-
Notifications
You must be signed in to change notification settings - Fork 617
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS and Connection information through headers #280
Comments
Since these are not fabio but protocol specific headers I'd prefer to drop the I'm reluctant for a general Opinions welcome. |
@hkolk What if we add the fields to the |
This patch adds an 'httpproto' field which contains the lower case version of the HTTP protocol to the Forwarded header of all upstream requests. When fabio terminates the TLS connection two additional fields 'tlsver' and 'tlscipher' are added to the Forwarded field. 'tlsver' contains the TLS version as 'tlscipher' the chosen cipher suite. The cipher suite is formatted as a hex number from https://golang.org/pkg/crypto/tls/#pkg-constants. Fixes #280
@hkolk I've pushed a change which adds the fields to the |
Example:
|
This patch adds an 'httpproto' field which contains the lower case version of the HTTP protocol to the Forwarded header of all upstream requests. When fabio terminates the TLS connection two additional fields 'tlsver' and 'tlscipher' are added to the Forwarded field. 'tlsver' contains the TLS version as 'tlscipher' the chosen cipher suite. The cipher suite is formatted as a hex number from https://golang.org/pkg/crypto/tls/#pkg-constants. Fixes #280
Don't forget the TLS client authentication information like Common Name |
In our setup, we are terminating TLS traffic on Fabio. This means that Fabio is the main/only place where we know which protocol was used.
My suggestion is to add Info headers to the backend request, to facilitate logging within the application.
Current concept:
Because these are not really universal, I prefer to prefix them with
Fabio-
. The ID used for the cipher is from the IANA list:https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
https://golang.org/src/crypto/tls/cipher_suites.go#L368
For enabling/disabling these headers, I propose the
proxy.header.info.enabled
as a boolean, defaulting to true.Later on, we can add additional informational headers, such as what Cloudflare has done with the
CF-0RTT-Unique
header for TLS1.3I have the commits for this on my cloned branch. I'll create a pull request in a couple of days based on the input from this issue
The text was updated successfully, but these errors were encountered: