Support PROXY protocol #799
Comments
|
For context, we discussed |
|
Perhaps, as with #291 (X-Forwarded-For), trust could be extended to proxies in an IP whitelist. |
|
(Moved from a reply on #291) @mfischer-zd it doesn't fix the spoofing problem if the load balancer is not configured to strip existing X-Forwarded-For headers or, in this case, PROXY info. Although at some point you have to put the onus on the user to handle such things. I think an IP whitelist is a reasonable approach. I'd be interested in the PR in #291 being resurrected with a configurable IP whitelist, support for X-Forwarded-For and PROXY, and if not yet support for https://tools.ietf.org/html/rfc7239, at least the codebase being friendly to later inclusion of it. |
|
I'd like to add a vote for this. AWS ELBs are PCI compliant, but only if you don't terminate SSL at the ELB. The only way to have a usable audit trail when using an ELB in a PCI environment is to support the PROXY protocol and terminate SSL at the Vault instance. http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html |
|
There should be a big warning in the documentation that App-ID auth is totally unusable behind a load balancer/proxy because of this issue. Or at least App-ID with source address restrictions. In other words, HA setup via LB/proxy (the common case) and App-ID authentication with source address restrictions (also fairly common) are incompatible. |
|
I'd also vote for this. Let's also keep in mind that the implications are vastly different for auth vs logging. I think there would still be value in adding the X-Forwarded-For to the log as a separate field... |
|
I was just giving this a bit of thought... I'm not sure how much it would complicate the implementation, but it seems like the most flexible would be if this could be enabled on a per-listener basis. For those who wish to allow both proxy connections (i.e. from a load balancer, with parsing of the PROXY header) and direct connections, proper use of firewalling or access control rules would allow both options (albeit on separate listeners) without the security risk of directly-connecting clients being able to spoof the PROXY header. |
|
Are there any updates on this? I know logging of the headers was recently released, but this doesn't solve the issue with AppRole CIDR restriction when behind a proxy... |
|
@ruhkopf discussion at #1340 (comment) is most relevant. |
|
(Logging of headers also doesn't solve this for the PROXY use case...) That (comment on 1340) is a really good discussion. However, for what it's worth, one part of the "problem" really struck me:
This concern around whitelisting IPs seems strange to me... if I was fronting Vault with a load balancer (whether an ELB in AWS, or an F5, or whatever), I would be only allowing traffic from the load balancer - i.e. my SG in AWS (or firewall, or similar tool elsewhere) would only be allowing traffic in from the ELB, I wouldn't be allowing clients to bypass the LB and hit Vault directly. Is there really a significant portion of the user base that would want to front Vault with a load balancer and also allow direct traffic? If Vault is fronted with a LB and there's not also a requirement to support direct traffic, it seems to me that IP whitelisting and concerns around X-Forwarded-For or PROXY accuracy are moot, since traffic can only reach Vault from the LB, and the LB would be configured to strip/replace such headers... |
|
I don't think it's really necessary, but I also don't think that it's a real part of the problem. |
|
Hi!
|
You're mixing up administratively-set options with client-set options. The latter has a long history of causing serious vulnerabilities even when administratively set options are correct. As a recent example, see https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ It is one thing for an administrator to purposefully disable security, and quite another to circumvent administratively set security by blindly accepting what a client gives you. To @jantman 's point ("Is there really a significant portion of the user base that would want to front Vault with a load balancer and also allow direct traffic?") we see this regularly with cases where outside traffic goes through a load balancer but internal traffic goes direct. Not all cases, but it happens. However, if you have two interfaces on a machine and can firewall one off to only allow traffic from an LB that helps quite a bit. If the PROXY protocol would have put its information within TLS encapsulation this would be easy -- simply create a listener that requires client certificate verification and the only valid certificate be on the LB. Since it doesn't, you have to find alternative methods to enhance security, such as whitelisting IPs. Given that you can have multiple Vault listeners this isn't necessarily a problem, but it's fragile. |
|
@jefferai Hi! So can you clarify your opinion? Are you ok with this optional feature (considering the above drawbacks) or not? Please take into account point # 1 from the my comment above. |
|
I've never been against it, but it depends on the implementation. |
|
+1 |
Amazon ELBs and haproxy support the PROXY protocol for layer 4 (TCP level) load balancing. This protocol presents client IP information to the server upon connecting, before sending the first bytes provided by the actual client (typically the start of a TLS handshake).
Support for this protocol could improve the quality of Vault's audit logs by logging the actual client IP address instead of a proxy's.
References:
The text was updated successfully, but these errors were encountered: