pomerium/config
Kenneth Jenkins 04585af9ef
config: generate fallback cert only as last resort (#5250)
Currently Pomerium will always generate a wildcard certificate for use 
as a fallback certificate.

If any other certificate is configured, this fallback certificate will 
not normally be presented, except in the case of a TLS connection where 
the client does not include the Server Name Indication (SNI) extension.
All modern browsers support SNI, so in practice this certificate should
never be presented to end users.

However, some network scanning tools will probe connections by IP 
addresses (without SNI), and so this fallback certificate may be
presented. The presence of this certificate may be flagged as a problem
in some automated vulnerability scans.

Let's avoid generating this fallback certificate if Pomerium has any 
other certificate configured (unless specifically requested by the Auto
TLS option). This should prevent false positive reports from these
particular vulnerability scans.
2024-12-19 09:46:59 -08:00
envoyconfig config: generate fallback cert only as last resort (#5250) 2024-12-19 09:46:59 -08:00
testdata
autocert.go core/ci: update linting (#4844) 2023-12-14 09:07:54 -08:00
autocert_test.go core/lint: upgrade golangci-lint, replace interface{} with any (#5099) 2024-05-02 14:33:52 -06:00
codec_type.go HTTP/3 Support (#5349) 2024-11-19 08:48:30 -07:00
codec_type_test.go
config.go config: minor cleanup in GenerateCatchAllCertificate (#5397) 2024-12-18 13:21:48 -08:00
config_source.go Fix many instances of contexts and loggers not being propagated (#5340) 2024-10-25 14:50:56 -04:00
config_source_test.go Fix many instances of contexts and loggers not being propagated (#5340) 2024-10-25 14:50:56 -04:00
config_test.go config: minor cleanup in GenerateCatchAllCertificate (#5397) 2024-12-18 13:21:48 -08:00
constants.go core/config: implement direct response (#4960) 2024-02-15 14:33:56 -07:00
custom.go core/lint: upgrade golangci-lint, replace interface{} with any (#5099) 2024-05-02 14:33:52 -06:00
custom_test.go core/lint: upgrade golangci-lint, replace interface{} with any (#5099) 2024-05-02 14:33:52 -06:00
doc.go
from.go core/config: add support for stripping the port for matching routes (#5085) 2024-04-26 08:24:46 -06:00
from_test.go change Policy.Matches to accept a URL pointer (#5360) 2024-11-07 14:55:44 -05:00
helpers.go core/redis: remove redis (#4768) 2023-11-28 13:14:36 -07:00
helpers_test.go
http.go core/logging: change log.Error function (#5251) 2024-09-05 15:42:46 -06:00
http_test.go core/lint: upgrade golangci-lint, replace interface{} with any (#5099) 2024-05-02 14:33:52 -06:00
identity.go change Policy.Matches to accept a URL pointer (#5360) 2024-11-07 14:55:44 -05:00
layered.go core/logging: change log.Error function (#5251) 2024-09-05 15:42:46 -06:00
layered_test.go core/lint: upgrade golangci-lint, replace interface{} with any (#5099) 2024-05-02 14:33:52 -06:00
log.go core/config: remove debug option, always use json logs (#4857) 2023-12-15 11:29:05 -07:00
log_level.go
metrics.go logging: remove ctx from global log methods (#5337) 2024-10-23 14:18:52 -06:00
metrics_test.go core/lint: upgrade golangci-lint, replace interface{} with any (#5099) 2024-05-02 14:33:52 -06:00
mtls.go Core-Zero Import (#5288) 2024-10-09 18:51:56 -04:00
mtls_test.go add mTLS UserPrincipalName SAN match (#5177) 2024-07-26 10:23:19 -07:00
options.go config: fix lost branding settings when there are multiple configuration sources (#5401) 2024-12-19 08:47:28 -07:00
options_check.go config: suppress unused warnings for all fields in embedded route envoy options (#5330) 2024-10-22 16:46:22 -04:00
options_test.go config: fix lost branding settings when there are multiple configuration sources (#5401) 2024-12-19 08:47:28 -07:00
policy.go UDP support (#5390) 2024-12-11 13:07:31 -07:00
policy_ppl.go ppl: fix empty/no-op allow block added in some cases to converted PPL policies (#5289) 2024-09-16 18:52:54 -04:00
policy_ppl_test.go ppl: more flexible matchers (#5336) 2024-10-25 07:56:57 -06:00
policy_test.go UDP support (#5390) 2024-12-11 13:07:31 -07:00
runtime_flags.go proxy: deprecate the /.pomerium/jwt endpoint (#5254) 2024-09-04 11:22:18 -07:00
session.go core/proxy: support loading sessions from headers and query string (#5291) 2024-09-19 09:23:13 -06:00
session_test.go core/proxy: support loading sessions from headers and query string (#5291) 2024-09-19 09:23:13 -06:00
trace.go logging: remove ctx from global log methods (#5337) 2024-10-23 14:18:52 -06:00
trace_test.go core/lint: upgrade golangci-lint, replace interface{} with any (#5099) 2024-05-02 14:33:52 -06:00
validate.go