[MXS-3085] Support external TLS offloaders in MaxGUI Created: 2020-07-21  Updated: 2020-08-26  Resolved: 2020-08-26

Status: Closed
Project: MariaDB MaxScale
Component/s: N/A
Affects Version/s: 2.5.0
Fix Version/s: N/A

Type: New Feature Priority: Major
Reporter: Assen Totin (Inactive) Assignee: Duong Thien Ly
Resolution: Fixed Votes: 0
Labels: GUI


 Description   

Modern network infrastructures often implement centralised TLS offloaders (which operate as reverse proxies) for web-based services (e.g., to facilitate centralised certificate management). These reverse proxies typically inform the server of the original client protocol using the X-Forwarded-Proto HTTP header, which may have the value of "http" or "https".

Currently, when MaxScale has no certificate configured, it only prints a short message over HTTP saying it needs HTTPS. The following is required to properly support TLS offloaders:

  • When running without a certificate, MaxScale should check the presence of X-Forwarded-Proto HTTP header. If it is present and its value is "https", MaxScale should consider the client connection to be secure and should load the full GUI.
  • To ensure only a trusted TLS offloader is allowed to set this header, MaxScale may implement a new configuration parameter with a name like "admin_trusted_proxy", which should take a (comma-separated) list of IP addresses, possibly in CIDR notation.

In addition to the mentioned header, a TLS offloader would usually also send the X-Forwarded-For HTTP header, containing the IP address of the actual client; this may be used to support TLS offloaders in a possible implementation of server-side ACL for using the MaxGUI.
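
The trusted-proxy check from the two bullets above, together with the X-Forwarded-For handling, as an added C++ example that is not MaxScale's code. `admin_trusted_proxy` is the hypothetical parameter name from the ticket, and the `Headers` map with lower-cased names is an assumption standing in for whatever the REST API's HTTP layer provides; the addresses in the comments are constructed.

```cpp
// Added example, not MaxScale code: honour X-Forwarded-Proto / X-Forwarded-For only
// from offloaders listed in the hypothetical admin_trusted_proxy setting.
#include <arpa/inet.h>
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

struct Addr { std::vector<uint8_t> bytes; };        // 4 or 16 bytes; empty = unparsable
struct Cidr { Addr net; int prefix = 0; };
using Headers = std::map<std::string, std::string>;  // assumption: header names lower-cased

static std::string trim(const std::string& s) {
    auto b = s.find_first_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(" \t") - b + 1);
}
static std::vector<std::string> split(const std::string& s, char sep) {
    std::vector<std::string> out(1);
    for (char c : s) { if (c == sep) out.emplace_back(); else out.back() += c; }
    return out;
}
static Addr parse_addr(const std::string& s) {
    Addr a; unsigned char buf[16];
    if (inet_pton(AF_INET, s.c_str(), buf) == 1)       a.bytes.assign(buf, buf + 4);
    else if (inet_pton(AF_INET6, s.c_str(), buf) == 1) a.bytes.assign(buf, buf + 16);
    return a;
}

// Accepts "10.0.0.0/8", "fd00::/8" or a bare address (an exact /32 or /128 match).
static bool parse_cidr(const std::string& s, Cidr& out) {
    auto slash = s.find('/');
    out.net = parse_addr(s.substr(0, slash));
    if (out.net.bytes.empty()) return false;
    int maxbits = static_cast<int>(out.net.bytes.size() * 8);
    if (slash == std::string::npos) { out.prefix = maxbits; return true; }
    std::string p = s.substr(slash + 1);
    if (p.empty() || p.size() > 3 ||
        !std::all_of(p.begin(), p.end(), [](unsigned char c) { return std::isdigit(c); })) return false;
    out.prefix = std::stoi(p);
    return out.prefix <= maxbits;
}
static bool cidr_contains(const Cidr& c, const Addr& a) {
    if (a.bytes.empty() || a.bytes.size() != c.net.bytes.size()) return false;  // family must match
    int bits = c.prefix;
    for (size_t i = 0; i < a.bytes.size() && bits > 0; ++i, bits -= 8) {
        uint8_t mask = bits >= 8 ? 0xff : static_cast<uint8_t>(0xff << (8 - bits));
        if ((a.bytes[i] & mask) != (c.net.bytes[i] & mask)) return false;
    }
    return true;
}

class TrustedProxies {
public:
    explicit TrustedProxies(const std::string& setting) {   // comma-separated list
        for (const auto& item : split(setting, ',')) {
            std::string e = trim(item);
            if (e.empty()) continue;
            Cidr c;
            if (parse_cidr(e, c)) nets_.push_back(c); else valid_ = false;  // reject bad config
        }
    }
    bool valid() const { return valid_; }
    bool contains(const std::string& ip) const {
        Addr a = parse_addr(ip);
        for (const auto& c : nets_) if (cidr_contains(c, a)) return true;
        return false;
    }
private:
    std::vector<Cidr> nets_;
    bool valid_ = true;
};

// TLS on our own listener always wins. Otherwise X-Forwarded-Proto counts only when the
// TCP peer is a trusted offloader, so a direct client cannot "upgrade" plain HTTP itself.
bool request_is_secure(bool socket_tls, const std::string& peer_ip,
                       const Headers& h, const TrustedProxies& proxies) {
    if (socket_tls) return true;
    if (!proxies.contains(peer_ip)) return false;
    auto it = h.find("x-forwarded-proto");
    if (it == h.end()) return false;
    std::string v = trim(split(it->second, ',')[0]);   // first entry = scheme the client used
    std::transform(v.begin(), v.end(), v.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return v == "https";
}

// Client address for a GUI ACL: walk X-Forwarded-For right to left and stop at the first
// hop that is not a trusted proxy. Returns "" for an unparsable hop so an ACL fails closed.
std::string client_ip(const std::string& peer_ip, const Headers& h, const TrustedProxies& proxies) {
    if (!proxies.contains(peer_ip)) return peer_ip;      // header from untrusted peer: ignore it
    auto it = h.find("x-forwarded-for");
    if (it == h.end()) return peer_ip;
    auto hops = split(it->second, ',');
    for (auto r = hops.rbegin(); r != hops.rend(); ++r) {
        std::string hop = trim(*r);
        if (!proxies.contains(hop)) return parse_addr(hop).bytes.empty() ? "" : hop;
    }
    return trim(hops.front());   // every hop is a trusted proxy: the outermost one is the client
}
```

An empty or absent `admin_trusted_proxy` yields an empty list, so both headers are ignored and the existing behaviour (TLS required on the socket) is kept. One caveat for a dual-stack listener: a peer reported as an IPv4-mapped IPv6 address (`::ffff:10.1.1.1`) will not match an IPv4 rule in this example and would have to be normalised first.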



 Comments   
Comment by markus makela [ 2020-07-21 ]

admin_secure_gui=false can be used to disable the TLS requirement for the GUI. Could this work in the short term for cases where a proxy is doing the TLS verification?

Comment by markus makela [ 2020-07-22 ]

Apart from the client host authentication (which currently doesn't exist) I think it will work even currently as long as admin_secure_gui=false is configured.

The various relative links given by the REST API might have to be modified to support this. This is where the X-Forwarded-Proto header could be used.

Comment by Assen Totin (Inactive) [ 2020-07-22 ]

There is something broken here:

Jul 22 10:20:47 mariadb-59f24c1f-1012-0.xentio.lan maxscale[9271]: Unknown global parameter 'admin_secure_gui'.

[root@mariadb-59f24c1f-1012-0 ~]# rpm -q maxscale
maxscale-2.5.0-1.centos.7.x86_64

Comment by Duong Thien Ly [ 2020-07-22 ]

I believe 'admin_secure_gui' is only available from MaxScale 2.5.1 upward

Comment by Assen Totin (Inactive) [ 2020-07-22 ]

Adding features to a released mainline is quite a bad habit - and much in discord with our claims to be "enterprise".

Generated at Thu Feb 08 04:18:50 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.