envoy icon indicating copy to clipboard operation
envoy copied to clipboard
verified publisher icon envoyproxy

Add mTLS Failure Response filter

Open arulthileeban opened this issue 1 year ago • 9 comments

Commit Message: Addition of a network filter to respond with a non-SSL failure response for client cert verification failure (close connection abruptly or tarpit)

Risk Level: Low Testing: Unit/Integration/Manual Docs Changes: Done Release Notes: TBD Fixes #34617

@ggreenway Thanks for the initial direction. I had a couple of initial questions:

  • Does this look okay at a high level? Any preliminary changes before we get into the actual code review?
  • As per extension policy, adding a filter requires a sponsor for this to be part of the repository (non-contrib). Would you be willing to help with that?
  • I was thinking of adding another option to respond with a HTTP 403/401 like how NGINX helps handle mTLS, but that wouldn't be ideal since this is a network filter. Is there any recommendation you have on adding an option like "SET_METADATA_AND_CONTINUE" for eg. where we set some metadata for a filter higher in the stack like the CustomResponseFilter to match against it and issue a 403 or redirect to a standard error page? Or do we want to maybe take care of that in the core code by adding the validated/presented values in the matchers

arulthileeban avatar Jul 02 '24 00:07 arulthileeban

As a reminder, PRs marked as draft will not be automatically assigned reviewers, or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

:cat:

Caused by: https://github.com/envoyproxy/envoy/pull/35006 was opened by arulthileeban.

see: more, trace.

repokitteh-read-only[bot] avatar Jul 02 '24 00:07 repokitteh-read-only[bot]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/). envoyproxy/api-shepherds assignee is @abeyad CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

:cat:

Caused by: https://github.com/envoyproxy/envoy/pull/35006 was opened by arulthileeban.

see: more, trace.

repokitteh-read-only[bot] avatar Jul 02 '24 00:07 repokitteh-read-only[bot]

/wait

abeyad avatar Jul 02 '24 16:07 abeyad

I just unassigned myself as I'll be OOO for a couple weeks.

abeyad avatar Jul 10 '24 16:07 abeyad

@ggreenway friendly ping for any thoughts here

arulthileeban avatar Jul 11 '24 01:07 arulthileeban

I'd also like to hear @alyssawilk 's feedback on this, as she was also involved in the discussion about creating it.

ggreenway avatar Jul 11 '24 18:07 ggreenway

I'd say +1 on docs as I'm a bit confused between API and code how this all works, and move to contrib unless there's a maintainer volunteer for ownership

alyssawilk avatar Jul 22 '24 15:07 alyssawilk

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

github-actions[bot] avatar Aug 21 '24 16:08 github-actions[bot]

Not stale. Will address above comments

arulthileeban avatar Aug 24 '24 23:08 arulthileeban

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

github-actions[bot] avatar Sep 24 '24 00:09 github-actions[bot]

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

github-actions[bot] avatar Oct 01 '24 04:10 github-actions[bot]