
[release-4.12] OCPBUGS-86709: Strip X-SSL-* headers for plain HTTP #809

Status: Open
MrSanketkumar wants to merge 1 commit into openshift:release-4.12 from MrSanketkumar:CVE-2026-46579-4.12

Conversation

MrSanketkumar commented Jun 29, 2026

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

  • Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
  • Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
  • Secure by default - header stripping enabled unless explicitly disabled

Backport of: #808

Summary by CodeRabbit

  • Bug Fixes
    • Improved request header handling to remove sensitive client identity headers in more routing paths.
    • Reduced the risk of leaking mutual-TLS-related information when traffic is processed over plain HTTP or after TLS termination.
    • Existing header sanitization behavior is now applied more consistently before requests are routed onward.
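The approach the description above refers to (delete the X-SSL-* request headers on the frontends, gated by ROUTER_MUTUAL_TLS_HEADER_FILTER, before any backend is selected), shown as an added illustrative HAProxy template fragment. This is not the PR's own diff: the exact list of twelve headers the PR strips is not visible on this page, so the fragment deletes by name prefix instead, and the template helpers `env` (with a default value) and `isTrue` are assumed to exist in the router's template, as are the frontend names taken from the description.

```haproxy
# Added example, not the PR's diff. Only the "public" (plain HTTP)
# frontend is shown; the PR description says the same block is placed
# in fe_sni and fe_no_sni as well, so each TLS-terminating path also
# drops client-supplied X-SSL-* headers before backend selection.
frontend public
  bind :80
  mode http
  option httplog

{{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
  # Remove every request header whose name begins with "X-SSL", so a
  # client on plain HTTP cannot present e.g. X-SSL-Client-DN as if the
  # router had verified a client certificate. "-m beg" matches the
  # header name by prefix and requires HAProxy 2.2 or newer; on older
  # versions each header must be deleted by its full name, one
  # "http-request del-header X-SSL-Client-DN"-style line per header.
  http-request del-header X-SSL -m beg
{{- end }}

  # Backend selection happens after the deletion above, so any
  # X-SSL-* header a backend sets itself (for routes that do verify
  # client certificates) is written onto an already-clean request.
  default_backend be_http_default

backend be_http_default
  mode http
  server app 127.0.0.1:8080 check
```

To confirm the filter is active on a running router, send a plain-HTTP request through it that carries a forged `X-SSL-Client-DN` header to an echo backend and check that the backend sees no `X-SSL` headers at all; with the environment variable set to `false` the same request should arrive with the header intact, which is the behaviour the default is there to prevent.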

openshift-ci-robot added labels jira/severity-important (referenced Jira bug's severity is important for the branch this PR is targeting), jira/valid-reference (this PR references a valid Jira ticket of any type) and jira/invalid-bug (a referenced Jira bug is invalid for the branch this PR is targeting) on Jun 29, 2026

openshift-ci-robot (Contributor) commented:

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86709, which is invalid:

  • expected dependent Jira Issue OCPBUGS-86710 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented Jun 29, 2026
No actionable comments were generated in the recent review. 🎉

Recent review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 4051ac18-cd5f-4044-b42e-f796b35997d0

Commits: reviewing files that changed from the base of the PR and between 2b29329 and d49eb78.

Files selected for processing (1):
  • images/router/haproxy/conf/haproxy-config.template

Walkthrough

The HAProxy config template gains conditional X-SSL and X-SSL-Client-* header deletion on all three frontends (public, fe_sni, fe_no_sni), gated by the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable (default enabled), preventing clients from spoofing mutual-TLS identity headers.

Changes

mTLS Header Spoofing Prevention

Layer: X-SSL header stripping across all frontends
File(s): images/router/haproxy/conf/haproxy-config.template
Summary: Adds a ROUTER_MUTUAL_TLS_HEADER_FILTER-gated block to frontend public (HTTP), frontend fe_sni (TLS+SNI), and frontend fe_no_sni (TLS without SNI) that deletes X-SSL and X-SSL-Client-* request headers before backend selection.

Estimated code review effort: 2 (Simple), about 10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

Failed checks (1 error)

  • Container-Privileges (Error): The PR adds deploy/router.yaml with hostNetwork: true in a Kubernetes Deployment, which this check explicitly flags. Resolution: remove hostNetwork: true or document an approved exception if this host networking is truly required.

Passed checks (14 passed)

  • Description Check: Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: The title clearly and accurately summarizes the main change: stripping X-SSL-* headers for plain HTTP.
  • Docstring Coverage: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: The PR only changes a HAProxy template file; no Ginkgo test files or test titles were added or modified.
  • Test Structure And Quality: The PR only changes the HAProxy template; no Ginkgo test code was added or modified, so this check is not applicable.
  • Microshift Test Compatibility: No new Ginkgo e2e tests were added; the PR only changes router template/config files, so MicroShift-incompatible test APIs aren't implicated.
  • Single Node Openshift (Sno) Test Compatibility: The PR only updates the HAProxy config template; no Ginkgo e2e tests or multi-node assumptions were added.
  • Topology-Aware Scheduling Compatibility: Only HAProxy request-header stripping changed in a config template; no replicas, node selectors, anti-affinity, or topology-spread logic was added.
  • Ote Binary Stdout Contract: The PR only adds HAProxy header-filter template directives; no main/init/suite code or stdout writes were introduced.
  • Ipv6 And Disconnected Network Test Compatibility: PASS: The PR only changes the HAProxy template; no new Ginkgo/e2e tests were added, so there are no IPv4 or connectivity assumptions to check.
  • No-Weak-Crypto: The patch only adds HAProxy header stripping; it introduces no new MD5/SHA1/DES/RC4/3DES/Blowfish/ECB usage, custom crypto, or secret comparisons.
  • No-Sensitive-Data-In-Logs: The patch only adds X-SSL header stripping; it introduces no new log/capture statements that would expose sensitive data.

Comment @coderabbitai help to get the list of available commands.

openshift-ci Bot requested review from alebedev87 and candita on June 29, 2026 at 18:07

openshift-ci Bot (Contributor) commented Jun 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign alebedev87 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

MrSanketkumar (Author) commented:

@coderabbitai review

coderabbitai Bot commented Jun 29, 2026

Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

MrSanketkumar (Author) commented:

/retest-required

1 similar comment
openshift-ci Bot (Contributor) commented Jun 30, 2026

@MrSanketkumar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/e2e-aws-serial (commit d49eb78, required: true): rerun with /test e2e-aws-serial

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
