Support in cloud controller for enabling mTLS for syslog-drains
Issue
Currently, connections created by syslog-agents in Cloud Foundry only support TLS and HTTPS transport protocols for syslog drains without client certificate authentication. To protect the server from malicious syslog senders, it is only possible to filter the syslog sender according to the source IP address or use basic auth when registering HTTPS drains.
Context
We have created a proposed solution to the issue as an issue in the loggregator-agent-release. Most changes would need to be done there, but a part of it would need to be done in the internal syslog_drain_urls endpoint of the cloud controller. Therefore we create this issue here in order to invite cloud controller devs to look into and comment on the proposal, and to refer to it in upcoming PRs to this repo.
Possible Fix
Please see https://github.com/cloudfoundry/loggregator-agent-release/issues/97
PR: https://github.com/cloudfoundry/cloud_controller_ng/pull/2903
#2903 was merged by @philippthun. I suggest that we close this issue.