DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/examples/auth/client-certs/haproxy/README.md
Joao Morais 9d807a843d Remove pre-release messages
2017-04-02 09:50:52 -03:00

181 lines
6.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# HAProxy Ingress Client Certificate Authentication
This example demonstrates how to configure client certificate
authentication on HAProxy Ingress controller.
## Prerequisites
This document has the following prerequisites:
* Deploy [HAProxy Ingress](/examples/deployment/haproxy) controller, you should
end up with controller, a sample web app and an ingress resource named `app` to
the `foo.bar` domain
* Configure [TLS termination](/examples/tls-termination/haproxy)
* Create a [CA, certificate and private key](/examples/PREREQUISITES.md#ca-authentication),
following these steps you should have a secret named `caingress`, a certificate file
`client.crt` and it's private key `client.key`
* Use these same steps and create another CA and generate another certificate and private
key `fake.crt` and `fake.key` just for testing
As mentioned in the deployment instructions, you MUST turn down any existing
ingress controllers before running HAProxy Ingress.
Secret, certificates and keys can be created using these shortcuts:
CA and it's secret:
```console
$ openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example-ca' -keyout ca.key -out ca.crt
$ kubectl create secret generic caingress --from-file=ca.crt
```
Valid certificate and private key:
```console
$ openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client' -keyout client.key | \
openssl x509 -req -CA ca.crt -CAkey ca.key -set_serial 1 -out client.crt
```
Another CA, certificate and private key that should be refused by ingress:
```console
$ openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example-ca' -keyout ca-fake.key -out ca-fake.crt
$ openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client' -keyout fake.key | \
openssl x509 -req -CA ca-fake.crt -CAkey ca-fake.key -set_serial 1 -out fake.crt
```
## Using Client Certificate Authentication
HAProxy Ingress read one or a bundle of certificate authorities from a secret.
Only client certificates signed by one of these certificate authorities should be
allowed to make requests.
Annotate the ingress resource to use our valid certificate authority. The ingress resource and the
secret `caingress` were created on the prerequisites.
```console
$ kubectl annotate ingress/app ingress.kubernetes.io/auth-tls-secret=default/caingress
```
Make some SSL requests against domain `foo.bar`. Change `31692:172.17.4.99` below to the IP and
port of HAProxy Ingress controller.
Note: `curl`'s `--cert` and `-k` options on macOS (since 10.9 Mavericks) doesn't work as
expected, see troubleshooting below if using macOS.
Connect without a certificate:
```console
$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99'
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
```
Connect using the correct certificate and private key:
```console
$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99' --cert client.crt --key client.key
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Fri, 26 Mar 2017 13:41:26 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=15768000
CLIENT VALUES:
...
```
Now connect using a private key and certificate signed by another CA:
```console
$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99' --cert fake.crt --key fake.key
curl: (35) error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
```
## Troubleshooting
`curl` on macOS since 10.9 Mavericks has some issues regarding certificate on command line
parameters:
* [sni](https://en.wikipedia.org/wiki/Server_Name_Indication) TLS extension isn't used
if `-k` (unsecure connection) is provided. The sni extension is used by HAProxy to identify
the host of the request. Without sni, the default backend will be used. The TLS
certificate should be added to Keychain instead and `-k` should be avoided.
* `--cert` option is broken.
These issues and it's workarounds are described on
[this message](https://curl.haxx.se/mail/archive-2013-10/0036.html) from curl mailing list.
In short, in order to test client auth use a Linux VM or the options below on macOS.
### Using wget
Add `foo.bar` to `/etc/hosts` and change `31692` below to the
port of HAProxy Ingress controller:
```console
$ wget https://foo.bar:31692 -S -nv -O- --no-check-certificate
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Unable to establish SSL connection.
```
Now with certificate and private key:
```console
$ wget https://foo.bar:31692 -S -nv -O- --no-check-certificate --certificate client.crt --private-key client.key
WARNING: cannot verify foo.bar's certificate, issued by /CN=foo.bar:
Self-signed certificate encountered.
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Sun, 26 Mar 2017 13:57:53 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=15768000
CLIENT VALUES:
```
### Using openssl
Change `31692` below to the port of HAProxy Ingress controller:
```console
$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
CONNECTED(00000003)
depth=0 /CN=foo.bar
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=foo.bar
verify return:1
91929:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL alert number 40
91929:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:
```
Now with certificate and private key - copy these two lines to the clipboard
(HAProxy will timeout after 5 seconds waiting a http request):
```
GET / HTTP/1.0
Host: foo.bar
```
Type the command below, paste the http request (two lines above) and send a blank line
pressing enter twice:
```console
$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar -cert client.crt -key client.key
...
---
GET / HTTP/1.0
Host: foo.bar
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Sun, 26 Mar 2017 14:06:30 GMT
Content-Type: text/plain
Content-Length: 268
Connection: close
Strict-Transport-Security: max-age=15768000
CLIENT VALUES:
...
```
Reference in a new issue View git blame Copy permalink