From 2e0ec41b3e12be9b845afb567d56cf027aefa581 Mon Sep 17 00:00:00 2001
From: Brett Tofel
Date: Thu, 4 Jun 2026 12:05:50 -0400
Subject: [PATCH 1/5] OCPBUGS-86718: Strip X-SSL-Client-* headers for plain HTTP
This prevents unauthenticated spoofing of mutual TLS client identities by deleting X-SSL-Client headers in the fe_http frontend before they can reach the backend. It introduces a new environment variable ROUTER_MUTUAL_TLS_AUTH_FILTER which defaults to true. Setting this to false allows external load balancers to inject these headers.
---
 .../haproxy/conf/haproxy-config.template | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index 280b5c61d..7b0821d42 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
@@ -273,6 +273,17 @@ frontend public
 # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
 http-request del-header Proxy
 
+ # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
+ # This prevents unauthenticated spoofing of mutual TLS client identities.
+ {{- if isTrue (env "ROUTER_MUTUAL_TLS_AUTH_FILTER" "true") }}
+ http-request del-header X-SSL-Client-DN
+ http-request del-header X-SSL-Client-DER
+ http-request del-header X-SSL-Client-NotAfter
+ http-request del-header X-SSL-Client-NotBefore
+ http-request del-header X-SSL-Client-SHA1
+ http-request del-header X-SSL-Client-Subject
+ {{- end }}
+
 # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
 # before matching, or any requests containing uppercase characters will never match.
 http-request set-header Host %[req.hdr(Host),lower]
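Review bot: The filter is an explicit list of header names, so any X-SSL* header the router emits that is not on the list still reaches the backend unstripped; patch 3 already has to grow the list once, and the same list is duplicated into the fe_sni and fe_no_sni hunks that follow. If the router's HAProxy build accepts the matching-method option on del-header (present in HAProxy 2.3 and later, to my recollection), a single prefix rule `http-request del-header X-SSL -m beg` covers the whole family in every frontend and removes the drift risk. A functional test over HTTP/2, where header names arrive lowercased, would confirm the deletion is case-insensitive on that path too. The comment could also name the switch that turns the block off, e.g. `# Disable via ROUTER_MUTUAL_TLS_AUTH_FILTER=false only when a trusted front-end load balancer injects these headers.` (the variable is renamed to ROUTER_MUTUAL_TLS_HEADER_FILTER in patch 2).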
@@ -390,6 +401,17 @@ frontend fe_sni
 # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
 http-request del-header Proxy
 
+ # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
+ # This prevents unauthenticated spoofing of mutual TLS client identities.
+ {{- if isTrue (env "ROUTER_MUTUAL_TLS_AUTH_FILTER" "true") }}
+ http-request del-header X-SSL-Client-DN
+ http-request del-header X-SSL-Client-DER
+ http-request del-header X-SSL-Client-NotAfter
+ http-request del-header X-SSL-Client-NotBefore
+ http-request del-header X-SSL-Client-SHA1
+ http-request del-header X-SSL-Client-Subject
+ {{- end }}
+
 # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
 # before matching, or any requests containing uppercase characters will never match.
 http-request set-header Host %[req.hdr(Host),lower]
@@ -505,6 +527,17 @@ frontend fe_no_sni
 # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
 http-request del-header Proxy
 
+ # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
+ # This prevents unauthenticated spoofing of mutual TLS client identities.
+ {{- if isTrue (env "ROUTER_MUTUAL_TLS_AUTH_FILTER" "true") }}
+ http-request del-header X-SSL-Client-DN
+ http-request del-header X-SSL-Client-DER
+ http-request del-header X-SSL-Client-NotAfter
+ http-request del-header X-SSL-Client-NotBefore
+ http-request del-header X-SSL-Client-SHA1
+ http-request del-header X-SSL-Client-Subject
+ {{- end }}
+
 # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
 # before matching, or any requests containing uppercase characters will never match.
 http-request set-header Host %[req.hdr(Host),lower]
From ef98dff0345d92fc27ab28ae378d0b09f53b886e Mon Sep 17 00:00:00 2001
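Review bot: In fe_sni the deletions only defeat spoofing because they run before the directives that populate the X-SSL* headers when mutual TLS is enabled, and those directives are outside this hunk (patch 4's comment later refers to the headers being set further down), so the ordering is an invariant the block relies on without stating it; the fe_no_sni hunk below presumably has the same dependency. A one-line comment would pin it for the next editor, e.g. `# Keep this block ahead of the mTLS set-header directives below, which re-populate these headers from the verified client certificate.`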
From: Brett Tofel
Date: Thu, 4 Jun 2026 13:09:39 -0400
Subject: [PATCH 2/5] Rename env var to ROUTER_MUTUAL_TLS_HEADER_FILTER
This avoids a collision with the existing ROUTER_MUTUAL_TLS_AUTH_FILTER regex.
---
 images/router/haproxy/conf/haproxy-config.template | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index 7b0821d42..23f2cddf5 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
@@ -275,7 +275,7 @@ frontend public
 
 # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
 # This prevents unauthenticated spoofing of mutual TLS client identities.
- {{- if isTrue (env "ROUTER_MUTUAL_TLS_AUTH_FILTER" "true") }}
+ {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
 http-request del-header X-SSL-Client-DN
 http-request del-header X-SSL-Client-DER
 http-request del-header X-SSL-Client-NotAfter
@@ -403,7 +403,7 @@ frontend fe_sni
 
 # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
 # This prevents unauthenticated spoofing of mutual TLS client identities.
- {{- if isTrue (env "ROUTER_MUTUAL_TLS_AUTH_FILTER" "true") }}
+ {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
 http-request del-header X-SSL-Client-DN
 http-request del-header X-SSL-Client-DER
 http-request del-header X-SSL-Client-NotAfter
@@ -529,7 +529,7 @@ frontend fe_no_sni
 
 # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
 # This prevents unauthenticated spoofing of mutual TLS client identities.
- {{- if isTrue (env "ROUTER_MUTUAL_TLS_AUTH_FILTER" "true") }}
+ {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
 http-request del-header X-SSL-Client-DN
 http-request del-header X-SSL-Client-DER
 http-request del-header X-SSL-Client-NotAfter
From fca5221b8e14aaa12016f0fd0c2419928d930da7 Mon Sep 17 00:00:00 2001
From: Brett Tofel
Date: Thu, 4 Jun 2026 16:04:54 -0400
Subject: [PATCH 3/5] Expand list of stripped X-SSL-Client-* headers
Expands the list of mTLS headers stripped from plain HTTP requests to include all headers set natively by the router (X-SSL, X-SSL-Client-Verify, X-SSL-Client-Serial, X-SSL-Client-Version, X-SSL-Client-CN, X-SSL-Issuer). This fully mitigates the risk of spoofing any of these headers.
---
 .../haproxy/conf/haproxy-config.template | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index 23f2cddf5..18077dd48 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
@@ -276,12 +276,18 @@ frontend public
 # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
 # This prevents unauthenticated spoofing of mutual TLS client identities.
 {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
- http-request del-header X-SSL-Client-DN
+ http-request del-header X-SSL
+ http-request del-header X-SSL-Client-CN
 http-request del-header X-SSL-Client-DER
+ http-request del-header X-SSL-Client-DN
 http-request del-header X-SSL-Client-NotAfter
 http-request del-header X-SSL-Client-NotBefore
 http-request del-header X-SSL-Client-SHA1
+ http-request del-header X-SSL-Client-Serial
 http-request del-header X-SSL-Client-Subject
+ http-request del-header X-SSL-Client-Verify
+ http-request del-header X-SSL-Client-Version
+ http-request del-header X-SSL-Issuer
 {{- end }}
 
 # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
@@ -404,12 +410,18 @@ frontend fe_sni
 # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
 # This prevents unauthenticated spoofing of mutual TLS client identities.
 {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
- http-request del-header X-SSL-Client-DN
+ http-request del-header X-SSL
+ http-request del-header X-SSL-Client-CN
 http-request del-header X-SSL-Client-DER
+ http-request del-header X-SSL-Client-DN
 http-request del-header X-SSL-Client-NotAfter
 http-request del-header X-SSL-Client-NotBefore
 http-request del-header X-SSL-Client-SHA1
+ http-request del-header X-SSL-Client-Serial
 http-request del-header X-SSL-Client-Subject
+ http-request del-header X-SSL-Client-Verify
+ http-request del-header X-SSL-Client-Version
+ http-request del-header X-SSL-Issuer
 {{- end }}
 
 # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
@@ -530,12 +542,18 @@ frontend fe_no_sni
 # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
 # This prevents unauthenticated spoofing of mutual TLS client identities.
 {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
- http-request del-header X-SSL-Client-DN
+ http-request del-header X-SSL
+ http-request del-header X-SSL-Client-CN
 http-request del-header X-SSL-Client-DER
+ http-request del-header X-SSL-Client-DN
 http-request del-header X-SSL-Client-NotAfter
 http-request del-header X-SSL-Client-NotBefore
 http-request del-header X-SSL-Client-SHA1
+ http-request del-header X-SSL-Client-Serial
 http-request del-header X-SSL-Client-Subject
+ http-request del-header X-SSL-Client-Verify
+ http-request del-header X-SSL-Client-Version
+ http-request del-header X-SSL-Issuer
 {{- end }}
 
 # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
From 861e7c2a9367a2d44d858c709c341a7488b03460 Mon Sep 17 00:00:00 2001
From: Brett Tofel
Date: Thu, 4 Jun 2026 16:47:58 -0400
Subject: [PATCH 4/5] Update images/router/haproxy/conf/haproxy-config.template
Co-authored-by: Miciah Dashiel Butler Masters
---
 images/router/haproxy/conf/haproxy-config.template | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index 18077dd48..49fff3ab3 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
@@ -407,8 +407,9 @@ frontend fe_sni
 # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
 http-request del-header Proxy
 
- # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
- # This prevents unauthenticated spoofing of mutual TLS client identities.
+ # Strip off X-SSL-Client-* headers if not explicitly disabled.
+ # This prevents unauthenticated spoofing of mutual TLS client identities
+ # when mutual TLS is not enabled and so the headers are not set below.
 {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
 http-request del-header X-SSL
 http-request del-header X-SSL-Client-CN
From d180c82101db36548c5f5c11bee0ab3dea6c15f1 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Mon, 8 Jun 2026 18:21:01 -0300
Subject: [PATCH 5/5] OCPBUGS-87205: fix comments on template
---
 images/router/haproxy/conf/haproxy-config.template | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index 49fff3ab3..33fc45901 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
@@ -273,7 +273,7 @@ frontend public
 # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
 http-request del-header Proxy
 
- # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
+ # Strip off X-SSL* headers for plain HTTP if not explicitly disabled.
 # This prevents unauthenticated spoofing of mutual TLS client identities.
 {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
 http-request del-header X-SSL
@@ -407,7 +407,7 @@ frontend fe_sni
 # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
 http-request del-header Proxy
 
- # Strip off X-SSL-Client-* headers if not explicitly disabled.
+ # Strip off X-SSL* headers if not explicitly disabled.
 # This prevents unauthenticated spoofing of mutual TLS client identities
 # when mutual TLS is not enabled and so the headers are not set below.
 {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
@@ -540,8 +540,9 @@ frontend fe_no_sni
 # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
 http-request del-header Proxy
 
- # Strip off X-SSL-Client-* headers for plain HTTP if not explicitly disabled.
- # This prevents unauthenticated spoofing of mutual TLS client identities.
+ # Strip off X-SSL* headers if not explicitly disabled.
+ # This prevents unauthenticated spoofing of mutual TLS client identities
+ # when mutual TLS is not enabled and so the headers are not set below.
 {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
 http-request del-header X-SSL
 http-request del-header X-SSL-Client-CN
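Review bot: The third comment line added to fe_no_sni, `# when mutual TLS is not enabled and so the headers are not set below.`, is the wording patch 4 wrote for fe_sni; whether fe_no_sni populates the X-SSL* headers further down is outside this hunk, so that claim should be checked against the rest of the fe_no_sni frontend before it is repeated there. After this patch the public frontend still reads "for plain HTTP" while the other two copies describe the same directives differently, so the three blocks are already drifting apart. If the template renderer supports it, factoring the block into one named template invoked from each frontend would keep the comment and the header list in a single place.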