificate:
> *       subject: E=my.test.local,CN=callcenter.test.local,OU=test,O=Local=Milan,ST=Italy,C=IT
> *       start date: Mar 31 11:54:54 2016 GMT
> *       expire date: Mar 31 11:54:54 2018 GMT
> *       common name: callcenter.test.local
> *       issuer: CN=Local CA Subordinate,DC=milano,DC=test,DC=local,DC=it
> > GET / HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: callcenter.test.local
> > Accept: */*
> >
> < HTTP/1.1 302 Found
> < Date: Wed, 18 Oct 2017 08:29:17 GMT
> < Server: Apache/2.4.28 (Unix) OpenSSL/1.0.2k-fips
> < Location: https://callcenter.test.local/home
> < Content-Length: 228
> < Content-Type: text/html; charset=iso-8859-1




> Marcello









> On Tue, Oct 17, 2017 at 11:21 PM, Aleksandar Lazic <aleks me2digital eu> wrote:

> Hi Marcello.

>  on Tuesday, 17 October 2017 at 09:11 was written:

 >> Hi,
 >> I'm using a re-encrypt configuration to preserve the x-forwarded-for information. The configuration is:
 >>
 >> Name:                   callcentergw-dev-external
 >> Namespace:              dev-shared
 >> Created:                17 hours ago
 >> Labels:                 <none>
 >> Annotations:            <none>
 >> Requested Host:         callcenter.test.local
 >>                           exposed on router router 17 hours ago
 >> Path:                   <none>
 >> TLS Termination:        reencrypt
 >> Insecure Policy:        Redirect
 >> Endpoint Port:          443-tcp

 >> Service:        callcentergw-dev
 >> Weight:         100 (100%)
 >> Endpoints:      10.131.0.138:443, 10.131.0.138:80

> I miss the destinationCACertificate; maybe it's shown with export.

>  oc export route -n dev-shared callcentergw-dev-external

>  You can add in the GUI (=> Webinterface ) all four values under
>  "Security" settings. There is a section "Certificates".

>  key: [as in edge termination]
>  certificate: [as in edge termination]
>  caCertificate: [as in edge termination]
>  destinationCACertificate: ...

>  Please can you also show us the output of

>  curl -vk callcenter.test.local

 >> Marcello

>  Best Regards
>  Aleks


 >> On 16 Oct 2017 20:45, "Aleksandar Lazic" <aleks me2digital eu> wrote:

 >> Hi Marcello.

 >>  on Monday, 16 October 2017 at 15:23 was written:

  >>> Hi,
  >>> I have tried it and it worked fine but the problem is override the
  >>> default wildcard certificate and configure a different certificate,
  >>> because it's not possible to configure the intermediate CA chain into
  >>> the admin panel. I tried to configure the CA cert with the root CA and
  >>> the subordinate CA files and the router is ok but if I navigate the
  >>> new route I received a security error.

 >>  Do you use a reencrypted or passthrough route?

 >>  Please can you show us the output of:

 >>  oc get route -n your-project
 >>  oc describe route -n your-project your-route

 >>  Best Regards
 >>  Aleks


  >>> Marcello

  >>> On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <aleks me2digital eu> wrote:

  >>>
  >>> Hi Marcello Lorenzi.

  >>>  have you used -servername in s_client?

  >>>  The ssl solution is based on sni (
  >>> https://en.wikipedia.org/wiki/Server_Name_Indication )

  >>> Regards
  >>>  Aleks

  >>> on Thursday, 12 October 2017 at 13:02 was written:



  >>> Hi All,
  >>>  thanks for the response and we checked the configuration. If I tried
  >>> to check the certificated propagate with the passthrough configuration
  >>> with openssl s_client and the certificate provided is the wildcard
  >>> domain certificate and not the pod itself. Is it normal?

  >>>  Thanks,
  >>>  Marcello

  >>>  On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <aleks me2digital eu> wrote:

  >>> Hi.

  >>>  Additionally to joel suggestion can you also use reencrypted route
  >>> if you want to talk encrypted with apache webserver.

  >>> https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination

  >>> Regards
  >>>  Aleks

  >>>  on Wednesday, 11 October 2017 at 15:51 was written:


  >>> Sorry I meant it say, it *cannot modify the http request in any way.
  >>>  On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson
  >>> <japearson agiledigital com au> wrote:

  >>> Hi Marcelo,

  >>>  If you use Passthrough termination then that means that OpenShift
  >>> cannot add the X-Forwarded-For header, because as the name suggests it
  >>> is just passing the packets through and because it’s encrypted it can
  >>> modify the http request in anyway.

  >>>  If you want X-Forwarded-For you will need to switch to Edge termination.

  >>>  Thanks,

  >>>  Joel
  >>>  On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <cello86 gmail com> wrote:

  >>> Hi All,
  >>>  we tried to configure a route on Origin 3.6 with a Passthrough
  >>> termination to an Apache webserver present into a single POD but we
  >>> can't notice the X-Forwarded-Header to Apache logs. We tried to capture it without success.

  >>>  Could you confirm if there is some method to extract it from the POD side?

  >>>  Thanks,
  >>> Marcello
  >>> _______________________________________________
  >>>  users mailing list
  >>> users lists openshift redhat com
  >>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
  >>> --
  >>> Kind Regards,

  >>>  Joel Pearson
  >>>  Agile Digital | Senior Software Consultant

  >>>  Love Your Software™ | ABN 98 106 361 273
  >>>  p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au





-- 
Best Regards
Aleks

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
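The curl output above shows the backend certificate issued by "CN=Local CA Subordinate", and the GUI warning appears when the intermediate is left out of destinationCACertificate. The following script is an added illustration, not code from the thread or from OpenShift: it builds a throwaway root -> subordinate -> backend chain with the openssl CLI (all names and the temp directory are constructed) and then checks the backend certificate the way the router checks a reencrypt backend, once against a root-only bundle, once against subordinate + root, and once against root-only while the backend itself sends the subordinate certificate in the handshake (the -untrusted argument stands in for that). It assumes only that openssl is installed.

```sh
#!/bin/sh
# Added example (not from the thread): why destinationCACertificate needs the
# subordinate CA when the backend certificate is issued by one.
# Assumptions: openssl CLI is installed; all names/paths below are constructed.

WORK="$(mktemp -d)"

# make_chain: constructed PKI, root CA -> subordinate CA -> backend certificate
make_chain() {
  # self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  # subordinate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" \
    -subj "/CN=Example Subordinate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/sub.ext"
  openssl x509 -req -days 2 -in "$WORK/sub.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" >/dev/null 2>&1
  # backend (pod) certificate signed by the subordinate CA
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/backend.key" -out "$WORK/backend.csr" \
    -subj "/CN=callcenter.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:callcenter.example.test\n' \
    > "$WORK/backend.ext"
  openssl x509 -req -days 2 -in "$WORK/backend.csr" \
    -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" -CAcreateserial \
    -extfile "$WORK/backend.ext" -out "$WORK/backend.crt" >/dev/null 2>&1
  # the two candidate destinationCACertificate bundles
  cat "$WORK/root.crt" > "$WORK/dest-ca-root-only.pem"
  cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/dest-ca-sub-and-root.pem"
}

# verify_backend BUNDLE [CHAIN]: exit 0 when backend.crt validates against
# BUNDLE (the router's destinationCACertificate). CHAIN, if given, stands for
# extra certificates the backend itself presents in the TLS handshake.
verify_backend() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/backend.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/backend.crt" >/dev/null 2>&1
  fi
}

# root_only_fails: exit 0 when the root-only bundle is rejected (the warning case)
root_only_fails() {
  if verify_backend "$WORK/dest-ca-root-only.pem"; then return 1; fi
  return 0
}

# with_sub_succeeds: exit 0 when subordinate + root validates the backend
with_sub_succeeds() {
  verify_backend "$WORK/dest-ca-sub-and-root.pem"
}

# backend_sends_chain_succeeds: exit 0 when root-only is enough because the
# backend serves the subordinate CA itself (e.g. Apache SSLCertificateChainFile)
backend_sends_chain_succeeds() {
  verify_backend "$WORK/dest-ca-root-only.pem" "$WORK/sub.crt"
}

make_chain
root_only_fails && echo "root CA only: backend cert rejected (subordinate CA missing)"
with_sub_succeeds && echo "subordinate + root: backend cert accepted"
backend_sends_chain_succeeds && echo "root only, backend sends subordinate: accepted"
```

The third check is the practical alternative to pasting the intermediate into the route: if the Apache pod serves its subordinate CA certificate in the handshake, the router only needs the root in destinationCACertificate. Either way the chain from the pod's certificate up to something in that field has to be complete, which is what the warning in the GUI points at.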

