From 202f35e73531ea2c3424217e993481ba221d4db9 Mon Sep 17 00:00:00 2001
From: Simon Pichugin
Date: Tue, 27 Feb 2024 18:15:03 -0800
Subject: [PATCH] Bump version to 1.4.3.39-3
Resolves: RHEL-19240 - RFE Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix
---
 ...rt-HAProxy-and-Instance-on-the-same-.patch | 83 +++++++++++++++++++
 389-ds-base.spec | 7 +-
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
diff --git a/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch b/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
new file mode 100644
index 0000000..40dba66
--- /dev/null
+++ b/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
@@ -0,0 +1,83 @@
+From 7d1bc439a07c51b5f4f37405b6b27a1990b8cb28 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin
+Date: Tue, 27 Feb 2024 16:30:47 -0800
+Subject: [PATCH] Issue 3527 - Support HAProxy and Instance on the same machine
+ configuration (#6107)
+
+Description: Improve how we handle HAProxy connections to work better when
+the DS and HAProxy are on the same machine.
+Ensure the client and header destination IPs are checked against the trusted IP list.
+
+Additionally, this change will also allow configuration having
+HAProxy is listening on a different subnet than the one used to forward the request.
+
+Related: https://github.com/389ds/389-ds-base/issues/3527
+
+Reviewed by: @progier389, @jchapma (Thanks!)
+---
+ ldap/servers/slapd/connection.c | 35 +++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
+index d28a39bf7..10a8cc577 100644
+--- a/ldap/servers/slapd/connection.c
++++ b/ldap/servers/slapd/connection.c
+@@ -1187,6 +1187,8 @@ connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, int *
+ char str_ip[INET6_ADDRSTRLEN + 1] = {0};
+ char str_haproxy_ip[INET6_ADDRSTRLEN + 1] = {0};
+ char str_haproxy_destip[INET6_ADDRSTRLEN + 1] = {0};
++ int trusted_matches_ip_found = 0;
++ int trusted_matches_destip_found = 0;
+ struct berval **bvals = NULL;
+ int proxy_connection = 0;
+
+@@ -1245,21 +1247,38 @@ connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, int *
+ normalize_IPv4(conn->cin_addr, buf_ip, sizeof(buf_ip), str_ip, sizeof(str_ip));
+ normalize_IPv4(&pr_netaddr_dest, buf_haproxy_destip, sizeof(buf_haproxy_destip),
+ str_haproxy_destip, sizeof(str_haproxy_destip));
++ size_t ip_len = strlen(buf_ip);
++ size_t destip_len = strlen(buf_haproxy_destip);
+
+ /* Now, reset RC and set it to 0 only if a match is found */
+ haproxy_rc = -1;
+
+- /* Allow only:
+- * Trusted IP == Original Client IP == 
HAProxy Header Destination IP */
++ /*
++ * We need to allow a configuration where DS instance and HAProxy are on the same machine.
++ * In this case, we need to check if
++ * the HAProxy client IP (which will be a loopback address) matches one of the the trusted IP addresses,
++ * while still checking that
++ * the HAProxy header destination IP address matches one of the trusted IP addresses.
++ * Additionally, this change will also allow configuration having
++ * HAProxy listening on a different subnet than one used to forward the request.
++ */
+ for (size_t i = 0; bvals[i] != NULL; ++i) {
+- if ((strlen(bvals[i]->bv_val) == strlen(buf_ip)) &&
+- (strlen(bvals[i]->bv_val) == strlen(buf_haproxy_destip)) &&
+- (strncasecmp(bvals[i]->bv_val, buf_ip, strlen(buf_ip)) == 0) &&
+- (strncasecmp(bvals[i]->bv_val, buf_haproxy_destip, strlen(buf_haproxy_destip)) == 0)) {
+- haproxy_rc = 0;
+- break;
++ size_t bval_len = strlen(bvals[i]->bv_val);
++
++ /* Check if the Client IP (HAProxy's machine IP) address matches the trusted IP address */
++ if (!trusted_matches_ip_found) {
++ trusted_matches_ip_found = (bval_len == ip_len) && (strncasecmp(bvals[i]->bv_val, buf_ip, ip_len) == 0);
++ }
++ /* Check if the HAProxy header destination IP address matches the trusted IP address */
++ if (!trusted_matches_destip_found) {
++ trusted_matches_destip_found = (bval_len == destip_len) && (strncasecmp(bvals[i]->bv_val, buf_haproxy_destip, destip_len) == 0);
+ }
+ }
++
++ if (trusted_matches_ip_found && trusted_matches_destip_found) {
++ haproxy_rc = 0;
++ }
++
+ if (haproxy_rc == -1) {
+ slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", "HAProxy header received from unknown source.\n");
+ disconnect_server_nomutex(conn, conn->c_connid, -1, SLAPD_DISCONNECT_PROXY_UNKNOWN, EPROTO);
+-- 
+2.43.0
+
diff --git a/389-ds-base.spec b/389-ds-base.spec
index 83f9851..903fcf4 100644
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
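Review bot: The rewritten loop in the embedded connection.c hunk accepts the PROXY header when the client IP and the header destination IP each match some trusted entry, not necessarily the same entry, so once a loopback address is placed on the trusted list every local client of the instance, not only HAProxy, is presumably accepted as a proxy source; that consequence is not stated in the new comment and should be, e.g. `/* NOTE: the two matches are independent: a loopback entry on the trusted list trusts every local client as a PROXY source. */`. The `break` the removed code had is gone although both flags are sticky; `if (trusted_matches_ip_found && trusted_matches_destip_found) { break; }` at the end of the loop body restores the early exit. The existing comment also reads "one of the the trusted IP addresses". connection_read_operation starts and ends outside the hunk, and the hunk is an upstream patch vendored by the spec, so any change belongs upstream first.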
@@ -48,7 +48,7 @@ ExcludeArch: i686
 Summary: 389 Directory Server (base)
 Name: 389-ds-base
 Version: 1.4.3.39
-Release: %{?relprefix}2%{?prerel}%{?dist}
+Release: %{?relprefix}3%{?prerel}%{?dist}
 License: GPLv3+ and (ASL 2.0 or MIT)
 URL: https://www.port389.org
 Group: System Environment/Daemons
@@ -297,6 +297,7 @@ Patch01: 0001-issue-5647-covscan-memory-leak-in-audit-log-when-add.patc
 Patch02: 0002-Issue-5647-Fix-unused-variable-warning-from-previous.patch
 Patch03: 0003-Issue-5407-sync_repl-crashes-if-enabled-while-dynami.patch
 Patch04: 0004-Issue-5547-automember-plugin-improvements.patch
+Patch05: 0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch

 %description
 389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -918,6 +919,10 @@ exit 0
 %doc README.md

 %changelog
+* Thu Mar 14 2024 Simon Pichugin - 1.4.3.39-3
+- Bump version to 1.4.3.39-3
+- Resolves: RHEL-19240 - RFE Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix
+
 * Mon Feb 05 2024 Thierry Bordaz - 1.4.3.39-2
 - Bump version to 1.4.3.39-2
 - Resolves: RHEL-23209 - CVE-2024-1062 389-ds:1.4/389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)