9.0.0

@rra rra released this 09 Jan 21:49
9697b70

Backwards-incompatible changes

  • Gafaelfawr now takes over 403 error responses from any protected service using a Gafaelfawr-generated ingress. 403 responses generated by the service itself will be passed to the client, but the body of the response and any WWW-Authenticate headers will be lost.
  • User errors from the /auth route (not syntax errors like missing parameters) now uniformly return 403, since the NGINX auth_request module can only handle 401 and 403 responses. The actual status code is put in the X-Error-Status response header, and the JSON body (if relevant) in X-Error-Body.
  • All ingresses created by Gafaelfawr use an @autherror error page for 403 responses that is added to each NGINX server scope by Phalanx. This custom location uses the X-Error-Status and X-Error-Body headers to tell NGINX to generate the correct error response.
  • Remove the /auth/forbidden route, since a Cache-Control header is now automatically added via ingress-nginx to all errors. The config.rewrite403 parameter to GafaelfawrIngress is still supported but does nothing, since its behavior is now the default.

New features

  • Gafaelfawr now accepts tokens in either the username or password portion of HTTP Basic Auth without requiring the other field be x-oauth-basic. If both components are tokens, they must match; if they do not, Gafaelfawr raises an error.
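
The Basic Auth rule above, sketched as an added example; this is not Gafaelfawr's own code. It assumes a token is recognized by a `gt-` prefix, and the names `token_from_basic_auth`, `basic` and `InvalidBasicAuth` are hypothetical.

```python
import base64
import binascii
import hmac

TOKEN_PREFIX = "gt-"  # assumption: how a field is recognized as a token


class InvalidBasicAuth(Exception):
    """Malformed header, no token present, or two conflicting tokens."""


def looks_like_token(value: str) -> bool:
    return value.startswith(TOKEN_PREFIX)


def token_from_basic_auth(header: str) -> str:
    """Return the token carried in an HTTP Basic Authorization header value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise InvalidBasicAuth("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise InvalidBasicAuth("invalid base64 in credentials") from exc
    # Only the first ':' separates the fields; the password may contain more.
    username, sep, password = decoded.partition(":")
    if not sep:
        raise InvalidBasicAuth("credentials lack a ':' separator")
    user_is_token = looks_like_token(username)
    pass_is_token = looks_like_token(password)
    if user_is_token and pass_is_token:
        # Two tokens must be identical; compare in constant time.
        if not hmac.compare_digest(username.encode(), password.encode()):
            raise InvalidBasicAuth("username and password tokens differ")
        return username
    if user_is_token:
        return username
    if pass_is_token:
        return password
    raise InvalidBasicAuth("neither field contains a token")


def basic(username: str, password: str) -> str:
    """Build a Basic header value (helper for constructed sample input)."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()
```

Rejecting two differing tokens, rather than picking one, avoids ambiguity about which identity a request is authenticated as.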