Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-27 Thread Emmanuel Hocdet


> On 27 Sept 2019 at 12:23, Geoff Simmons wrote:
> 
> On 9/26/19 19:27, Emmanuel Hocdet wrote:
> 
>>> And I wonder if there are situations in which someone will want to
>>> specifically choose one source of truth for authority over the other.
>>> Suppose an incoming connection uses TLS with an SNI, and the peer
>>> component also sends an authority TLV via Proxy. Is a situation
>>> imaginable in which only one of them is getting it "right", for the
>>> purposes of haproxy, and the config author wants to be sure to catch
>>> that one only?
>> 
>> You can with the sample fetch from transport layer, « ssl_fc_sni » for TLS.
> 
> Then if I understand correctly:
> 
> - when you prefer the authority value from TLS, use the ssl_fc_sni fetch
> 

yes, or fix the authority value with tcp-request content set-authority ssl_fc_sni

> - if you prefer the value from the Proxy TLV, just use the authority
> fetch, since that one prefers the TLV over the value from TLS, according
> to the rules described above.
> 
> Is that right?
> 

yes

++
Manu




Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-27 Thread Geoff Simmons
On 9/26/19 19:27, Emmanuel Hocdet wrote:
> 
>>>
>>> Proposal reworking after playing with « authority » and looking at how
>>> « src »/« dst » are working.
>>>
>>> « Authority » can come from transport layer (TLS), ProxyV2 TLV or
>>> « set-authority ».
>>> « src/dst » is set from transport layer (TCP), overwritten by Proxy-protocol
>>> and « set-{src,dst} ».
>>> I propose to do the same for « authority » sample fetch:
>>> pick « authority » from « set-authority, Proxy-protocol, and transport
>>> layer » (in this order). It’s already what authority is in
>>> « proxy-v2-options authority »
>>>  => « fc_pp_authority » disappears in favour of the generic « authority »
>>> sample fetch
>>
>> Some thoughts that come to mind -- it sounds like there will be a bit of
>> "magic" at work here, so will it be transparent to the user? Will users
>> find that the authority field is being set and they wonder where it came
>> from?
> 
> I think we can. It will simplify the usage in the vast majority of cases.

OK

>> And I wonder if there are situations in which someone will want to
>> specifically choose one source of truth for authority over the other.
>> Suppose an incoming connection uses TLS with an SNI, and the peer
>> component also sends an authority TLV via Proxy. Is a situation
>> imaginable in which only one of them is getting it "right", for the
>> purposes of haproxy, and the config author wants to be sure to catch
>> that one only?
> 
> You can with the sample fetch from transport layer, « ssl_fc_sni » for TLS.

Then if I understand correctly:

- when you prefer the authority value from TLS, use the ssl_fc_sni fetch

- if you prefer the value from the Proxy TLV, just use the authority
fetch, since that one prefers the TLV over the value from TLS, according
to the rules described above.

Is that right?


Best,
Geoff
-- 
** * * UPLEX - Nils Goroll Systemoptimierung

Scheffelstraße 32
22301 Hamburg

Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753

http://uplex.de





Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Emmanuel Hocdet


> On 26 Sept 2019 at 18:10, Geoff Simmons wrote:
> 
> On 9/26/19 11:43, Emmanuel Hocdet wrote:
>> 
>> Proposal reworking after playing with « authority » and looking at how
>> « src »/« dst » are working.
>> 
>> « Authority » can come from transport layer (TLS), ProxyV2 TLV or
>> « set-authority ».
>> « src/dst » is set from transport layer (TCP), overwritten by Proxy-protocol
>> and « set-{src,dst} ».
>> I propose to do the same for « authority » sample fetch:
>> pick « authority » from « set-authority, Proxy-protocol, and transport
>> layer » (in this order). It’s already what authority is in
>> « proxy-v2-options authority »
>>  => « fc_pp_authority » disappears in favour of the generic « authority »
>> sample fetch
> 
> Some thoughts that come to mind -- it sounds like there will be a bit of
> "magic" at work here, so will it be transparent to the user? Will users
> find that the authority field is being set and they wonder where it came
> from?
> 

I think we can. It will simplify the usage in the vast majority of cases.
Proxy-protocol is done to restore the initial context from a
connection. And should be used between trusted client/server.
Typically:
client --TLS (sni)--> haproxy --TLS (with internal sni)--> haproxy --TLS (sni)--> backend

> And I wonder if there are situations in which someone will want to
> specifically choose one source of truth for authority over the other.
> Suppose an incoming connection uses TLS with an SNI, and the peer
> component also sends an authority TLV via Proxy. Is a situation
> imaginable in which only one of them is getting it "right", for the
> purposes of haproxy, and the config author wants to be sure to catch
> that one only?
> 

You can with the sample fetch from transport layer, « ssl_fc_sni » for TLS.

> To be honest I'm not sure, I'm still a bit of an "outsider" around here,
> and other readers of the list will have better intuitions about what's
> common and possible. So I'd be happy to be assured that this will be fine.
> 
I'm not sure either :)
Thanks for the report!

Manu




Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Tim Düsterhus
Geoff,

On 26.09.19 at 18:10, Geoff Simmons wrote:
> Incidentally, I too have not seen a patch on this thread since September
> 10th (not sure if you meant to send a new one today).
> 

see my sibling emails to this thread:
https://www.mail-archive.com/haproxy@formilux.org/msg35005.html

Best regards
Tim Düsterhus



Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Geoff Simmons
On 9/26/19 11:43, Emmanuel Hocdet wrote:
> 
> Proposal reworking after playing with « authority » and looking at how
> « src »/« dst » are working.
> 
> « Authority » can come from transport layer (TLS), ProxyV2 TLV or
> « set-authority ».
> « src/dst » is set from transport layer (TCP), overwritten by Proxy-protocol
> and « set-{src,dst} ».
> I propose to do the same for « authority » sample fetch:
> pick « authority » from « set-authority, Proxy-protocol, and transport
> layer » (in this order). It’s already what authority is in
> « proxy-v2-options authority »
>  => « fc_pp_authority » disappears in favour of the generic « authority »
> sample fetch

Some thoughts that come to mind -- it sounds like there will be a bit of
"magic" at work here, so will it be transparent to the user? Will users
find that the authority field is being set and they wonder where it came
from?

And I wonder if there are situations in which someone will want to
specifically choose one source of truth for authority over the other.
Suppose an incoming connection uses TLS with an SNI, and the peer
component also sends an authority TLV via Proxy. Is a situation
imaginable in which only one of them is getting it "right", for the
purposes of haproxy, and the config author wants to be sure to catch
that one only?

To be honest I'm not sure, I'm still a bit of an "outsider" around here,
and other readers of the list will have better intuitions about what's
common and possible. So I'd be happy to be assured that this will be fine.

Incidentally, I too have not seen a patch on this thread since September
10th (not sure if you meant to send a new one today).


Best,
Geoff





Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Tim Düsterhus
Manu,

On 26.09.19 at 17:40, Emmanuel Hocdet wrote:
> I see it on my side.
> 

Ah, again it's the stupid Apple Mail issue at fault. It misconstructs
emails with attachments and the attachment is only visible when viewing
the HTML version. I can confirm the patch is there when showing HTML.

Technical explanation
---------------------

Apple Mail constructs the following structure:

/----------------------------------\
| multipart/alternative            |
+----------------------------------+
| /------------------------------\ |
| | text/plain                   | |
| +------------------------------+ |
| | Your message                 | |
| \------------------------------/ |
|                                  |
| /------------------------------\ |
| | multipart/mixed              | |
| +------------------------------+ |
| | /--------------------------\ | |
| | | application/octet-stream | | |
| | +--------------------------+ | |
| | | Your patch               | | |
| | \--------------------------/ | |
| |                              | |
| | /--------------------------\ | |
| | | text/html                | | |
| | +--------------------------+ | |
| | | Your message             | | |
| | \--------------------------/ | |
| \------------------------------/ |
\----------------------------------/

Thunderbird then selects the text/plain "alternative" (because I
configured it to show the text/plain version). This alternative does not
include the patch.

To be correct, it needs to look like this:

/----------------------------------\
| multipart/mixed                  |
+----------------------------------+
| /------------------------------\ |
| | multipart/alternative        | |
| +------------------------------+ |
| | /--------------------------\ | |
| | | text/plain               | | |
| | +--------------------------+ | |
| | | Your message             | | |
| | \--------------------------/ | |
| |                              | |
| | /--------------------------\ | |
| | | text/html                | | |
| | +--------------------------+ | |
| | | Your message             | | |
| | \--------------------------/ | |
| \------------------------------/ |
|                                  |
| /------------------------------\ |
| | application/octet-stream     | |
| +------------------------------+ |
| | Your patch                   | |
| \------------------------------/ |
\----------------------------------/

Thunderbird still selects the text/plain alternative, but the patch is
in the "mixed" box, so it is shown.

Best regards
Tim Düsterhus
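
An added example (not from Tim's mail or from haproxy) that builds both MIME layouts described above with Python's standard email package and walks them the way a reader that prefers one alternative does; the patch bytes, the filename and the helper names are constructed stand-ins.

```python
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

PATCH = b"--- a/src/connection.c\n+++ b/src/connection.c\n"  # constructed stand-in
PATCH_NAME = "0001-constructed.patch"                        # constructed name


def apple_mail_layout():
    """Layout Tim describes: alternative( text/plain, mixed( patch, text/html ) )."""
    outer = MIMEMultipart("alternative")
    outer.attach(MIMEText("Your message", "plain"))
    mixed = MIMEMultipart("mixed")
    patch = MIMEApplication(PATCH, "octet-stream")
    patch.add_header("Content-Disposition", "attachment", filename=PATCH_NAME)
    mixed.attach(patch)
    mixed.attach(MIMEText("<p>Your message</p>", "html"))
    outer.attach(mixed)
    return outer


def correct_layout():
    """Correct layout: mixed( alternative( text/plain, text/html ), patch )."""
    msg = EmailMessage()
    msg.set_content("Your message")
    msg.add_alternative("<p>Your message</p>", subtype="html")
    msg.add_attachment(PATCH, maintype="application", subtype="octet-stream",
                       filename=PATCH_NAME)
    return msg


def visible_attachments(part, prefer="plain"):
    """Attachments a reader sees when it renders text/<prefer> from every
    multipart/alternative and walks every branch of other multiparts."""
    ctype = part.get_content_type()
    if ctype == "multipart/alternative":
        parts = part.get_payload()
        chosen = [p for p in parts if p.get_content_type() == "text/" + prefer]
        # no matching alternative: fall back to the last one, as readers do
        return visible_attachments(chosen[0] if chosen else parts[-1], prefer)
    if part.is_multipart():
        found = []
        for sub in part.get_payload():
            found.extend(visible_attachments(sub, prefer))
        return found
    if part.get_content_disposition() == "attachment":
        return [part.get_filename()]
    return []
```

With the Apple Mail layout a text/plain reader never reaches the mixed branch, so the patch is invisible; with the mixed-outside layout both readers see it.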



Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Emmanuel Hocdet


Hi Tim,

> On 26 Sept 2019 at 15:11, Tim Düsterhus wrote:
> 
> Manu,
> 
> On 26.09.19 at 11:43, Emmanuel Hocdet wrote:
>> Included my patch for that proposal. (could be split with comments from this 
>> mail)
> 
> Did you forget to actually attach the patch? I'm not seeing anything.
> 


I see it on my side.




Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Tim Düsterhus
Manu,

On 26.09.19 at 11:43, Emmanuel Hocdet wrote:
> Included my patch for that proposal. (could be split with comments from this 
> mail)

Did you forget to actually attach the patch? I'm not seeing anything.

Best regards
Tim Düsterhus



Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-26 Thread Emmanuel Hocdet
Hi,

Proposal reworking after playing with « authority » and looking at how
« src »/« dst » are working.

« Authority » can come from transport layer (TLS), ProxyV2 TLV or
« set-authority ».
« src/dst » is set from transport layer (TCP), overwritten by Proxy-protocol
and « set-{src,dst} ».
I propose to do the same for « authority » sample fetch:
pick « authority » from « set-authority, Proxy-protocol, and transport
layer » (in this order). It’s already what authority is in
« proxy-v2-options authority »
 => « fc_pp_authority » disappears in favour of the generic « authority »
sample fetch

Example:

listen offload
       mode tcp
       bind :80
       bind :443 ssl crt-list /etc/haproxy/crtbindlist.cfg
       server bla 127.0.0.1:8080 send-proxy-v2 proxy-v2-options authority

listen onload
       mode tcp
       bind 127.0.0.1:8080 accept-proxy
       acl has_authority authority -m found
       tcp-request inspect-delay 5s
       tcp-request content set-authority hdr(Host),lower if !has_authority
       tcp-request content reject if !has_authority
       server srvssl 0.0.0.0:443 ssl verify none sni authority

Note: in case of:
   tcp-request connection set-authority str(authbla)
« authority » is set before ProxyV2, and will be overwritten by TLV authority.

Included my patch for that proposal. (could be split with comments from this
mail)

++
Manu

0001-MINOR-connection-add-set-authority-and-normalize-aut.patch
Description: Binary data
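
An added example, not part of Manu's mail or patch: a small PROXY protocol v2 parser for the authority TLV (type 0x02) plus a model of the pick order proposed above (set-authority, Proxy-protocol TLV, then TLS SNI), including the note that a connection-phase set-authority is overwritten by the TLV. The header bytes and hostnames are constructed, and the function names are my own.

```python
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY v2 signature
PP2_TYPE_AUTHORITY = 0x02                   # TLV type carrying the authority


def build_ppv2(src, dst, sport, dport, authority=None):
    """Constructed PROXY v2 header: command PROXY (0x21), TCP over IPv4 (0x11)."""
    body = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    body += struct.pack("!HH", sport, dport)
    if authority is not None:
        val = authority.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AUTHORITY, len(val)) + val
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


def ppv2_authority(data):
    """Return the authority TLV as str, or None if the header carries none."""
    if data[:12] != PP2_SIGNATURE or data[12] != 0x21 or (data[13] & 0xF0) != 0x10:
        raise ValueError("not a PROXY v2 header for IPv4")
    length = struct.unpack("!H", data[14:16])[0]
    body = data[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated header")
    pos = 12                                # skip 2x IPv4 address + 2x port
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        typ, ln = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + ln > len(body):
            raise ValueError("TLV overruns header")
        if typ == PP2_TYPE_AUTHORITY:
            return body[pos + 3:pos + 3 + ln].decode("ascii")
        pos += 3 + ln
    return None


def resolve_authority(sni=None, ppv2=None, connection_set=None, content_set=None):
    """Model of the proposed precedence: one authority slot is written in
    connection order (tcp-request connection set-authority, then the PPv2 TLV,
    then tcp-request content set-authority); if still empty, fall back to the
    TLS SNI from the transport layer."""
    value = connection_set
    tlv = ppv2_authority(ppv2) if ppv2 else None
    if tlv is not None:
        value = tlv            # the TLV overwrites a connection-phase set-authority
    if content_set is not None:
        value = content_set    # content rules run after the PROXY header is parsed
    return value if value is not None else sni
```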


Re: [PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-12 Thread Emmanuel Hocdet

Patch updated with a bug fix.

> On 10 Sept 2019 at 14:19, Emmanuel Hocdet wrote:
> 
> 
> Hi,
> 
> Included, my first proposal for « set-authority » action, to set
> custom "authority" sample fetch.
> 
> Use case could be to use « sni authority » in server line.
> For « proxy-v2-options authority », authority is picked from custom
> authority (« set-authority »), ppv2 authority or ssl_fc_sni.
> Sample fetch « authority » could do the same, but I don’t
> know if it’s a good idea.
> 
> ++
> Manu
> 
> 



0001-MINOR-connection-add-set-authority-and-authority-sam.patch
Description: Binary data



[PATCH] MINOR: connection: add "set-authority" and "authority" sample fetch

2019-09-10 Thread Emmanuel Hocdet

Hi,

Included, my first proposal for « set-authority » action, to set
custom "authority" sample fetch.

Use case could be to use « sni authority » in server line.
For « proxy-v2-options authority », authority is picked from custom
authority (« set-authority »), ppv2 authority or ssl_fc_sni.
Sample fetch « authority » could do the same, but I don’t
know if it’s a good idea.

++
Manu




0001-MINOR-connection-add-set-authority-and-authority-sam.patch
Description: Binary data