Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[heartbeat][libbeat][metricbeat][filebeat] Pass TLS options to forward proxies #15516

Merged
merged 9 commits into from
Jan 27, 2020

Conversation

andrewvc
Copy link
Contributor

@andrewvc andrewvc commented Jan 13, 2020

Fixes a bug where TLS options would not be passed to forward proxies. This fixes a reported issue where x509 client cert auth doesn't work due to the cert parameters not being passed in.

Since this doesn't give us a full dialer we can't easily record TLS certificate expiry with proxies with this approach, so those fields would be missing. I think it makes sense to merge this change as-is and fix that secondary bug in a subsequent PR. I've opened a separate issue ( #15797 ) to cover that.

I've tested this manually against with the following config: https://github.com/elastic/uptime-contrib/tree/master/testing/configs/client-auth , note that you'll need the included client certs in that directory, and will need to alter the YAML to point at their actual path.

I think in this scenario I'm fine with only having unit tests because the complexity of setting of a forward proxy + a custom TLS backend is very high.

Fixes #15524

@andrewvc andrewvc added bug in progress Pull request is currently in progress. Heartbeat Team:obs-ds-hosted-services Label for the Observability Hosted Services team labels Jan 13, 2020
@andrewvc andrewvc requested a review from a team as a code owner January 13, 2020 21:05
@andrewvc andrewvc self-assigned this Jan 13, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/uptime (:uptime)

@andrewvc andrewvc added review and removed in progress Pull request is currently in progress. labels Jan 23, 2020
@andrewvc andrewvc requested a review from urso January 23, 2020 22:48
@@ -138,6 +138,7 @@ func newRoundTripper(config *Config, tls *transport.TLSConfig) (*http.Transport,
Proxy: proxy,
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
TLSClientConfig: tls.ToConfig(),
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add this change to some other packages, please?

  • libbeat/output/elasticsearch
  • metricbeat/helper

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@urso I've done so 4 additional spots in 5a4e09c

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you.

@andrewvc andrewvc changed the title [Heartbeat] Pass TLS options to forward proxies [heartbeat][libbeat][metricbeat][filebeat] Pass TLS options to forward proxies Jan 24, 2020
@andrewvc
Copy link
Contributor Author

@urso should be ready for re-review, I added this setting to every other spot I saw DialTLS in the code.

Copy link

@urso urso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Please add a changelog entry :)

@andrewvc andrewvc merged commit 0e57f6b into elastic:master Jan 27, 2020
@andrewvc andrewvc deleted the fix-forward-proxy-ssl branch January 27, 2020 17:56
andrewvc added a commit to andrewvc/beats that referenced this pull request Jan 27, 2020
…d proxies (elastic#15516)

Fixes a bug where TLS options would not be passed to forward proxies. This fixes a reported issue where x509 client cert auth doesn't work due to the cert parameters not being passed in.

Since this doesn't give us a full dialer we can't easily record TLS certificate expiry with proxies in heartbeat with this approach, so those fields would be missing. I think it makes sense to merge this change as-is and fix that secondary bug in a subsequent PR. I've opened a separate issue ( elastic#15797 ) to cover that.

I've tested this manually against with the following config: https://github.com/elastic/uptime-contrib/tree/master/testing/configs/client-auth , note that you'll need the included client certs in that directory, and will need to alter the YAML to point at their actual path.

I think in this scenario I'm fine with only having unit tests because the complexity of setting of a forward proxy + a custom TLS backend is very high.

Fixes elastic#15524

(cherry picked from commit 0e57f6b)
andrewvc added a commit to andrewvc/beats that referenced this pull request Jan 27, 2020
…d proxies (elastic#15516)

Fixes a bug where TLS options would not be passed to forward proxies. This fixes a reported issue where x509 client cert auth doesn't work due to the cert parameters not being passed in.

Since this doesn't give us a full dialer we can't easily record TLS certificate expiry with proxies in heartbeat with this approach, so those fields would be missing. I think it makes sense to merge this change as-is and fix that secondary bug in a subsequent PR. I've opened a separate issue ( elastic#15797 ) to cover that.

I've tested this manually against with the following config: https://github.com/elastic/uptime-contrib/tree/master/testing/configs/client-auth , note that you'll need the included client certs in that directory, and will need to alter the YAML to point at their actual path.

I think in this scenario I'm fine with only having unit tests because the complexity of setting of a forward proxy + a custom TLS backend is very high.

Fixes elastic#15524

(cherry picked from commit 0e57f6b)
simitt added a commit to simitt/apm-server that referenced this pull request Feb 3, 2020
Follow up on elastic/beats#15516 to pass TLS
options to forward proxies.
simitt added a commit to elastic/apm-server that referenced this pull request Feb 4, 2020
Follow up on elastic/beats#15516 to pass TLS
options to forward proxies.
simitt added a commit to simitt/apm-server that referenced this pull request Feb 4, 2020
Follow up on elastic/beats#15516 to pass TLS
options to forward proxies.
simitt added a commit to elastic/apm-server that referenced this pull request Feb 4, 2020
Follow up on elastic/beats#15516 to pass TLS
options to forward proxies.
simitt added a commit to simitt/apm-server that referenced this pull request Feb 4, 2020
Follow up on elastic/beats#15516 to pass TLS
options to forward proxies.
simitt added a commit to elastic/apm-server that referenced this pull request Feb 10, 2020
* Update beats framework to 32f1a9e

* Update TLS config for elasticsearch client (#3278)

Follow up on elastic/beats#15516 to pass TLS
options to forward proxies.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Filebeat Filebeat Heartbeat libbeat Metricbeat Metricbeat review Team:obs-ds-hosted-services Label for the Observability Hosted Services team v7.6.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Heartbeat] TLS options ignored when forward proxy used
3 participants