Clear Ssl-Client-* headers when no client certificate is present

pkg/middlewares/ingressnginx/authtlspasscertificatetoupstream/auth_tls_pass_certificate_to_upstream.go

@@ -65,6 +65,10 @@ func (p *authTLSPassCertificateToUpstream) ServeHTTP(rw http.ResponseWriter, req
 	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
 		logger.Debug().Msg("Tried to extract a certificate on a request without mutual TLS")
 		req.Header.Set(sslClientVerify, "NONE")
+		// Prevent client-supplied values from reaching the upstream on the no-mTLS path.
+		req.Header.Del(sslClientCert)
+		req.Header.Del(sslClientSubjectDN)
+		req.Header.Del(sslClientIssuerDN)
 		p.next.ServeHTTP(rw, req)
 		return
 	}

pkg/middlewares/ingressnginx/authtlspasscertificatetoupstream/auth_tls_pass_certificate_to_upstream_test.go

@@ -360,6 +360,26 @@ func TestAuthTLSPassCertificateToUpstream(t *testing.T) {
 	}
 }
 
+func TestAuthTLSNoMTLSClearsCertHeaders(t *testing.T) {
+	config := dynamic.AuthTLSPassCertificateToUpstream{
+		ClientAuthType: tls.VerifyClientCertIfGiven,
+	}
+	handler, err := NewAuthTLSPassCertificateToUpstream(t.Context(), next, config, "test")
+	require.NoError(t, err)
+
+	req := testhelpers.MustNewRequest(http.MethodGet, "http://example.com/foo", nil)
+	req.Header.Set(sslClientCert, "client-cert")
+	req.Header.Set(sslClientSubjectDN, "CN=client")
+	req.Header.Set(sslClientIssuerDN, "CN=client-CA")
+
+	handler.ServeHTTP(httptest.NewRecorder(), req)
+
+	assert.Equal(t, "NONE", req.Header.Get(sslClientVerify))
+	assert.Empty(t, req.Header.Get(sslClientCert))
+	assert.Empty(t, req.Header.Get(sslClientSubjectDN))
+	assert.Empty(t, req.Header.Get(sslClientIssuerDN))
+}
+
 func buildTLSWith(certContents []string) *cryptoTLS.ConnectionState {
 	var peerCertificates []*x509.Certificate