[THREESCALE-11128] Prevent APIcast fallback to global proxy settings for direct connection #1478

Merged
merged 1 commit into from
Jun 27, 2024

Conversation

tkan145
Contributor

@tkan145 tkan145 commented Jun 27, 2024

What

Fix https://issues.redhat.com/browse/THREESCALE-11128

Notes

With the newer version of lua-resty-http (0.7.1), if proxy options are not provided when calling the connect() method, it will fall back to using the global proxy settings set by the "set_proxy_option" function (which has no effect in previous versions of the library). This then causes unexpected behavior where the direct connection will now go through the proxy server.

Verification steps

  • Build a new runtime image
make runtime-image IMAGE_NAME=apicast-test
  • Move into dev-environment
cd dev-environments/http-proxy-plain-http-upstream
  • Edit apicast-config.json as follows:
diff --git a/dev-environments/http-proxy-plain-http-upstream/apicast-config.json b/dev-environments/http-proxy-plain-http-upstream/apicast-config.json
index daa6967c..0e404d45 100644
--- a/dev-environments/http-proxy-plain-http-upstream/apicast-config.json
+++ b/dev-environments/http-proxy-plain-http-upstream/apicast-config.json
@@ -11,12 +11,6 @@
           "host": "backend"
         },
         "policy_chain": [
-          {
-            "name": "apicast.policy.http_proxy",
-            "configuration": {
-              "http_proxy": "http://proxy:8080/"
-            }
-          },
           {
             "name": "apicast.policy.apicast"
           }
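Review bot: the step does not say why the apicast.policy.http_proxy entry is dropped from policy_chain. A one-line note that, for this check, the proxy must come only from the HTTP_PROXY environment variable added in the next step, and that this edit is for local verification only, would make the intent clear.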
  • Update docker-compose.yml
diff --git a/dev-environments/http-proxy-plain-http-upstream/docker-compose.yml b/dev-environments/http-proxy-plain-http-upstream/docker-compose.yml
index f1e461fb..c25fa61d 100644
--- a/dev-environments/http-proxy-plain-http-upstream/docker-compose.yml
+++ b/dev-environments/http-proxy-plain-http-upstream/docker-compose.yml
@@ -15,6 +15,8 @@ services:
       APICAST_WORKERS: 1
       APICAST_LOG_LEVEL: debug
       APICAST_CONFIGURATION_CACHE: "0"
+      HTTP_PROXY: "http://proxy:8080"
+      NO_PROXY: "127.0.0.1,localhost"
     expose:
       - "8080"
       - "8090"
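Review bot: NO_PROXY lists only 127.0.0.1 and localhost, and the expected response below carries a Via: 1.1 tinyproxy header, so a 200 alone does not show that the excluded connection bypassed http://proxy:8080. Suggest stating which hop is expected to go direct and which through the proxy, and adding a look at the proxy container logs to the verification.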
  • Start APIcast
make gateway IMAGE_NAME=apicast-test
  • Send a request
curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"

APIcast should respond with 200

< HTTP/1.1 200 OK
< Server: openresty
< Date: Thu, 27 Jun 2024 02:59:58 GMT
< Content-Type: application/json
< Content-Length: 249
< Connection: keep-alive
< Via: 1.1 tinyproxy (tinyproxy/1.11.2)
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true

With the newer version of lua-resty-http (0.7.1), if proxy options
are not provided when calling the connect() method, it will fall back to
using the global proxy settings set by the "set_proxy_option" function
(has no effect in previous versions of the library). This then causes
unexpected behavior where the direct connection will now go through
the proxy server.

This PR explicitly sets the proxy options to an empty table to bypass
global proxy settings when connecting directly.
@tkan145 tkan145 marked this pull request as ready for review June 27, 2024 03:01
@tkan145 tkan145 requested a review from a team as a code owner June 27, 2024 03:01
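The fallback described in this PR, as an added stand-alone Lua model; it is not code from the PR or from lua-resty-http. The names Client and resolve_route are hypothetical, the `or` resolution is an assumption drawn from the description above, and only plain HTTP is modelled.

```lua
-- Illustration only: a model of per-connection proxy resolution.
-- Client and resolve_route are hypothetical names, not library API.
local Client = {}
Client.__index = Client

function Client.new()
  return setmetatable({ proxy_opts = nil }, Client)
end

-- Client-wide ("global") proxy settings, e.g. derived from HTTP_PROXY.
function Client:set_proxy_options(opts)
  self.proxy_opts = opts
end

-- Decide the first hop for one plain-HTTP connection.
--   options.proxy_opts == nil -> falls back to the client-wide settings
--   options.proxy_opts == {}  -> an empty table is truthy in Lua, so the
--                                `or` never reaches the client-wide settings
function Client:resolve_route(options)
  local proxy = options.proxy_opts or self.proxy_opts   -- assumed resolution
  local proxy_uri = proxy and proxy.http_proxy
  if proxy_uri then
    -- Through a plain HTTP proxy the request line carries the absolute URI,
    -- as in the proxy log quoted later in this thread.
    local origin = "http://" .. options.host .. ":" .. options.port
    return { via = proxy_uri, request_target = origin .. options.path }
  end
  return { via = "direct", request_target = options.path }
end

-- Constructed sample values, modelled on the dev environment on this page.
local client = Client.new()
client:set_proxy_options({ http_proxy = "http://proxy:8080" })

local backend = { host = "127.0.0.1", port = 8081,
                  path = "/transactions/authrep.xml" }

local function show(label, opts)
  local r = client:resolve_route(opts)
  print(string.format("%-20s via=%-18s target=%s",
                      label, r.via, r.request_target))
end

show("no proxy_opts", backend)            -- inherits the client-wide proxy
backend.proxy_opts = {}
show("proxy_opts = {}", backend)          -- explicit empty table: direct
backend.proxy_opts = { http_proxy = "http://other:3128" }
show("explicit proxy_opts", backend)      -- per-connection override
```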
@eguzki
Member

eguzki commented Jun 27, 2024

Good one.

I also tested without the NO_PROXY and the backend request goes via proxy as expected, which obviously fails as the proxy cannot resolve http://127.0.0.1:8081/transactions/authrep.xml

From docker compose -p http-proxy-plain-http-upstream logs -f proxy:


proxy  | 2024/06/27 08:36:02 socat[1] N accepting connection from AF=2 172.22.0.6:55516 on AF=2 172.22.0.4:8080
proxy  | 2024/06/27 08:36:02 socat[1] N forked off child process 7
proxy  | 2024/06/27 08:36:02 socat[1] N listening on AF=2 0.0.0.0:8080
proxy  | 2024/06/27 08:36:02 socat[7] N opening connection to AF=2 172.22.0.3:443
proxy  | 2024/06/27 08:36:02 socat[7] N successfully connected from local address AF=2 172.22.0.4:48682
proxy  | 2024/06/27 08:36:02 socat[7] N starting data transfer loop with FDs [6,6] and [5,5]
proxy  | > 2024/06/27 08:36:02.000476032  length=269 from=0 to=268
proxy  | GET http://127.0.0.1:8081/transactions/authrep.xml?service_id=1&usage%5Bhits%5D=1&user_key=123 HTTP/1.1\r
proxy  | Host: backend\r
proxy  | 3scale-Options: rejection_reason_header=1&limit_headers=1&no_body=1\r
proxy  | Connection: Keep-Alive\r
proxy  | User-Agent: APIcast/3.15.0 (Linux; x64; env:staging)\r
proxy  | \r
proxy  | < 2024/06/27 08:36:02.000476991  length=104 from=0 to=103
proxy  | HTTP/1.1 500 Unable to connect\r


@tkan145 tkan145 merged commit 907db14 into 3scale:master Jun 27, 2024
14 checks passed
@tkan145 tkan145 deleted the THREESCALE-11128-no-proxy branch June 27, 2024 08:50
@tkan145 tkan145 changed the title Prevent APIcast fallback to global proxy settings for direct connection [THREESCALE-11128] Prevent APIcast fallback to global proxy settings for direct connection Jun 27, 2024