  1. MariaDB MaxScale
  2. MXS-3085

Support external TLS offloaders in MaxGUI

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5.0
    • Fix Version/s: N/A
    • Component/s: N/A
    • Labels:

      Description

      Modern network infrastructures often implement centralised TLS offloaders (which operate as reverse proxies) for web-based services (e.g., to facilitate centralised certificate management). These reverse proxies typically inform the server of the original client protocol using the X-Forwarded-Proto HTTP header, which may have the value of "http" or "https".

      Currently, when MaxScale has no certificate configured, it only prints a short message over HTTP saying it needs HTTPS. The following is required to properly support TLS offloaders:

      • When running without a certificate, MaxScale should check for the presence of the X-Forwarded-Proto HTTP header. If it is present and its value is "https", MaxScale should consider the client connection to be secure and should load the full GUI.
      • To ensure only a trusted TLS offloader is allowed to set this header, MaxScale may implement a new configuration parameter with a name like "admin_trusted_proxy", which should take a (comma-separated) list of IP addresses, possibly in CIDR notation.

      In addition to the mentioned header, a TLS offloader would usually also send the X-Forwarded-For HTTP header, containing the IP address of the actual client; this may be used to support TLS offloaders in a possible implementation of server-side ACL for using the MaxGUI.
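
The decision logic this request describes, as an added Python sketch (not MaxScale code and not part of the original report). `admin_trusted_proxy` is only the parameter name the report proposes; the function names are hypothetical, the sample addresses are constructed, and a single offloader hop is assumed.

```python
import ipaddress

def parse_trusted_proxies(value):
    """Parse a comma-separated list of IPs or CIDR blocks (proposed admin_trusted_proxy format)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]

def peer_is_trusted(peer_ip, trusted):
    """True if the TCP peer address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:a.b.c.d on dual-stack sockets
        addr = addr.ipv4_mapped
    return any(addr in net for net in trusted)

def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, val in headers.items():
        if key.lower() == name:
            return val.strip()
    return ""

def connection_is_secure(peer_ip, headers, trusted, has_certificate=False):
    """Decide whether the full GUI may be served."""
    if has_certificate:
        return True                      # the server terminates TLS itself
    if not peer_is_trusted(peer_ip, trusted):
        return False                     # header from an untrusted peer is ignored
    # Exact match only: "http", an empty value or a list such as "https, http" fails closed.
    return _header(headers, "x-forwarded-proto").lower() == "https"

def effective_client_ip(peer_ip, headers, trusted):
    """Address to use for a server-side ACL."""
    xff = _header(headers, "x-forwarded-for")
    if not xff or not peer_is_trusted(peer_ip, trusted):
        return peer_ip                   # never believe X-Forwarded-For from an untrusted peer
    # Assumption: a single offloader hop, so the rightmost entry is the one it appended;
    # entries to the left were supplied by the client and can be spoofed.
    return xff.split(",")[-1].strip()

# Constructed sample value for the proposed parameter
TRUSTED = parse_trusted_proxies("10.0.0.5, 192.168.10.0/24, fd00::/8")
```
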

            People

            Assignee:
            thien.ly Duong Thien Ly
            Reporter:
            assen.totin Assen Totin