Currently, client certificate validation is performed within the
authorize service, after user login. Instead, configure Envoy to perform
certificate validation itself, at the time of the initial connection.
When a client certificate authority is configured, Envoy will reject any
connection attempts that do not present a valid client certificate with
a trust chain rooted at the configured certificate authority.
For end users without a client certificate configured in their browser,
after this change they will see a browser default error page, rather
than an HTML error page served by Pomerium.
When multiple client CAs are configured for different routes on the same
domain, we will create a bundle from these client CAs, so that a
certificate issued by any of these CAs will be accepted during the
initial connection. If the presented certificate is not valid for the
specific route, then we serve an HTTP 495 response.
Add a separate method buildDownstreamTLSContextWithValidation(), so we
can make these changes only for the main HTTP listener, and not for the
internal gRPC listener. Move the existing unit tests for
buildDownstreamTLSContext() over to test
buildDownstreamTLSContextWithValidation() instead.
Update the existing Envoy configuration test cases, add unit tests for
the new clientCAForDomain() function, and add integration test cases.
* add support for proxy protocol on HTTP listener (#1777)
* add support for proxy protocol on HTTP listener
* rename option, add doc
* reduce memory usage by handling http/2 coalescing via a lua script
* move script to file
* use wellknown
* fix integration test
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Currently, the user's identity headers are always inserted into the downstream
request. For privacy reasons, it would be better not to insert these
headers by default, and let the user choose whether to include these headers
on a per-policy basis.
Fixes #702
* config: add RemoveRequestHeaders
Currently, we have the "set_request_headers" config, which reflects envoy
route.Route.RequestHeadersToAdd. This commit adds a new config,
"remove_request_headers", which reflects envoy RequestHeadersToRemove.
This is also a preparation for future PRs to implement the "disable user
identity in request headers" feature.
* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
* integration-tests: switch to go for backends to support TLS scenarios
* fix apply order
* generate additional tls certs
* integration-tests: tls_skip_verify option
* integration-tests: wait for openid to come up before starting authenticate
* add tls_server_name test
* add test for tls_custom_ca
* increase setup timeout to 15 minutes
* fix secret name reference
* mtls wip
* mtls wip
* add test for client_cert