TrueCloudLab/frostfs-s3-gw
17
3
Fork 20
Code Issues 29 Pull requests 9 Projects Releases 33 Packages 1 Activity Actions

Support TLS termination on a proxy-level for SSE-C #562

New issue
Closed
opened 2024-11-25 14:49:42 +00:00 by alexvanin · 3 comments
alexvanin commented 2024-11-25 14:49:42 +00:00
Owner
Copy link

Is your feature request related to a problem? Please describe.

Encryption parameters are processed by gateway when TLS is enabled.

func formEncryptionParamsBase(r *http.Request, ...){
	...
	if r.TLS == nil {
		return enc, apierr.GetAPIError(apierr.ErrInsecureSSECustomerRequest)
	}
	...
}

However, there might be an option, when TLS is terminated by the reverse-proxy server before gateway

proxy-tls.svg

Source

Describe the solution you'd like

Add a setting to disable TLS check.

Describe alternatives you've considered

  • Consider having such setting a dangerous thing and use self-signed cert for reverse proxy anyway.

  • Do not terminate TLS on proxy level at all.

Additional context

Minio restricts encryption headers without TLS and does not configure it, see 9a39f8ad4d/cmd/generic-handlers.go (L439)

## Is your feature request related to a problem? Please describe. Encryption parameters are processed by gateway when TLS is enabled. ```go func formEncryptionParamsBase(r *http.Request, ...){ ... if r.TLS == nil { return enc, apierr.GetAPIError(apierr.ErrInsecureSSECustomerRequest) } ... } ``` However, there might be an option, when TLS is terminated by the reverse-proxy server before gateway ![proxy-tls.svg](/attachments/9eb9956d-c032-42dd-8cb1-4e877a10d6f7) [Source](https://www.plantuml.com/plantuml/uml/TP31JiCm38RlUGhJqoOXE6n7X2R6nWuSfcMSnbI5rbs3MhjANBOAyUwurSO1GKw9Ft-_hSoYk21jNPahJrdLvWXtsVHsFatdJE8yORXf5D__mUk62KdEtDWk2jRf0xUKkz2DYY9UGx8C76LfOP5n71gICNmQqFCJC6e2dphjtU07XeWml1CjqC7JAHd_QeyJHNO2Jqxmw3hbNsQj8jEeLV8ICMZDRB1ADttb4hzRRRTh2yAmqft8rRX_fNKhm6_lc0aSlPHWxKBbtdsyxANppdBlLfovgjI0VsL3B0Z17qgb1Uo6cBq1s3xhT0or9oUU2KhND4WHIWnea7BeHMDcUjKl_GO0) ## Describe the solution you'd like Add a setting to disable TLS check. ## Describe alternatives you've considered * Consider having such setting a dangerous thing and use self-signed cert for reverse proxy anyway. * Do not terminate TLS on proxy level at all. ## Additional context Minio restricts encryption headers without TLS and does not configure it, see https://github.com/minio/minio/blob/9a39f8ad4d40b53dc4c73196e75570df23a01257/cmd/generic-handlers.go#L439
proxy-tls.svg
10 KiB
alexvanin added the
discussion
 label 2024-11-25 14:49:42 +00:00
r.loginov was assigned by alexvanin 2024-11-25 14:49:42 +00:00
dkirillov commented 2024-11-26 12:46:49 +00:00
Member
Copy link

Maybe we can disable TLS check if poxy will provide specific header.

Maybe we can disable TLS check if poxy will provide specific header.
alexvanin commented 2024-11-28 06:36:15 +00:00
Author
Owner
Copy link

Maybe we can disable TLS check if poxy will provide specific header.

Yes, that makes sense.

> Maybe we can disable TLS check if poxy will provide specific header. Yes, that makes sense.
alexvanin added this to the v0.32.0 milestone 2024-12-10 14:51:53 +00:00
alexvanin commented 2024-12-11 14:24:27 +00:00
Author
Owner
Copy link

I reopen this, because by default this feature is enabled as soon as client attaches proper HTTP header. It should be disabled by default. Consider having empty setting for this header. This should disable TLS check skip for SSE operations.

I reopen this, because by default this feature is enabled as soon as client attaches proper HTTP header. It should be disabled by default. Consider having empty setting for this header. This should disable TLS check skip for SSE operations.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
support/v0.32
support/v0.31
support/v0.30
support/v0.29
support/v0.28
support/v0.27
v0.32.10
v0.32.9
v0.32.8
v0.32.7
v0.32.6
v0.32.5
v0.32.4
v0.32.3
v0.32.2
v0.32.1
v0.33.0-pre
v0.32.0
v0.31.3
v0.31.2
v0.30.9
v0.31.1
v0.31.0
v0.31.0-rc.6
v0.31.0-rc.5
v0.31.0-rc.4
v0.30.8
v0.31.0-rc.3
v0.30.7
v0.31.0-rc.2
v0.31.0-rc.1
v0.30.6
v0.30.5
v0.30.4
v0.30.3
v0.30.2
v0.30.1
v0.30.0
v0.29.3
v0.30.0-rc.5
v0.29.2
v0.30.0-rc.4
v0.30.0-rc.3
v0.30.0-rc.2
v0.29.1
v0.30.0-rc.1
v0.29.0
v0.28.2
v0.29.0-rc.11
v0.29.0-rc.10
v0.29.0-rc.9
v0.29.0-rc.8
v0.29.0-rc.7
v0.29.0-rc.6
v0.29.0-rc.5
v0.29.0-rc.4
v0.29.0-rc.3
v0.29.0-rc.2
v0.29.0-rc.1
v0.28.1
v0.28.0
v0.28.0-rc.1
v0.27.0
v0.27.0-rc.2
v0.27.0-rc.1
Labels
Clear labels   
P0

Highest

  
P1

High

  
P2

Medium

  
P3

Low

  
good first issue

Good for newcomers

  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  
blocked

The issue or PR is blocked by something

  
bug

Something is not working

  
config

Configuration format update or breaking change

  
discussion

Talking about something in order to reach a decision or to exchange ideas

  
documentation

Documentation related

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
go

Language features adoption

  
help wanted

Extra attention is needed

  
internal

   
invalid

Something is wrong

  
kludge

This is a kludge and we know it

  
observability

Related to metrics, tracing and logs

  
perfomance

Perfomance related

  
question

More information is needed

  
refactoring

Refactoring

  
wontfix

This won't be fixed

No labels
P0
P1
P2
P3
good first issue
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No milestone
v0.32.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
r.loginov
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-s3-gw#562
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?