Revert rejecting connection if PROXY header is signed with non-local …

…cluster (#32068) Temporary reverting before we implement proper fix. This caused clusters with changed name (but not updated CA) to become unaccesible.
gravitational · Sep 18, 2023 · 0473c5f · 0473c5f
1 parent ea788a8
commit 0473c5f
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/lib/multiplexer/multiplexer.go b/lib/multiplexer/multiplexer.go
@@ -500,6 +500,13 @@ func (m *Mux) detect(conn net.Conn) (*Conn, error) {
 					}).Warnf("%s - could not get host CA", invalidProxySignatureError)
 					continue
 				}
+				if errors.Is(err, ErrNonLocalCluster) {
+					m.WithFields(log.Fields{
+						"src_addr": conn.RemoteAddr(),
+						"dst_addr": conn.LocalAddr(),
+					}).Debugf("%s - signed by non local cluster", invalidProxySignatureError)
+					continue
+				}
 				if err != nil {
 					return nil, trace.Wrap(err, "%s %s -> %s", invalidProxySignatureError, conn.RemoteAddr(), conn.LocalAddr())
 				}