[release-4.17] OCPBUGS-86714: Strip X-SSL-* headers for plain HTTP#804
[release-4.17] OCPBUGS-86714: Strip X-SSL-* headers for plain HTTP#804MrSanketkumar wants to merge 1 commit into
Conversation
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86714, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
WalkthroughThe HAProxy configuration template adds conditional ChangesmTLS Header Spoof Prevention
Estimated code review effort🎯 2 (Simple) | ⏱️ ~5 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
images/router/haproxy/conf/haproxy-config.template (1)
244-260: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsolidate the repeated
X-SSL*deletions. Replace the 12 explicitdel-headerlines in each frontend withhttp-request del-header X-SSL -m begto keep the behavior the same while removing the duplicated allowlist.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/router/haproxy/conf/haproxy-config.template` around lines 244 - 260, Consolidate the repeated X-SSL header removals in the HAProxy template: the current block in haproxy-config.template uses many explicit http-request del-header directives for each X-SSL-* variant, but it should be replaced with a single prefix-based delete so the behavior stays the same while removing the duplicated allowlist. Update the header-filter block guarded by ROUTER_MUTUAL_TLS_HEADER_FILTER in the template to use the broader X-SSL match, and keep the surrounding conditional and comment intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@images/router/haproxy/conf/haproxy-config.template`:
- Around line 244-260: Consolidate the repeated X-SSL header removals in the
HAProxy template: the current block in haproxy-config.template uses many
explicit http-request del-header directives for each X-SSL-* variant, but it
should be replaced with a single prefix-based delete so the behavior stays the
same while removing the duplicated allowlist. Update the header-filter block
guarded by ROUTER_MUTUAL_TLS_HEADER_FILTER in the template to use the broader
X-SSL match, and keep the surrounding conditional and comment intact.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 75f46c42-ddb5-465b-967a-0c9d975be79b
📒 Files selected for processing (1)
images/router/haproxy/conf/haproxy-config.template
|
/test e2e-aws-serial |
|
@MrSanketkumar: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
I’ve created a cluster using the PR that includes the merged fix from PR #804. The corresponding ClusterVersion is: 4.17.0-0-2026-06-30-072506-test-ci-ln-3gbws4k-latest After inspecting one of the pods, I confirmed that the latest changes from the PR are present in the Router , SNI and NO SNI code paths, Therefore succesfully indicating that the fix has been successfully deployed These are the same changes that were introduced in #804 # Strip off X-SSL* headers for plain HTTP if not explicitly disabled. /Verified by ci |
|
@UdayYendva: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection
Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.
Changes:
Backport : #800
Summary by CodeRabbit