Details
Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Version: 2.5.0
Description
Modern network infrastructures often place centralised TLS offloaders (operating as reverse proxies) in front of web-based services, e.g. to facilitate centralised certificate management. These reverse proxies typically inform the backend server of the protocol the original client used via the X-Forwarded-Proto HTTP header, whose value is "http" or "https".
Currently, when MaxScale has no certificate configured, it only serves a short message over HTTP saying that HTTPS is required. The following is required to properly support TLS offloaders:
- When running without a certificate, MaxScale should check for the presence of the X-Forwarded-Proto HTTP header. If it is present and its value is "https", MaxScale should consider the client connection to be secure and should load the full GUI.
- Because any client can send this header itself, MaxScale should honour it only when the request arrives from a trusted TLS offloader. MaxScale may implement a new configuration parameter with a name like "admin_trusted_proxy", which should take a comma-separated list of IP addresses, possibly in CIDR notation; the header should be ignored when the connecting peer is not in that list.
In addition to the header mentioned above, a TLS offloader would usually also send the X-Forwarded-For HTTP header, containing the IP address of the actual client. This may be used to support TLS offloaders in a possible implementation of a server-side ACL for MaxGUI; it should likewise be trusted only when it comes from a listed proxy, since otherwise a client could spoof its own address.
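The decision logic described above (honour X-Forwarded-Proto only from a trusted proxy, parse the proposed admin_trusted_proxy list including CIDR ranges, and derive the real client address from X-Forwarded-For for an ACL), written out as an added stand-alone Python illustration. This is not MaxScale's own code (MaxScale is written in C++); the function names, the listener_has_tls flag and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the example. Only the parameter name admin_trusted_proxy comes from the proposal above.

```python
import ipaddress
from typing import List, Mapping, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted_proxies(value: str) -> List[Network]:
    """Parse a comma-separated list of IPs / CIDR ranges in the proposed
    admin_trusted_proxy format. A bare address becomes a /32 (or /128)."""
    nets: List[Network] = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_trusted_proxy(peer_ip: str, trusted: List[Network]) -> bool:
    """True if the TCP peer that delivered the request is a listed proxy.
    An unparsable address is never trusted."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def connection_is_secure(peer_ip: str, headers: Mapping[str, str],
                         trusted: List[Network],
                         listener_has_tls: bool = False) -> bool:
    """Decide whether the client's leg of the connection is encrypted.

    If the listener terminates TLS itself (hypothetical flag) the answer is
    yes. Otherwise X-Forwarded-Proto is consulted only when the request came
    from a trusted proxy; from anyone else the header is attacker-controlled."""
    if listener_has_tls:
        return True
    if not is_trusted_proxy(peer_ip, trusted):
        return False
    proto = _header(headers, "X-Forwarded-Proto")
    if proto is None:
        return False
    # With chained proxies the value may be a list; the first element is the
    # scheme seen by the outermost proxy, i.e. what the real client used.
    return proto.split(",")[0].strip().lower() == "https"


def client_address(peer_ip: str, headers: Mapping[str, str],
                   trusted: List[Network]) -> Optional[str]:
    """Determine the real client IP for ACL purposes.

    If the peer is not a trusted proxy, X-Forwarded-For is ignored and the
    peer itself is the client. Otherwise the header is walked right to left,
    dropping trusted proxies; the first untrusted hop is the client. Anything
    left of that is client-supplied and may be spoofed. An unparsable hop
    yields None so that an ACL caller fails closed."""
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    xff = _header(headers, "X-Forwarded-For")
    if xff is None:
        return peer_ip  # trusted proxy that added nothing: treat it as the client
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not is_trusted_proxy(hop, trusted):
            return hop
    # Every hop was a trusted proxy; the leftmost one is the best answer.
    return hops[0] if hops else peer_ip


if __name__ == "__main__":
    # Constructed sample: offloader subnet plus one extra proxy address.
    trusted = parse_trusted_proxies("10.0.0.0/24, 192.168.1.5")
    hdrs = {"X-Forwarded-Proto": "https",
            "X-Forwarded-For": "203.0.113.9, 10.0.0.3"}
    print(connection_is_secure("10.0.0.7", hdrs, trusted))   # from a trusted proxy
    print(connection_is_secure("198.51.100.4", hdrs, trusted))  # direct client, ignored
    print(client_address("10.0.0.7", hdrs, trusted))
```

Two choices worth noting: a bare IP in the list is widened to a single-host network so that CIDR and plain addresses share one code path, and the X-Forwarded-For walk starts from the right because only the hops appended by trusted proxies are verifiable; whatever a client pre-filled on the left is ignored.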