login-common: Use HAproxy provided proxy.ssl information
authorAki Tuomi <aki.tuomi@dovecot.fi>
Mon, 18 Sep 2017 12:27:38 +0000 (15:27 +0300)
committerTimo Sirainen <tss@dovecot.fi>
Mon, 16 Oct 2017 08:04:36 +0000 (11:04 +0300)
If the connection is proxied via a system that can terminate
SSL for us, such as HAProxy, use that information only.

src/login-common/client-common.c
src/login-common/client-common.h
src/login-common/sasl-server.c

index 7686446d1abc727a3073dfda2c419c9eaf48fc0c..57257706917e2b3bee262e96bcecde67712f0886 100644 (file)
@@ -190,10 +190,16 @@ client_create(int fd, bool ssl, pool_t pool,
        client->real_remote_ip = conn->real_remote_ip;
        client->real_remote_port = conn->real_remote_port;
        client->listener_name = p_strdup(client->pool, conn->name);
-
        client->trusted = client_is_trusted(client);
-       client->secured = ssl || client->trusted ||
-               net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip);
+
+       if (conn->proxied) {
+               client->secured = conn->proxy.ssl || client->trusted;
+               client->local_name = conn->proxy.hostname;
+               client->client_cert_common_name = conn->proxy.cert_common_name;
+       } else {
+               client->secured = ssl || client->trusted ||
+                       net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip);
+       }
        client->proxy_ttl = LOGIN_PROXY_TTL;
 
        if (last_client == NULL)
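Review bot: The proxied branch stores `conn->proxy.hostname` and `conn->proxy.cert_common_name` as bare pointers, whereas `conn->name` a few lines earlier is copied with `p_strdup(client->pool, ...)`; unless those proxy strings are guaranteed to outlive the client (not visible here), they should be copied the same way, `client->local_name = p_strdup(client->pool, conn->proxy.hostname);` and `client->client_cert_common_name = p_strdup(client->pool, conn->proxy.cert_common_name);`. Both `secured` and the certificate common name are now taken on the proxy's word, so this branch is only sound if `conn->proxied` is set solely for connections arriving from a trusted proxy, which the hunk cannot show; a comment stating that assumption, e.g. `/* proxy.* fields come from the PROXY header; trusted only because proxied is set for trusted proxy networks alone */`, would make the trust boundary explicit. Note also that the local `ssl` flag no longer contributes to `secured` when proxied, which matches the commit message but means a TLS session passed through the proxy unterminated is treated as unsecured unless the proxy reports it. client_create continues outside the hunk.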
index 8250404e9bcb259db2af838a1e13f86eba25f779..b633d0e27a17794aaafab5da83fca00e8aa07feb 100644 (file)
@@ -147,6 +147,8 @@ struct client {
        const struct master_service_ssl_settings *ssl_set;
        const char *session_id, *listener_name, *postlogin_socket_path;
        const char *local_name;
+       const char *client_cert_common_name;
+
        string_t *client_id;
        string_t *forward_fields;
 
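Review bot: The new `client_cert_common_name` field states neither its source nor its ownership, and it is easy to confuse with a common name verified by the local TLS stack; suggest `/* client cert CN as reported by a trusted proxy (PROXY header), NULL if none */` above it. The struct definition continues outside the hunk.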
index 812d25c6ccfc31e58f6007cd338aadbe7ea6b41c..b27232e6296fd3f36f90701ac852ca3f221c0c20 100644 (file)
@@ -355,8 +355,10 @@ void sasl_server_auth_begin(struct client *client,
        info.mech = mech->name;
        info.service = service;
        info.session_id = client_get_session_id(client);
-       info.cert_username = client->ssl_proxy == NULL ? NULL :
-               ssl_proxy_get_peer_name(client->ssl_proxy);
+       if (client->client_cert_common_name != NULL)
+               info.cert_username = client->client_cert_common_name;
+       else if (client->ssl_proxy != NULL)
+               info.cert_username = ssl_proxy_get_peer_name(client->ssl_proxy);
        info.flags = client_get_auth_flags(client);
        info.local_ip = client->local_ip;
        info.remote_ip = client->ip;
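Review bot: `info.cert_username` is no longer assigned when both `client->client_cert_common_name` and `client->ssl_proxy` are NULL, whereas the removed lines always assigned it; unless `info` is zeroed before this hunk (outside view), the field is left uninitialised. A final `else info.cert_username = NULL;` keeps the old guarantee regardless of how `info` is declared. Since a proxy-supplied common name now takes precedence over the peer name from the local TLS session, a short comment on the first branch, `/* proxy terminated TLS and verified the client cert for us */`, would make that precedence deliberate. sasl_server_auth_begin continues outside the hunk.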