search

gchq / stroom

Stroom is a highly scalable data storage, processing and analysis platform.
https://gchq.github.io/stroom-docs/
Apache License 2.0
435 stars 53 forks source link

Make name of header containing DN for certificate authentication configurable via props. #4338

Open gcdev373 opened 4 months ago

gcdev373 commented 4 months ago

When using mTLS (2-way SSL) certificate based authentication for datafeed, the SSL tunnel is terminated at a load balancer.

The DN is extracted by the LB and sent onto Stroom/Proxy in a special header. Currently, this header is hard coded to be the one used by NGIX. It must be made configurable to enable it to be used with other types of LB.

at055612 commented 4 months ago

See stroom.util.cert.CertificateExtractor, which is used to extract a DN for both datafeed and internal IDP auth.

This

    private static final String X_SSL_CLIENT_S_DN = "X-SSL-CLIENT-S-DN";

needs to be set in config.

gcdev373 commented 1 month ago

Possible overlap with this issue