Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Running fleet telemetry behind a trusted proxy #171

Open
bramp opened this issue May 20, 2024 · 4 comments · May be fixed by #181
Open

Running fleet telemetry behind a trusted proxy #171

bramp opened this issue May 20, 2024 · 4 comments · May be fixed by #181

Comments

@bramp
Copy link

bramp commented May 20, 2024

I would like to run this software behind a HTTP proxy that would terminate the mTLS connections. Because the proxy terminates the connections, the fleet-telemetry server would not see the client cert. However, many proxies can forward the client certificate, or common name to the backend via HTTP headers, e.g SSL_CLIENT_CERT/SSL_CLIENT_S_DN for Apache.

Would you accept a patch, that adds a config to enable reading the cert, from the HTTP headers, instead of from the SSL connection? If so, I'd be happy to contribute. Reading from headers would be purely optional, and need to be enabled to avoid the security risk of letting clients providing unauthenticated certs.
@patrickdemers6
Copy link
Collaborator

@sethterashima care to comment from a security perspective?

@sethterashima
Copy link
Collaborator

sethterashima commented May 29, 2024
edited
Loading

@bramp @patrickdemers6 no objection on my end, but I'd ask that: (1) the setting should be off by default and (2) if the setting is on and the server does receive a matching TLS client certificate, the connection should be (noisily) rejected with a call to action to disable the setting in the server configuration. The second requirement will prevent a user from inadvertently copy+pasting a configuration that makes them silently insecure. (Of course the second requirement is moot if it only accepts non-TLS connections).

@bramp
Copy link
Author

bramp commented May 29, 2024

I think those are both fair requirements.

To clarify #2, 'matching TLS client certificate', matching meanings a valid Tesla client cert? Should we instead just reject all client certs?

@sethterashima
Copy link
Collaborator

If the connection is over a trusted network and the telemetry server is only listening for HTTP (not HTTPS), then client certs are a moot point.

If the telemetry server is still using HTTPS (I'll defer to you and @patrickdemers6 on how likely this would be in contexts where there's a proxy), then rejecting all connections that use a client certificate is fine by me; if someone comes along who wants the proxy to authenticate with with the telemetry server using mTLS, then they're welcome to put in a feature request or PR.

@virtualzone virtualzone linked a pull request Jun 19, 2024 that will close this issue
Open
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add ability to disable mTLS virtualzone/fleet-telemetry
3 participants
@bramp @sethterashima @patrickdemers6