Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-3085

Support external TLS offloaders in MaxGUI

    XMLWordPrintable

Details

    • New Feature
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 2.5.0
    • N/A
    • N/A

    Description

      Modern network infrastructures often implement centralised TLS offloaders (which operate as reverse proxies) for web-based services (eg., to facilitate centralised certificate management). These reverse proxies typically inform the server of the original client protocol using the X-Forwarded-Proto HTTP header, which may have the value of "http" or "https".

      Currently, when MaxScale has no certificate configured, it only prints a short message over HTTP saying it needs HTTPS. The following is required to properly support TLS offloaders:

      • When running without a certificate, MaxScale should check the presence of X-Forwarded-Proto HTTP header. If it is present and its value is "https", MaxScale should consider the client connection to be secure and should load the full GUI.
      • To ensure only a trusted TLS offloader is allowed to set this header, MaxScale may implement a new configuration parameter with a name like "admin_trusted_proxy", which should take a (comma-separated) list of IP addresses, possibly in CIDR notation.

      In addition to the mentioned header, a TLS offloader would usually also send the X-Forwarded-For HTTP header, containing the IP address of the actual client; this may be used to support TLS offloaders in a possible implementation of server-side ACL for using the MaxGUI.

      Attachments

        Activity

          People

            thien.ly Thien Ly
            assen.totin Assen Totin (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.