Compare commits
1 Commits
efb8fd7589
...
25b1796ba2
| Author | SHA1 | Date | |
|---|---|---|---|
|
25b1796ba2 |
@ -1,83 +0,0 @@
|
|||||||
From 7d1bc439a07c51b5f4f37405b6b27a1990b8cb28 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon Pichugin <spichugi@redhat.com>
|
|
||||||
Date: Tue, 27 Feb 2024 16:30:47 -0800
|
|
||||||
Subject: [PATCH] Issue 3527 - Support HAProxy and Instance on the same machine
|
|
||||||
configuration (#6107)
|
|
||||||
|
|
||||||
Description: Improve how we handle HAProxy connections to work better when
|
|
||||||
the DS and HAProxy are on the same machine.
|
|
||||||
Ensure the client and header destination IPs are checked against the trusted IP list.
|
|
||||||
|
|
||||||
Additionally, this change will also allow configuration having
|
|
||||||
HAProxy is listening on a different subnet than the one used to forward the request.
|
|
||||||
|
|
||||||
Related: https://github.com/389ds/389-ds-base/issues/3527
|
|
||||||
|
|
||||||
Reviewed by: @progier389, @jchapma (Thanks!)
|
|
||||||
---
|
|
||||||
ldap/servers/slapd/connection.c | 35 +++++++++++++++++++++++++--------
|
|
||||||
1 file changed, 27 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
|
|
||||||
index d28a39bf7..10a8cc577 100644
|
|
||||||
--- a/ldap/servers/slapd/connection.c
|
|
||||||
+++ b/ldap/servers/slapd/connection.c
|
|
||||||
@@ -1187,6 +1187,8 @@ connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, int *
|
|
||||||
char str_ip[INET6_ADDRSTRLEN + 1] = {0};
|
|
||||||
char str_haproxy_ip[INET6_ADDRSTRLEN + 1] = {0};
|
|
||||||
char str_haproxy_destip[INET6_ADDRSTRLEN + 1] = {0};
|
|
||||||
+ int trusted_matches_ip_found = 0;
|
|
||||||
+ int trusted_matches_destip_found = 0;
|
|
||||||
struct berval **bvals = NULL;
|
|
||||||
int proxy_connection = 0;
|
|
||||||
|
|
||||||
@@ -1245,21 +1247,38 @@ connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, int *
|
|
||||||
normalize_IPv4(conn->cin_addr, buf_ip, sizeof(buf_ip), str_ip, sizeof(str_ip));
|
|
||||||
normalize_IPv4(&pr_netaddr_dest, buf_haproxy_destip, sizeof(buf_haproxy_destip),
|
|
||||||
str_haproxy_destip, sizeof(str_haproxy_destip));
|
|
||||||
+ size_t ip_len = strlen(buf_ip);
|
|
||||||
+ size_t destip_len = strlen(buf_haproxy_destip);
|
|
||||||
|
|
||||||
/* Now, reset RC and set it to 0 only if a match is found */
|
|
||||||
haproxy_rc = -1;
|
|
||||||
|
|
||||||
- /* Allow only:
|
|
||||||
- * Trusted IP == Original Client IP == HAProxy Header Destination IP */
|
|
||||||
+ /*
|
|
||||||
+ * We need to allow a configuration where DS instance and HAProxy are on the same machine.
|
|
||||||
+ * In this case, we need to check if
|
|
||||||
+ * the HAProxy client IP (which will be a loopback address) matches one of the the trusted IP addresses,
|
|
||||||
+ * while still checking that
|
|
||||||
+ * the HAProxy header destination IP address matches one of the trusted IP addresses.
|
|
||||||
+ * Additionally, this change will also allow configuration having
|
|
||||||
+ * HAProxy listening on a different subnet than one used to forward the request.
|
|
||||||
+ */
|
|
||||||
for (size_t i = 0; bvals[i] != NULL; ++i) {
|
|
||||||
- if ((strlen(bvals[i]->bv_val) == strlen(buf_ip)) &&
|
|
||||||
- (strlen(bvals[i]->bv_val) == strlen(buf_haproxy_destip)) &&
|
|
||||||
- (strncasecmp(bvals[i]->bv_val, buf_ip, strlen(buf_ip)) == 0) &&
|
|
||||||
- (strncasecmp(bvals[i]->bv_val, buf_haproxy_destip, strlen(buf_haproxy_destip)) == 0)) {
|
|
||||||
- haproxy_rc = 0;
|
|
||||||
- break;
|
|
||||||
+ size_t bval_len = strlen(bvals[i]->bv_val);
|
|
||||||
+
|
|
||||||
+ /* Check if the Client IP (HAProxy's machine IP) address matches the trusted IP address */
|
|
||||||
+ if (!trusted_matches_ip_found) {
|
|
||||||
+ trusted_matches_ip_found = (bval_len == ip_len) && (strncasecmp(bvals[i]->bv_val, buf_ip, ip_len) == 0);
|
|
||||||
+ }
|
|
||||||
+ /* Check if the HAProxy header destination IP address matches the trusted IP address */
|
|
||||||
+ if (!trusted_matches_destip_found) {
|
|
||||||
+ trusted_matches_destip_found = (bval_len == destip_len) && (strncasecmp(bvals[i]->bv_val, buf_haproxy_destip, destip_len) == 0);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (trusted_matches_ip_found && trusted_matches_destip_found) {
|
|
||||||
+ haproxy_rc = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (haproxy_rc == -1) {
|
|
||||||
slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", "HAProxy header received from unknown source.\n");
|
|
||||||
disconnect_server_nomutex(conn, conn->c_connid, -1, SLAPD_DISCONNECT_PROXY_UNKNOWN, EPROTO);
|
|
||||||
--
|
|
||||||
2.43.0
|
|
||||||
|
|
||||||
@ -48,7 +48,7 @@ ExcludeArch: i686
|
|||||||
Summary: 389 Directory Server (base)
|
Summary: 389 Directory Server (base)
|
||||||
Name: 389-ds-base
|
Name: 389-ds-base
|
||||||
Version: 1.4.3.39
|
Version: 1.4.3.39
|
||||||
Release: %{?relprefix}3%{?prerel}%{?dist}
|
Release: %{?relprefix}2%{?prerel}%{?dist}
|
||||||
License: GPLv3+ and (ASL 2.0 or MIT)
|
License: GPLv3+ and (ASL 2.0 or MIT)
|
||||||
URL: https://www.port389.org
|
URL: https://www.port389.org
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -297,7 +297,6 @@ Patch01: 0001-issue-5647-covscan-memory-leak-in-audit-log-when-add.patc
|
|||||||
Patch02: 0002-Issue-5647-Fix-unused-variable-warning-from-previous.patch
|
Patch02: 0002-Issue-5647-Fix-unused-variable-warning-from-previous.patch
|
||||||
Patch03: 0003-Issue-5407-sync_repl-crashes-if-enabled-while-dynami.patch
|
Patch03: 0003-Issue-5407-sync_repl-crashes-if-enabled-while-dynami.patch
|
||||||
Patch04: 0004-Issue-5547-automember-plugin-improvements.patch
|
Patch04: 0004-Issue-5547-automember-plugin-improvements.patch
|
||||||
Patch05: 0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
389 Directory Server is an LDAPv3 compliant server. The base package includes
|
389 Directory Server is an LDAPv3 compliant server. The base package includes
|
||||||
@ -919,10 +918,6 @@ exit 0
|
|||||||
%doc README.md
|
%doc README.md
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Mar 14 2024 Simon Pichugin <spichugi@redhat.com> - 1.4.3.39-3
|
|
||||||
- Bump version to 1.4.3.39-3
|
|
||||||
- Resolves: RHEL-19240 - RFE Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix
|
|
||||||
|
|
||||||
* Mon Feb 05 2024 Thierry Bordaz <tbordaz@redhat.com> - 1.4.3.39-2
|
* Mon Feb 05 2024 Thierry Bordaz <tbordaz@redhat.com> - 1.4.3.39-2
|
||||||
- Bump version to 1.4.3.39-2
|
- Bump version to 1.4.3.39-2
|
||||||
- Resolves: RHEL-23209 - CVE-2024-1062 389-ds:1.4/389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)
|
- Resolves: RHEL-23209 - CVE-2024-1062 389-ds:1.4/389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user