Page MenuHomePhabricator
Create Task
Maniphest T274386

Allow encrypting connection from the shared Cloud VPS web proxy to the backend
Closed, ResolvedPublic
Actions

Description

I attempted to create an webproxy service to a backend service which had TLS enabled however i noticed that the webproxy always makes requests to the backend using clear text http. It would be nice if there was a way to indicate to the webproxy that the backend has TLS and it should expect to establish a TLS session before talking HTTP.

For now and as this is an internal service i think its fine to blindly trusting any CA as the addition of encryption would still be an improvement.

The proxies config file is here
The lua code that needs to be rechecked so it can handle http/https protocols is here

This also includes adding an option to the horizon proxy UI to choose the protocol (http/https).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Support specifying a protocolopenstack/horizon/wmf-proxy-dashboardmain+24 -5
Customize query in gerrit

Event Timeline

jbond created this task.Feb 10 2021, 4:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 10 2021, 4:13 PM
taavi subscribed.Feb 10 2021, 4:13 PM
bd808 renamed this task from Enable end to end encryption on the cloud web proxy to Allow end to end encryption through the shared web proxy.Feb 10 2021, 4:26 PM
bd808 edited projects, added Cloud-VPS, cloud-services-team (Kanban); removed Cloud-Services.
bd808 subscribed.Feb 10 2021, 5:47 PM

I think a reasonable first step towards true end-to-end encryption would be supporting "multi-hop" encryption where the communication looks something like UserTLSshared proxyTLSupstream service with the shared proxy to upstream service leg being an unverified TLS connection.

This would not be the final perfect outcome, but it feels like a reasonable starting step. It would not support more advanced use cases such as x509 cert authentication between the user and the upstream service. It would also not add any real trust between the shared proxy and the upstream services without cert chain verification. It would however provide a way to transit traffic from the front proxy to a service in another Cloud VPS project with TLS protection for that traffic stream to help prevent shared network eavesdropping attacks.

bd808 added a comment.Feb 10 2021, 5:58 PM

Untested idea for multi-hop:

--- i/modules/dynamicproxy/templates/domainproxy.conf
+++ w/modules/dynamicproxy/templates/domainproxy.conf
@@ -148,6 +148,11 @@ server {
         proxy_pass $backend;
         proxy_set_header Host $vhost;

+        # T274386: allow unverified TLS to upstream when $backend starts with
+        # `https://` to trigger TLS usage by `proxy_pass`.
+        proxy_ssl_verify off;
+        proxy_ssl_session_reuse on;
+
         proxy_set_header X-Forwarded-Proto $scheme;

         proxy_http_version 1.1;

This would also need changes in the data retrieved via domainproxy.lua to allow it to return an https:// prefixed upstream route when appropriate. We may also want to add proxy_ssl_protocols and proxy_ssl_ciphers settings in this block to tune the "internal" TLS connection configuration.

aborrero triaged this task as Low priority.Feb 11 2021, 5:12 PM
aborrero subscribed.
In T274386#6819605, @bd808 wrote:

Untested idea for multi-hop:

--- i/modules/dynamicproxy/templates/domainproxy.conf
+++ w/modules/dynamicproxy/templates/domainproxy.conf
@@ -148,6 +148,11 @@ server {
         proxy_pass $backend;
         proxy_set_header Host $vhost;

+        # T274386: allow unverified TLS to upstream when $backend starts with
+        # `https://` to trigger TLS usage by `proxy_pass`.
+        proxy_ssl_verify off;
+        proxy_ssl_session_reuse on;
+
         proxy_set_header X-Forwarded-Proto $scheme;

         proxy_http_version 1.1;

This would also need changes in the data retrieved via domainproxy.lua to allow it to return an https:// prefixed upstream route when appropriate. We may also want to add proxy_ssl_protocols and proxy_ssl_ciphers settings in this block to tune the "internal" TLS connection configuration.

This sounds really interesting, thanks @bd808

We have been talking about this in our triaging meeting, and might look into this in details in the future.

fgiunchedi subscribed.Feb 23 2021, 1:09 PM
fgiunchedi added a comment.Feb 23 2021, 1:13 PM

My two cents / use case for this: production frontend reverse proxy has moved to https for all its backends, so having the web proxy talk https would allow as-is reuse of the same vhosts / configs in prod and cloud vps

taavi moved this task from Unsorted to Web proxy on the Cloud-VPS board.Feb 23 2021, 1:30 PM
dcaro updated the task description. (Show Details)Mar 23 2022, 10:01 AM
dcaro updated the task description. (Show Details)Mar 23 2022, 10:04 AM
dcaro updated the task description. (Show Details)Mar 23 2022, 10:07 AM
Slst2020 added a project: User-Slst2020.Mar 24 2022, 9:16 AM
Slst2020 moved this task from To Do to Doing on the User-Slst2020 board.Mar 24 2022, 3:02 PM
Slst2020 moved this task from Doing to To Do on the User-Slst2020 board.Apr 5 2022, 8:58 AM
Slst2020 removed a project: User-Slst2020.May 16 2022, 10:30 AM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:53 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
taavi renamed this task from Allow end to end encryption through the shared web proxy to Allow encrypting connection from the shared Cloud VPS web proxy to the backend.Sep 28 2024, 12:50 PM
fgiunchedi added a comment.Apr 29 2025, 3:32 PM

Just a quick note/reminder that having the shared Cloud VPS web proxy speak https to its backends would be very nice and welcome

taavi edited projects, added Horizon; removed Cloud-VPS.Apr 30 2025, 9:30 AM
In T274386#6819605, @bd808 wrote:

Untested idea for multi-hop:

Based on https://nginx.org/en/docs/http/ngx_http_proxy_module.html those are already the defaults. So basically we only need to expose this setting in Horizon and document it, otherwise the infrastructure should already support https:// backends as is.

taavi claimed this task.May 8 2025, 11:54 AM
gerritbot added a comment.May 8 2025, 12:02 PM

Change #1143541 had a related patch set uploaded (by Majavah; author: Majavah):

[openstack/horizon/wmf-proxy-dashboard@main] Support specifying a protocol

https://gerrit.wikimedia.org/r/1143541

gerritbot added a project: Patch-For-Review.May 8 2025, 12:02 PM
gerritbot added a comment.May 13 2025, 9:26 AM

Change #1143541 merged by jenkins-bot:

[openstack/horizon/wmf-proxy-dashboard@main] Support specifying a protocol

https://gerrit.wikimedia.org/r/1143541

Maintenance_bot removed a project: Patch-For-Review.May 13 2025, 9:31 AM
taavi closed this task as Resolved.May 13 2025, 9:52 AM

Horizon change deployed, and documented at https://wikitech.wikimedia.org/wiki/Help:Using_a_web_proxy_to_reach_Cloud_VPS_servers_from_the_internet#TLS_for_backend_traffic.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits