
x-forwarded-client-cert

https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert

x-forwarded-client-cert (XFCC) is a proxy header which indicates certificate information of part or all of the clients or proxies that a request has flowed through, on its way from the client to the server. A proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

The XFCC header value is a comma (",") separated string. Each substring is an XFCC element, which holds information added by a single proxy. A proxy can append the current client certificate information as an XFCC element, to the end of the request’s XFCC header after a comma.

The following keys are supported:

  1. By: the Subject Alternative Name (URI type) of the current proxy's certificate.
  2. Hash: the SHA-256 digest of the current client certificate.
  3. Cert: the entire client certificate in URL-encoded PEM format.
  4. Chain: the entire client certificate chain (including the leaf certificate) in URL-encoded PEM format.
  5. Subject: the Subject field of the current client certificate. The value is always double-quoted.
  6. URI: the URI type Subject Alternative Name field of the current client certificate.
  7. DNS: the DNS type Subject Alternative Name field of the current client certificate. A client certificate may contain multiple DNS type Subject Alternative Names; each is a separate key-value pair.

An example of the XFCC header, for one client certificate with only a URI type Subject Alternative Name:

```
x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";URI=http://testclient.lyft.com
```

check mtls traffic

```bash
# From each sleep pod, call httpbin in the target namespace and keep only the
# peer identity (URI SAN from the XFCC header) and the HTTP response code.
for from in "mtls-test" "legacy"; do
  for to in "mtls-test"; do
    echo "sleep.${from} to httpbin.${to}"
    kubectl exec "$(kubectl get pod -l app=sleep -n "${from}" -o jsonpath='{.items..metadata.name}')" \
      -c sleep -n "${from}" -- \
      curl -s -w "response code: %{http_code}\n" "http://httpbin.${to}:8000/headers" \
      | egrep -o 'URI\=spiffe.*sa/[a-z]*|response.*$'
    echo
  done
done
```

```
sleep.mtls-test to httpbin.mtls-test
URI=spiffe://cluster.local/ns/mtls-test/sa/sleep
response code: 200
sleep.legacy to httpbin.mtls-test
response code: 200
sleep.full to httpbin.mtls-test
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
```
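The header layout described above (comma-separated elements, semicolon-separated key=value pairs, an always-quoted Subject, repeatable DNS keys, URL-encoded Cert/Chain) is small enough to parse by hand, and the egrep in the mTLS check above is really doing a rough version of that. Below is an added Python example, not code from the page or from Envoy/Istio: it parses an XFCC value into one dict per element, treats the last element as the only one written by the adjacent (trusted) proxy, validates that Hash is a hex SHA-256 digest, and extracts namespace and service account from a SPIFFE URI SAN the way the egrep does. Backslash-escaping inside quoted values, the helper names, the ingress/gateway identities and the all-zero/all-one hashes are my assumptions and constructed sample data; the first sample value is the one quoted on the page from the Envoy docs.

```python
import re
from urllib.parse import unquote

# Keys that may legitimately repeat inside one element (several DNS SANs).
MULTI_VALUE_KEYS = {"DNS"}
HASH_RE = re.compile(r"[0-9a-fA-F]{64}")  # hex-encoded SHA-256 digest
# Istio-style SPIFFE ID: spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
SPIFFE_RE = re.compile(r"^spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)$")


def _split_outside_quotes(text, sep):
    """Split on `sep`, ignoring separators inside double quotes (the Subject
    is always quoted and may itself contain ',' or ';'). Inside quotes a
    backslash escapes the next character (assumption, not from the docs)."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quotes and ch == "\\" and i + 1 < len(text):
            buf.append(ch)
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in XFCC header")
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_xfcc(header):
    """One dict per XFCC element, in client-to-server order."""
    elements = []
    for elem in _split_outside_quotes(header, ","):
        fields = {}
        for pair in _split_outside_quotes(elem, ";"):
            key, eq, value = pair.partition("=")
            if not eq:
                raise ValueError(f"malformed XFCC pair: {pair!r}")
            key, value = key.strip(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            if key == "Hash" and not HASH_RE.fullmatch(value):
                raise ValueError(f"Hash is not a hex SHA-256 digest: {value!r}")
            if key in ("Cert", "Chain"):
                value = unquote(value)  # URL-encoded PEM
            if key in MULTI_VALUE_KEYS:
                fields.setdefault(key, []).append(value)
            elif key in fields:
                raise ValueError(f"duplicate key {key!r} in XFCC element")
            else:
                fields[key] = value
        elements.append(fields)
    return elements


def nearest_hop(header):
    """The last element was appended by the proxy adjacent to us; earlier
    elements were forwarded from upstream proxies and only carry as much
    trust as those proxies do."""
    return parse_xfcc(header)[-1]


def spiffe_identity(element):
    """(trust_domain, namespace, service_account) from the URI SAN, or None
    when the peer presented no SPIFFE identity (e.g. a plaintext legacy client)."""
    m = SPIFFE_RE.match(element.get("URI", ""))
    return m.groups() if m else None


# Value quoted on the page from the Envoy docs.
PAGE_EXAMPLE = (
    "By=http://frontend.lyft.com;"
    "Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;"
    'Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";'
    "URI=http://testclient.lyft.com"
)

# Constructed two-hop value: an edge gateway's element, then the httpbin
# sidecar's element. Hashes are placeholders, not real digests.
PLACEHOLDER_HASH_A = "0" * 64
PLACEHOLDER_HASH_B = "1" * 64
TWO_HOP = ",".join([
    ";".join([
        "By=spiffe://cluster.local/ns/ingress/sa/gateway",
        f"Hash={PLACEHOLDER_HASH_A}",
        'Subject="/O=Acme, Inc./CN=edge-client"',   # comma inside quotes
        "URI=spiffe://cluster.local/ns/legacy/sa/sleep",
        "DNS=a.example.test",
        "DNS=b.example.test",
    ]),
    ";".join([
        "By=spiffe://cluster.local/ns/mtls-test/sa/httpbin",
        f"Hash={PLACEHOLDER_HASH_B}",
        'Subject=""',
        "URI=spiffe://cluster.local/ns/ingress/sa/gateway",
    ]),
])

if __name__ == "__main__":
    for i, e in enumerate(parse_xfcc(TWO_HOP)):
        print(f"element {i}: By={e.get('By')} identity={spiffe_identity(e)}")
    print("nearest hop:", spiffe_identity(nearest_hop(TWO_HOP)))
```

Two things to keep in mind when using the header this way: only the element written by your own sidecar (the last one) is authenticated by the TLS handshake you took part in, and whether that element exists at all depends on the proxy's forward_client_cert_details setting, which is why the plaintext "legacy" client in the output above shows no URI line.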
Author: Mark Zhu
An old developer