[v14] Revert rejecting connection if PROXY header is signed with non-local cluster #32068
Merged
AntonAM merged 1 commit into branch/v14 from Sep 18, 2023
…cluster Temporarily reverting before we implement a proper fix. This caused clusters with a changed name (but not updated CA) to become inaccessible.
capnspacehook approved these changes Sep 18, 2023
tigrato approved these changes Sep 18, 2023
jentfoo reviewed Sep 18, 2023
| m.WithFields(log.Fields{ | ||
| "src_addr": conn.RemoteAddr(), | ||
| "dst_addr": conn.LocalAddr(), | ||
| }).Debugf("%s - signed by non local cluster", invalidProxySignatureError) |
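Review bot: the fields on this log entry are only src_addr and dst_addr, so the entry does not say which cluster signed the PROXY header or what the local cluster name is. Without those, a reader cannot tell a renamed cluster with an unchanged CA from a header signed by a genuinely different cluster; consider adding both names as fields. Because the entry is emitted with Debugf, it is also only visible when debug logging is enabled, so with rejection reverted this condition leaves no trace at default log levels. A rate-limited message at a higher level would keep it visible without flooding users who renamed their cluster.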
Contributor
Should this log level be higher? This seems like a warning condition to me
Contributor
Author
Users who changed cluster name would have a lot of these warnings and they can't really do anything about it, and understanding it also is not simple. It's more of an error level, we just don't have a proper fix for it yet.
This PR temporarily reverts rejecting connection if PROXY header is signed with non-local cluster for branch v14, because it leads to an issue when a cluster's name is changed in the config (#32066). This is to make sure our v14 release is not affected by this issue while we're working on a proper fix.