[release-4.18] OCPBUGS-OCPBUGS-86715: Strip X-SSL-* headers for plain HTTP

[MrSanketkumar]

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

• Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
• Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
• Secure by default - header stripping enabled unless explicitly disabled

Summary by CodeRabbit

Release Notes

• New Features
  • Added header filtering to the router to prevent spoofing of mutual TLS identity claims. This security enhancement automatically filters headers that could be forged by clients, reducing unauthorized access risks. The feature is enabled by default but can be toggled if needed.

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:

• expected dependent Jira Issue OCPBUGS-86716 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

• Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
• Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
• Secure by default - header stripping enabled unless explicitly disabled

Backport of : #799

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The HAProxy config template gains conditional http-request del-header directives in three frontends (frontend public, frontend fe_sni, frontend fe_no_sni) to strip X-SSL and all X-SSL-Client-* headers from incoming requests. The behavior is gated on the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable, which defaults to true.

Changes

X-SSL Header Spoofing Mitigation

Layer / File(s)	Summary
Conditional X-SSL header stripping across all three frontends images/router/haproxy/conf/haproxy-config.template	Adds identical ROUTER_MUTUAL_TLS_HEADER_FILTER-gated blocks (default true) in the plain HTTP frontend (lines 254–270), TLS SNI frontend (lines 388–405), and TLS no-SNI frontend (lines 521–538), each issuing http-request del-header for X-SSL and all X-SSL-Client-* headers to prevent client spoofing of mutual-TLS identity headers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/router#787: Modifies the same HAProxy template file to add the same ROUTER_MUTUAL_TLS_HEADER_FILTER-gated http-request del-header stripping for X-SSL and X-SSL-Client-* headers in the same frontends.
• openshift/router#793: Directly overlaps — conditionally deletes X-SSL and X-SSL-Client-* (including X-SSL-Issuer) from the same three HAProxy frontends behind ROUTER_MUTUAL_TLS_HEADER_FILTER.
• openshift/router#795: Applies the same conditional X-SSL/X-SSL-Client-* header stripping via ROUTER_MUTUAL_TLS_HEADER_FILTER in frontend public, fe_sni, and fe_no_sni of the same template file.

Suggested labels

approved, lgtm, backport-risk-assessed, jira/valid-bug, verified

Suggested reviewers

• Miciah
• knobunc

🚥 Pre-merge checks | ✅ 5 | ❌ 10

❌ Failed checks (10 inconclusive)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is partially related to the changeset. It mentions stripping X-SSL headers for plain HTTP, which is one aspect of the change, but omits the critical context that this applies to multiple frontends (fe_sni and fe_no_sni) and downplays the overall security objective (mutual TLS header spoofing prevention).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign knobunc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[MrSanketkumar]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[openshift-ci]

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.