-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use forwarded Host header without any changes #14319
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,7 +25,7 @@ func TestSchemeHost(t *testing.T) { | |
}, | ||
}, | ||
expectedScheme: "https", | ||
expectedHost: "example.com:443", | ||
expectedHost: "example.com", | ||
}, | ||
"X-Forwarded-Port overwrites X-Forwarded-Host port": { | ||
req: &http.Request{ | ||
|
@@ -51,7 +51,32 @@ func TestSchemeHost(t *testing.T) { | |
}, | ||
}, | ||
expectedScheme: "https", | ||
expectedHost: "example.com:443", | ||
expectedHost: "example.com", | ||
}, | ||
"stripped X-Forwarded-Host and X-Forwarded-Port with non-standard port": { | ||
req: &http.Request{ | ||
URL: &url.URL{Path: "/"}, | ||
Host: "127.0.0.1", | ||
Header: http.Header{ | ||
"X-Forwarded-Host": []string{"example.com"}, | ||
"X-Forwarded-Port": []string{"80"}, | ||
"X-Forwarded-Proto": []string{"https"}, | ||
}, | ||
}, | ||
expectedScheme: "https", | ||
expectedHost: "example.com:80", | ||
}, | ||
"detect scheme from X-Forwarded-Port": { | ||
req: &http.Request{ | ||
URL: &url.URL{Path: "/"}, | ||
Host: "127.0.0.1", | ||
Header: http.Header{ | ||
"X-Forwarded-Host": []string{"example.com"}, | ||
"X-Forwarded-Port": []string{"443"}, | ||
}, | ||
}, | ||
expectedScheme: "https", | ||
expectedHost: "example.com", | ||
}, | ||
|
||
"req host": { | ||
|
@@ -156,7 +181,7 @@ func TestSchemeHost(t *testing.T) { | |
}, | ||
}, | ||
expectedScheme: "http", | ||
expectedHost: "route-namespace.router.default.svc.cluster.local:80", | ||
expectedHost: "route-namespace.router.default.svc.cluster.local", | ||
}, | ||
"haproxy edge terminated route -> svc -> non-tls pod": { | ||
req: &http.Request{ | ||
|
@@ -171,6 +196,21 @@ func TestSchemeHost(t *testing.T) { | |
}, | ||
}, | ||
expectedScheme: "https", | ||
expectedHost: "route-namespace.router.default.svc.cluster.local", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. did you capture this via an actual request to haproxy and verify haproxy differentiates between an explicit port and an implicit one in the headers it sets? |
||
}, | ||
"haproxy edge terminated route -> svc -> non-tls pod with the explicit port": { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. same question for this testcase... was this verified with actual backend capture through haproxy? |
||
req: &http.Request{ | ||
URL: &url.URL{Path: "/"}, | ||
Host: "route-namespace.router.default.svc.cluster.local:443", | ||
Header: http.Header{ | ||
"X-Forwarded-Host": []string{"route-namespace.router.default.svc.cluster.local:443"}, | ||
"X-Forwarded-Port": []string{"443"}, | ||
"X-Forwarded-Proto": []string{"https"}, | ||
"Forwarded": []string{"for=172.18.2.57;host=route-namespace.router.default.svc.cluster.local:443;proto=https"}, | ||
"X-Forwarded-For": []string{"172.18.2.57"}, | ||
}, | ||
}, | ||
expectedScheme: "https", | ||
expectedHost: "route-namespace.router.default.svc.cluster.local:443", | ||
}, | ||
"haproxy passthrough route -> svc -> tls pod": { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
restore this... this example was captured from live data and expects the explicit port to work
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't change the input, it still the same as it was captured. Why this example expects the explicit port? It's the reason of the bug with the Docker Server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
based on @miminar's explanation, this was likely captured while our router had the port-stripping bug. Can you set up a pod and access it through the current haproxy router and verify what
X-Forwarded-Host
is set to when accessing http://route, http://route:80, https://route and https://route:443?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
X-Forwarded-Host
is set to the hostname without a port, as it written in the test.If you use
docker pull route:80/foo/bar,
then it'll be with the port.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you make sure we have tests capturing all the headers we see for all four of those cases?