
[release-4.19] OCPBUGS-86716: Strip X-SSL-* headers for plain HTTP#799

Open · MrSanketkumar wants to merge 1 commit into openshift:release-4.19 from MrSanketkumar:CVE-2026-46579-4.19

Conversation

MrSanketkumar commented Jun 18, 2026

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

  • Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
  • Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
  • Secure by default - header stripping enabled unless explicitly disabled

Backport of: #797

Summary by CodeRabbit

  • Bug Fixes
    • Added conditional mutual-TLS header filtering to prevent identity spoofing attacks when mutual authentication is disabled. The feature is controlled via a configuration flag (enabled by default).

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 18, 2026
coderabbitai Bot commented Jun 18, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 0b3d3db and e6744e3.

📒 Files selected for processing (1)
  • images/router/haproxy/conf/haproxy-config.template

Walkthrough

The HAProxy config template gains a ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable (defaulting to true) that, when enabled, deletes X-SSL and all associated X-SSL-Client-*/X-SSL-Issuer headers from incoming requests across three frontend sections: plain HTTP, public_ssl, and fe_no_sni.

Changes

mTLS Header Filtering Across HAProxy Frontends

| Layer / File(s) | Summary |
| --- | --- |
| X-SSL* header deletion in plain HTTP, public_ssl, and fe_no_sni frontends (`images/router/haproxy/conf/haproxy-config.template`) | Inserts identical ROUTER_MUTUAL_TLS_HEADER_FILTER-gated http-request del-header blocks (lines 254–270, 388–405, 521–538) into the plain HTTP frontend, the public_ssl TLS frontend, and the fe_no_sni non-SNI TLS frontend, stripping X-SSL, X-SSL-Client-Cert, X-SSL-Client-Cert-Chain, X-SSL-Client-DN, X-SSL-Client-NotAfter, X-SSL-Client-NotBefore, X-SSL-Client-Serial, X-SSL-Client-Verify, and X-SSL-Issuer from incoming requests when the variable is set to true. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • openshift/router#787: Modifies the same HAProxy template to add ROUTER_MUTUAL_TLS_HEADER_FILTER-gated http-request del-header rules stripping X-SSL* headers in HAProxy HTTP frontends.
  • openshift/router#793: Modifies the same HAProxy template to conditionally delete X-SSL* spoofing headers across the same set of frontends (public, public_ssl, fe_no_sni).
  • openshift/router#795: Adds the same environment-gated http-request del-header stripping of X-SSL* headers across the plain HTTP and TLS frontends controlled by ROUTER_MUTUAL_TLS_HEADER_FILTER.

Suggested labels

approved, lgtm, backport-risk-assessed, verified

Suggested reviewers

  • alebedev87
  • knobunc

Pre-merge checks: 15 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main security fix by specifying the primary action (stripping X-SSL-* headers) and the context (plain HTTP), directly reflecting the changeset's core objective. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This PR modifies HAProxy configuration templates and Go code files, but contains NO Ginkgo test definitions. The check for Ginkgo test name stability is not applicable since no Ginkgo tests are pre... |
| Test Structure And Quality | ✅ Passed | The PR does not modify or add Ginkgo test code; it contains only traditional Go unit tests using testing.T and a HAProxy template change. The check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests. It only modifies HAProxy configuration and includes unit tests (using standard Go testing package). The custom check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds no Ginkgo e2e tests; it only modifies the HAProxy configuration template to implement mTLS header filtering. The check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only HAProxy configuration template (images/router/haproxy/conf/haproxy-config.template), not Kubernetes deployment manifests, operator code, or controllers. No scheduling constraints,... |
| Ote Binary Stdout Contract | ✅ Passed | PR changes are primarily to HAProxy config template (haproxy-config.template), not OTE test extension code. The router binary is not an OTE binary communicating test results via JSON stdout. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added. PR only modifies a HAProxy configuration template file (images/router/haproxy/conf/haproxy-config.template), which is not subject to IPv6/disconnected network co... |
| No-Weak-Crypto | ✅ Passed | PR adds header-stripping directives using HAProxy's http-request del-header commands to mitigate CVE-2026-46579. Changes contain no weak crypto algorithms, custom implementations, or secret compari... |
| Container-Privileges | ✅ Passed | PR only modifies haproxy-config.template (a HAProxy configuration file, not a K8s manifest) with security header filtering logic. No container/K8s manifests with privilege settings were modified. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR strips X-SSL headers from requests via http-request del-header directives; no logging statements expose sensitive data, only headers are deleted for security. |

openshift-ci-robot commented

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86716, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-86717 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-86717 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from ironcladlou and knobunc June 18, 2026 09:16
openshift-ci Bot commented Jun 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign gcs278 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@MrSanketkumar MrSanketkumar changed the title [release-4.19] OCPBUGS-86716: Strip X-SSL-Client-* headers for plain HTTP [release-4.19] OCPBUGS-86716: Strip X-SSL-* headers for plain HTTP Jun 18, 2026
MrSanketkumar (Author) commented

@coderabbitai review

coderabbitai Bot commented Jun 18, 2026

Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

openshift-ci-robot commented

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86716, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-86717 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-86717 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci Bot commented Jun 18, 2026

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

UdayYendva commented

I’ve created a cluster using the PR that includes the merged fix from PR #799. The corresponding ClusterVersion is: 4.19.0-0-2026-06-22-062713-test-ci-ln-9xytvib-latest

```console
oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.0-0-2026-06-22-062713-test-ci-ln-9xytvib-latest   True        False         7m39s   Cluster version is 4.19.0-0-2026-06-22-062713-test-ci-ln-9xytvib-latest
oc project openshift-ingress
Now using project "openshift-ingress" on server "https://api.ci-ln-nx25ys2-76ef8.aws-4.ci.openshift.org:6443".
oc get pods
NAME                              READY   STATUS    RESTARTS      AGE
router-default-76c5fd84cc-4c7s5   1/1     Running   2 (23m ago)   33m
router-default-76c5fd84cc-5zqzj   1/1     Running   2 (22m ago)   33m
```

After inspecting one of the pods, I confirmed that the latest changes from the PR are present in the Router, SNI and NO SNI code paths, therefore successfully indicating that the fix has been successfully deployed.
These changes from the PR are correctly reflected in the running ingress/router pods.

```console
oc rsh pods/router-default-76c5fd84cc-4c7s5
sh-5.1$ cat haproxy
haproxy-config.template  haproxy.config
sh-5.1$ cat haproxy-config.template
```

These are the same changes that were introduced in #799

```
  # Strip off X-SSL* headers for plain HTTP if not explicitly disabled.
  # This prevents unauthenticated spoofing of mutual TLS client identities.
  {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
  http-request del-header X-SSL
  http-request del-header X-SSL-Client-CN
  http-request del-header X-SSL-Client-DER
  http-request del-header X-SSL-Client-DN
  http-request del-header X-SSL-Client-NotAfter
  http-request del-header X-SSL-Client-NotBefore
  http-request del-header X-SSL-Client-SHA1
  http-request del-header X-SSL-Client-Serial
  http-request del-header X-SSL-Client-Subject
  http-request del-header X-SSL-Client-Verify
  http-request del-header X-SSL-Client-Version
  http-request del-header X-SSL-Issuer
  {{- end }}
```

/Verified by ci
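To see exactly what the guard in the PR description and in the template block quoted above emits, here is an added Go example (not the router's own code) that renders that block with `ROUTER_MUTUAL_TLS_HEADER_FILTER` unset, and counts the resulting `http-request del-header` rules; the `env` and `isTrue` functions are stand-ins assumed to behave like the router's template helpers (value-or-default lookup and boolean parsing).

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strconv"
	"strings"
	"text/template"
)

// The twelve headers the quoted template block deletes, in the page's order.
var sslHeaders = []string{"X-SSL", "X-SSL-Client-CN", "X-SSL-Client-DER", "X-SSL-Client-DN",
	"X-SSL-Client-NotAfter", "X-SSL-Client-NotBefore", "X-SSL-Client-SHA1", "X-SSL-Client-Serial",
	"X-SSL-Client-Subject", "X-SSL-Client-Verify", "X-SSL-Client-Version", "X-SSL-Issuer"}

// fragment rebuilds that block: one del-header line per header inside the PR's guard.
var fragment = `{{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}` +
	"\n  http-request del-header " + strings.Join(sslHeaders, "\n  http-request del-header ") +
	"\n  {{- end }}"

// env and isTrue are stand-ins (assumptions, not the router's own template helpers).
func env(name, def string) string {
	if v, ok := os.LookupEnv(name); ok {
		return v
	}
	return def
}

func isTrue(s string) bool {
	b, err := strconv.ParseBool(strings.TrimSpace(s))
	return err == nil && b
}

// RenderFilter renders the fragment with ROUTER_MUTUAL_TLS_HEADER_FILTER set to
// value; "" leaves it unset, which exercises the secure default.
func RenderFilter(value string) (string, error) {
	const key = "ROUTER_MUTUAL_TLS_HEADER_FILTER"
	os.Unsetenv(key)
	if value != "" {
		os.Setenv(key, value)
	}
	var buf bytes.Buffer
	err := template.Must(template.New("haproxy").Funcs(template.FuncMap{"env": env, "isTrue": isTrue}).Parse(fragment)).Execute(&buf, nil)
	return buf.String(), err
}

// StrippedCount counts the "http-request del-header X-SSL..." rules in a rendered config.
func StrippedCount(cfg string) int { return strings.Count(cfg, "http-request del-header X-SSL") }

func main() {
	cfg, _ := RenderFilter("") // variable unset: the filter must be on by default
	fmt.Printf("%d del-header rules rendered:%s\n", StrippedCount(cfg), cfg)
}
```

With the variable unset or "true" all twelve rules are rendered; "false" (or any value that does not parse as true) renders none, which is the explicit opt-out the description refers to.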

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 22, 2026
openshift-ci-robot commented

@UdayYendva: This PR has been marked as verified by ci.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
