[Release-4.22] OCPBUGS-87167: Strip X-SSL-* headers for plain HTTP by MrSanketkumar · Pull Request #793 · openshift/router

MrSanketkumar · 2026-06-10T07:39:43Z

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
Secure by default - header stripping enabled unless explicitly disabled

Cherry-picked from: d180c82

Summary by CodeRabbit

Bug Fixes
- Added security filtering for inbound TLS identity headers across HTTP and HTTPS traffic flows. This prevents potential header spoofing and is enabled by default, with an option to disable via the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable if needed.

coderabbitai · 2026-06-10T07:39:51Z

Walkthrough

This PR adds security-focused mutual-TLS header filtering to the HAProxy router configuration. The change conditionally strips inbound X-SSL and related identity headers across all three HTTP and HTTPS frontends to prevent client-side header spoofing, controlled by the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable (enabled by default).

Changes

Mutual-TLS Header Spoofing Prevention

Layer / File(s)	Summary
Conditional header deletion across HTTP and HTTPS frontends `images/router/haproxy/conf/haproxy-config.template`	Plain HTTP `frontend public`, TLS SNI (`frontend fe_sni`), and TLS no-SNI (`frontend fe_no_sni`) frontends each gain conditional `http-request del-header` directives that strip `X-SSL-*` and `X-SSL-Issuer` headers when `ROUTER_MUTUAL_TLS_HEADER_FILTER` is enabled (default), preventing client-side header spoofing before routing logic executes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

openshift/router#787: Both PRs modify images/router/haproxy/conf/haproxy-config.template to conditionally http-request del-header mutual-TLS spoofing headers (X-SSL/X-SSL-Client-* and X-SSL-Issuer) in the same HAProxy frontends (public, fe_sni, fe_no_sni) under ROUTER_MUTUAL_TLS_HEADER_FILTER.

Suggested reviewers

frobware

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This repository does not use Ginkgo testing framework. All test files use Go's standard testing.T framework. The check is not applicable to this codebase.
Test Structure And Quality	✅ Passed	The PR modifies the HAProxy template file to add header stripping logic; no Ginkgo tests exist in the codebase, making the check not applicable.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests were added. All new test files use standard Go testing framework (func Test*). MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests added. All 31 test files are standard Go unit tests with zero Ginkgo imports. PR modifies HAProxy config for CVE-2026-46579, not tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only HAProxy config template to strip X-SSL headers. No Kubernetes deployment manifests, controllers, or pod scheduling constraints were modified.
Ote Binary Stdout Contract	✅ Passed	This is the OpenShift router production binary, not an OTE test binary. The OTE Binary Stdout Contract check is not applicable to production routers.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It only modifies the HAProxy config template file. The custom check is not applicable.
No-Weak-Crypto	✅ Passed	PR only modifies HAProxy configuration template to add HTTP header deletion rules; no weak cryptography, custom crypto implementations, or secret comparisons introduced.
Container-Privileges	✅ Passed	PR modifies HAProxy config for security hardening; deploy/router.yaml only adds hostNetwork: true (standard requirement). No privileged containers, SYS_ADMIN, or allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs	✅ Passed	PR adds header deletion (not logging) to prevent mTLS spoofing. No new logging statements expose sensitive X-SSL-Client-* headers; headers deleted via http-request rules before capture/logging.
Title check	✅ Passed	The title clearly describes the main change: stripping X-SSL-* headers for plain HTTP as part of a security fix for CVE-2026-46579, and correctly identifies the release branch target.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci-robot · 2026-06-10T07:39:52Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-87167, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
expected dependent Jira Issue OCPBUGS-87205 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is Closed (Done) instead
expected dependent Jira Issue OCPBUGS-87205 to target a version in 5.0.0, but it targets "5.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)

Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`

Secure by default - header stripping enabled unless explicitly disabled

Cherry-picked from: d180c82

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

MrSanketkumar · 2026-06-10T07:41:54Z

@coderabbitai review

coderabbitai · 2026-06-10T07:42:00Z

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

openshift-ci · 2026-06-10T11:32:14Z

@MrSanketkumar: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-serial-2of2	`f599dae`	link	true	`/test e2e-aws-serial-2of2`
ci/prow/e2e-aws-serial-1of2	`f599dae`	link	true	`/test e2e-aws-serial-1of2`
ci/prow/e2e-upgrade	`f599dae`	link	true	`/test e2e-upgrade`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

rikatz · 2026-06-10T11:41:36Z

/jira refresh

openshift-ci-robot · 2026-06-10T11:41:41Z

@rikatz: This pull request references Jira Issue OCPBUGS-87167, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
expected dependent Jira Issue OCPBUGS-87205 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is Closed (Done) instead
expected dependent Jira Issue OCPBUGS-87205 to target a version in 5.0.0, but it targets "5.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

rikatz · 2026-06-10T11:44:47Z

/jira refresh

openshift-ci-robot · 2026-06-10T11:44:52Z

@rikatz: This pull request references Jira Issue OCPBUGS-87167, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

rikatz · 2026-06-10T12:10:03Z

/jira refresh

openshift-ci-robot · 2026-06-10T12:10:08Z

@rikatz: This pull request references Jira Issue OCPBUGS-87167, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

rikatz · 2026-06-10T12:11:03Z

/jira refresh
/retest-required

openshift-ci-robot · 2026-06-10T12:11:09Z

@rikatz: This pull request references Jira Issue OCPBUGS-87167, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-87205 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
dependent Jira Issue OCPBUGS-87205 targets the "5.0.0" version, which is one of the valid target versions: 5.0.0
bug has dependents

Details

In response to this:

/jira refresh
/retest-required

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

rikatz · 2026-06-10T13:24:47Z

/lgtm
/approve

needs backport-risk-assessed from @Miciah

openshift-ci · 2026-06-10T13:30:05Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [rikatz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

UdayYendva · 2026-06-10T13:54:47Z

/jira refresh

openshift-ci-robot · 2026-06-10T13:54:54Z

@UdayYendva: This pull request references Jira Issue OCPBUGS-87167, which is invalid:

expected dependent Jira Issue OCPBUGS-87205 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

MrSanketkumar · 2026-06-10T13:57:34Z

/jira refresh

openshift-ci-robot · 2026-06-10T13:57:41Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-87167, which is valid.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-87205 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
dependent Jira Issue OCPBUGS-87205 targets the "5.0.0" version, which is one of the valid target versions: 5.0.0
bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

OCPBUGS-87167: Strip X-SSL-Client-* headers for plain HTTP

f599dae

openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jun 10, 2026

openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jun 10, 2026

openshift-ci Bot requested review from gcs278 and ironcladlou June 10, 2026 07:40

MrSanketkumar changed the title ~~[Release-4.22] OCPBUGS-87167: Strip X-SSL-Client-* headers for plain HTTP~~ [Release-4.22] OCPBUGS-87167: Strip X-SSL-* headers for plain HTTP Jun 10, 2026

openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jun 10, 2026

openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jun 10, 2026

openshift-ci Bot assigned rikatz Jun 10, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 10, 2026

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 10, 2026

openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 10, 2026

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 10, 2026

Conversation

MrSanketkumar commented Jun 10, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Jun 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Possibly related PRs

Suggested reviewers

Uh oh!

openshift-ci-robot commented Jun 10, 2026

Uh oh!

MrSanketkumar commented Jun 10, 2026

Uh oh!

coderabbitai Bot commented Jun 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci Bot commented Jun 10, 2026

Uh oh!

rikatz commented Jun 10, 2026

Uh oh!

openshift-ci-robot commented Jun 10, 2026

Uh oh!

rikatz commented Jun 10, 2026

Uh oh!

openshift-ci-robot commented Jun 10, 2026

Uh oh!

rikatz commented Jun 10, 2026

Uh oh!

openshift-ci-robot commented Jun 10, 2026

Uh oh!

rikatz commented Jun 10, 2026

Uh oh!

openshift-ci-robot commented Jun 10, 2026

Uh oh!

rikatz commented Jun 10, 2026

Uh oh!

openshift-ci Bot commented Jun 10, 2026

Uh oh!

UdayYendva commented Jun 10, 2026

Uh oh!

openshift-ci-robot commented Jun 10, 2026

Uh oh!

MrSanketkumar commented Jun 10, 2026

Uh oh!

openshift-ci-robot commented Jun 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

MrSanketkumar commented Jun 10, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 10, 2026 •

edited

Loading

coderabbitai Bot commented Jun 10, 2026 •

edited

Loading