Re: Setting up haproxy for tomcat SSL Valve

2021-02-24 Thread Jarno Huuskonen
Hi,

On Thu, 2021-02-25 at 03:24 +0100, Aleksandar Lazic wrote:
> Hi.
> 
> I am trying to set up HAProxy (precisely OpenShift Router :-)) to send the
> TLS/SSL client information to Tomcat.
> 
> On the SSL Valve page the following parameters are available.
> 
> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#SSL_Valve
> 
> SSL_CLIENT_CERT string  PEM-encoded client certificate
> ?
> 
> The only missing parameter is "SSL_CLIENT_CERT in PEM format". There is one
> in DER format, ssl_c_der, in HAProxy, but the code in SSLValve expects the
> PEM format.
> 
> https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/valves/SSLValve.java#L125
> 
> Have I overlooked something in the HAProxy code or docs, or isn't there
> currently an option to get the client certificate out of HAProxy in PEM
> format?

It should be possible (had this working years ago):
(https://www.mail-archive.com/haproxy@formilux.org/msg20883.html
http://shibboleth.net/pipermail/users/2015-July/022674.html)

Something like:

```
http-request add-header X-SSL-Client-Cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  # don't forget the last escaped space
```

-Jarno

-- 
Jarno Huuskonen
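As an added example (not code from the thread, HAProxy or Tomcat), here is the round trip that the add-header line above implies: DER bytes go out base64-encoded on a single header line with spaces standing in for PEM newlines, and the receiving side turns that back into standard 64-column PEM, rejecting a value whose markers are glued to the body (what happens when the escaped spaces are dropped from the HAProxy line). The DER bytes and the function names are constructed for the illustration.

```python
import base64
import re
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-in for the DER bytes HAProxy exposes as ssl_c_der; it is
# not a real certificate, only enough bytes to exercise the round trip.
SAMPLE_DER = b"\x30\x82" + bytes(range(256)) * 3

# The shape the add-header line produces: marker, whitespace, base64 body
# (spaces tolerated inside), whitespace, marker, optional trailing space.
_HEADER_RE = re.compile(
    r"^\s*" + re.escape(PEM_BEGIN) + r"\s+([A-Za-z0-9+/=\s]+?)\s+"
    + re.escape(PEM_END) + r"\s*$"
)


def haproxy_header_value(der: bytes) -> str:
    # Mirrors the HAProxy line from the thread:
    #   add-header X-SSL-Client-Cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ 
    b64 = base64.b64encode(der).decode("ascii")
    return f"{PEM_BEGIN} {b64} {PEM_END} "


def header_to_pem(value: str) -> str:
    """Rebuild standard PEM (64-column base64 lines) from the one-line header
    value; raise ValueError for anything that is not that exact shape."""
    if "\r" in value or "\n" in value:
        raise ValueError("header value must be a single line")
    m = _HEADER_RE.match(value)
    if m is None:
        # Typical cause: the escaped spaces ("\ ") around the markers were
        # dropped from the HAProxy line, gluing the markers to the base64 body.
        raise ValueError("missing PEM markers or the spaces around them")
    body = re.sub(r"\s+", "", m.group(1))
    base64.b64decode(body, validate=True)  # reject junk before trusting it
    return "\n".join([PEM_BEGIN, *textwrap.wrap(body, 64), PEM_END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Decode a PEM certificate back to the DER bytes HAProxy started from."""
    lines = pem.strip().splitlines()
    if lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)
```

Whether the trailing space is required is a property of the consumer (the thread says it is for the SSL Valve); the parser here accepts the value with or without it.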


Re: [PATCH] BUG/MEDIUM: contrib/prometheus-exporter: fix segfault in listener name dump

2021-02-24 Thread Christopher Faulet

On 25/02/2021 at 00:53, William Dauchy wrote:

We need to check whether listener is empty before doing anything; in
that case, we were trying to dump the listener name while name is null. So
simply move the counters check above, which validates all possible cases
when the listener is empty. This is very similar to what is done in
stats.c.

see also the trace:

   Thread 1 "haproxy" received signal SIGSEGV, Segmentation fault.
   __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
   120     ../sysdeps/x86_64/multiarch/../strlen.S: No such file or directory.
   (gdb) bt
   #0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
   #1  0x555b716b in promex_dump_listener_metrics (htx=0x558fadf0, appctx=0x55926070) at contrib/prometheus-exporter/service-prometheus.c:722
   #2  promex_dump_metrics (htx=0x558fadf0, si=0x55925920, appctx=0x55926070) at contrib/prometheus-exporter/service-prometheus.c:1200
   #3  promex_appctx_handle_io (appctx=0x55926070) at contrib/prometheus-exporter/service-prometheus.c:1477
   #4  0x556f0c94 in task_run_applet (t=0x55926180, context=0x55926070, state=) at src/applet.c:88
   #5  0x556bc6d8 in run_tasks_from_lists (budgets=budgets@entry=0x7fffe374) at src/task.c:548
   #6  0x556bd1a0 in process_runnable_tasks () at src/task.c:750
   #7  0x55696cdd in run_poll_loop () at src/haproxy.c:2870
   #8  0x55697025 in run_thread_poll_loop (data=data@entry=0x0) at src/haproxy.c:3035
   #9  0x55596c90 in main (argc=, argv=0x7fffe818) at src/haproxy.c:3723
   quit)

this bug was introduced by commit
e3f7bd5ae9e969cbfe87e4130d06bff7a3e814c6 ("MEDIUM:
contrib/prometheus-exporter: add listen stats"), which is present for
2.4 only, so no backport needed.



Thanks William, now merged!

--
Christopher Faulet



Setting up haproxy for tomcat SSL Valve

2021-02-24 Thread Aleksandar Lazic

Hi.

I am trying to set up HAProxy (precisely OpenShift Router :-)) to send the
TLS/SSL client information to Tomcat.

On the SSL Valve page the following parameters are available.

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#SSL_Valve

```
sslClientCertHeader:
Allows setting a custom name for the ssl_client_cert header. If not specified, the default of "ssl_client_cert" is used.

sslCipherHeader:
Allows setting a custom name for the ssl_cipher header. If not specified, the default of "ssl_cipher" is used.

sslSessionIdHeader:
Allows setting a custom name for the ssl_session_id header. If not specified, the default of "ssl_session_id" is used.

sslCipherUserKeySizeHeader:
Allows setting a custom name for the ssl_cipher_usekeysize header. If not specified, the default of "ssl_cipher_usekeysize" is used.
```

I have found some corresponding variables on the mod_ssl page and among the
HAProxy sample fetches; at least I hope I found the right ones on the HAProxy
side.

https://httpd.apache.org/docs/current/mod/mod_ssl.html#envvars

SSL_CLIENT_CERT string  PEM-encoded client certificate
?

SSL_CIPHER  string  The cipher specification name
http-request set-header ssl_cipher   %[ssl_fc_cipher]
http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.4-ssl_fc_cipher

SSL_SESSION_ID  string  The hex-encoded SSL session id
http-request set-header ssl_session_id %[ssl_fc_session_id,hex]
http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.4-ssl_fc_session_id

SSL_CIPHER_USEKEYSIZE   number  Number of cipher bits (actually used)
http-request set-header ssl_cipher_usekeysize %[ssl_fc_alg_keysize]
http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.4-ssl_fc_alg_keysize

The only missing parameter is "SSL_CLIENT_CERT in PEM format". There is one in
DER format, ssl_c_der, in HAProxy, but the code in SSLValve expects the PEM
format.

https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/valves/SSLValve.java#L125

Have I overlooked something in the HAProxy code or docs, or isn't there
currently an option to get the client certificate out of HAProxy in PEM
format?

Regards
Alex



[PATCH] BUG/MEDIUM: contrib/prometheus-exporter: fix segfault in listener name dump

2021-02-24 Thread William Dauchy
We need to check whether listener is empty before doing anything; in
that case, we were trying to dump the listener name while name is null. So
simply move the counters check above, which validates all possible cases
when the listener is empty. This is very similar to what is done in
stats.c.

see also the trace:

  Thread 1 "haproxy" received signal SIGSEGV, Segmentation fault.
  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
  120     ../sysdeps/x86_64/multiarch/../strlen.S: No such file or directory.
  (gdb) bt
  #0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
  #1  0x555b716b in promex_dump_listener_metrics (htx=0x558fadf0, appctx=0x55926070) at contrib/prometheus-exporter/service-prometheus.c:722
  #2  promex_dump_metrics (htx=0x558fadf0, si=0x55925920, appctx=0x55926070) at contrib/prometheus-exporter/service-prometheus.c:1200
  #3  promex_appctx_handle_io (appctx=0x55926070) at contrib/prometheus-exporter/service-prometheus.c:1477
  #4  0x556f0c94 in task_run_applet (t=0x55926180, context=0x55926070, state=) at src/applet.c:88
  #5  0x556bc6d8 in run_tasks_from_lists (budgets=budgets@entry=0x7fffe374) at src/task.c:548
  #6  0x556bd1a0 in process_runnable_tasks () at src/task.c:750
  #7  0x55696cdd in run_poll_loop () at src/haproxy.c:2870
  #8  0x55697025 in run_thread_poll_loop (data=data@entry=0x0) at src/haproxy.c:3035
  #9  0x55596c90 in main (argc=, argv=0x7fffe818) at src/haproxy.c:3723
  quit)

this bug was introduced by commit
e3f7bd5ae9e969cbfe87e4130d06bff7a3e814c6 ("MEDIUM:
contrib/prometheus-exporter: add listen stats"), which is present for
2.4 only, so no backport needed.

Signed-off-by: William Dauchy 
---
 contrib/prometheus-exporter/service-prometheus.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/contrib/prometheus-exporter/service-prometheus.c 
b/contrib/prometheus-exporter/service-prometheus.c
index 7cf30c1f3..e6023d353 100644
--- a/contrib/prometheus-exporter/service-prometheus.c
+++ b/contrib/prometheus-exporter/service-prometheus.c
@@ -718,12 +718,12 @@ static int promex_dump_listener_metrics(struct appctx 
*appctx, struct htx *htx)
li = appctx->ctx.stats.obj2;
list_for_each_entry_from(li, >conf.listeners, 
by_fe) {
 
-   labels[1].name  = ist("listener");
-   labels[1].value = ist2(li->name, 
strlen(li->name));
-
if (!li->counters)
continue;
 
+   labels[1].name  = ist("listener");
+   labels[1].value = ist2(li->name, 
strlen(li->name));
+
if (!stats_fill_li_stats(px, li, 0, stats,
 ST_F_TOTAL_FIELDS, 
&(appctx->st2)))
return -1;
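Review bot: The moved lines still pass `li->name` to `strlen()` unguarded (`labels[1].value = ist2(li->name, strlen(li->name));`), so the crash is avoided only because a listener that has no counters is also the one whose name can be NULL; the commit message states this invariant ("validates all possible cases when the listener is empty") but the code does not. Consider adding a short comment at the `if (!li->counters)` check saying that it also covers the unnamed-listener case, or guarding the value with `li->name ? ist2(li->name, strlen(li->name)) : ist("")`, so the dump cannot regress if a listener ever acquires counters before a name.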
-- 
2.30.0