-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IP Check Policy doesn't work on OpenShift #1061
Comments
Hi, I've tested this and this is working correctly: The configuration that I used is the following:
This is how I run apicast:
Tested with curl:
Also, tried with multiple uppercase values and all works:
So, if you can provide the full config, the request trace, and more info I'm Regards. |
Hello Eloy, |
Hi, There is no way to dump incoming request on Apicast, if you validate that curl works, I would recommend to get a packet trace on the host and see what HA-proxy is sending to APIcast. Regards |
Hi Eloycoto,
|
Hi,
As you could see there are 2 x-forwarded-for headers, not just one with multi-value. |
I have changed case name a bit to reflect that problem valid for all openshift installations. |
Ok, I can reproduce the issue now, I'll send the patch today. Regards |
This change allows to block traffic when multiple x-forwarder-for are defined in the same request. Resty creates an array with all duplicated headers, so in case of a array only the first heaeder will be used. Also, adds the integration test to make sure that no regression in this case. Example request to make it fail: ``` curl localhost:8080?user_key=123 -H "X-Forwarded-For: 1.2.3.4" \ -H "Host:one" \ -H "X-Forwarded-For: 1.2.3.44" \ -v ``` config: ``` { "services": [ { "id": 200, "endpoint": "http://localhost:8080", "backend_version": "1", "proxy": { "service_backend_version": "1", "hosts": [ "one" ], "api_backend": "https://echo-api.3scale.net:443", "proxy_rules": [ { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 1 } ], "policy_chain": [ { "name": "apicast.policy.apicast" }, { "name": "ip_check", "version": "builtin", "configuration": { "error_msg": "IP address not allowed", "client_ip_sources": [ "X-Forwarded-For" ], "ips": [ "1.2.3.4" ], "check_type": "blacklist" } } ] } } ] } ``` Fixes 3scale#1061 Signed-off-by: Eloy Coto <[email protected]>
This change allows to block traffic when multiple x-forwarder-for are defined in the same request. Resty creates an array with all duplicated headers, so in case of a array only the first heaeder will be used. Also, adds the integration test to make sure that no regression in this case. Example request to make it fail: ``` curl localhost:8080?user_key=123 -H "X-Forwarded-For: 1.2.3.4" \ -H "Host:one" \ -H "X-Forwarded-For: 1.2.3.44" \ -v ``` config: ``` { "services": [ { "id": 200, "endpoint": "http://localhost:8080", "backend_version": "1", "proxy": { "service_backend_version": "1", "hosts": [ "one" ], "api_backend": "https://echo-api.3scale.net:443", "proxy_rules": [ { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 1 } ], "policy_chain": [ { "name": "apicast.policy.apicast" }, { "name": "ip_check", "version": "builtin", "configuration": { "error_msg": "IP address not allowed", "client_ip_sources": [ "X-Forwarded-For" ], "ips": [ "1.2.3.4" ], "check_type": "blacklist" } } ] } } ] } ``` Fixes 3scale#1061 Signed-off-by: Eloy Coto <[email protected]>
This change allows to block traffic when multiple x-forwarder-for are defined in the same request. Resty creates an array with all duplicated headers, so in case of a array only the first heaeder will be used. Also, adds the integration test to make sure that no regression in this case. Example request to make it fail: ``` curl localhost:8080?user_key=123 -H "X-Forwarded-For: 1.2.3.4" \ -H "Host:one" \ -H "X-Forwarded-For: 1.2.3.44" \ -v ``` config: ``` { "services": [ { "id": 200, "endpoint": "http://localhost:8080", "backend_version": "1", "proxy": { "service_backend_version": "1", "hosts": [ "one" ], "api_backend": "https://echo-api.3scale.net:443", "proxy_rules": [ { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 1 } ], "policy_chain": [ { "name": "apicast.policy.apicast" }, { "name": "ip_check", "version": "builtin", "configuration": { "error_msg": "IP address not allowed", "client_ip_sources": [ "X-Forwarded-For" ], "ips": [ "1.2.3.4" ], "check_type": "blacklist" } } ] } } ] } ``` Fixes 3scale#1061 Signed-off-by: Eloy Coto <[email protected]>
We have following environment:
Internet -> haproxy -> 3scale(on openshift) -> echo app (on the same openshift)
echo app is from here(https://github.com/3scale/echo-api/tree/master/openshift), we use it for testing.
IP 1.1.1.1 below is machine from internet, but ip was changed for privacy reason.
I have configured test api service, corresponding to echo app, it's working, i.e. i see response from echo app.
I have also configured simple ip check policy and placed it before apicast policy.
But this doesn't work (i.e. it doesn't block 1.1.1.1). One could expect that x-forwarded-for is stripped by haproxy or openshift, but at the same time in response from echo app(this app returns all headers back) it gave back all headers and it returns x-forwarded-for header also:
{
"method": "GET",
"path": "/echo",
"args": "user_key=!stripped!",
"body": "",
"headers": {
"HTTP_VERSION": "HTTP/1.1",
"HTTP_X_REAL_IP": "10.129.0.1",
"HTTP_X_3SCALE_PROXY_SECRET_TOKEN": "!striped!",
"HTTP_CACHE_CONTROL": "max-age=0",
"HTTP_UPGRADE_INSECURE_REQUESTS": "1",
"HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
"HTTP_ACCEPT": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3",
"HTTP_ACCEPT_ENCODING": "gzip, deflate, br",
"HTTP_ACCEPT_LANGUAGE": "en,ru;q=0.9,cs;q=0.8,en-US;q=0.7",
"HTTP_X_FORWARDED_FOR": "1.1.1.1, 172.20.1.54, 172.20.4.232",
"HTTP_FORWARDED": "for=172.20.1.54;host=apicast-br.;proto=https;proto-version=, for=172.20.4.232;host=echo-api-test.;proto=http;proto-version=",
"HTTP_UBER_TRACE_ID": "71e3131832617a9e:6caeea202a2f70bd:71e3131832617a9e:1",
"HTTP_HOST": "echo-api-test.!stripped domain!",
"HTTP_X_FORWARDED_HOST": "echo-api-test.!stripped domain!",
"HTTP_X_FORWARDED_PORT": "80",
"HTTP_X_FORWARDED_PROTO": "http"
},
"uuid": "d7c9c1ad-efdc-48c8-bb87-087a96df632b"
}
So, x-forwarded-for header is definitively there, app on openshift see it, so it's not stripped, so 3scale should see it also, but it doesn't react to this header.
Mapping rules and service definition works correctly, because if i define IP Check policy "block all, but allow only defined" it blocks access to api, so it just can't read header for some reason.
How to debug this situation, debug mode in apicast wasn't useful?
Version
Latest 2.5
nginx version: openresty/1.13.6.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.1.0h 27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.13 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.5 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-dtrace-probes --with-stream --with-stream_ssl_module --with-http_ssl_module
[root@qeobo-vs dc]# oc describe is amp-apicast
Name: amp-apicast
Namespace: 3scale-api
Created: 3 months ago
Labels: 3scale.component=apicast
app=3scale-api-management
Annotations: openshift.io/display-name=AMP APIcast
openshift.io/generated-by=OpenShiftNewApp
openshift.io/image.dockerRepositoryCheck=2019-06-05T15:59:23Z
Docker Pull Spec: docker-registry.default.svc:5000/3scale-api/amp-apicast
Image Lookup: local=false
Unique Images: 3
Tags: 3
2.5.0 (latest)
tagged from registry.access.redhat.com/3scale-amp25/apicast-gateway
26 minutes ago
registry.access.redhat.com/3scale-amp25/apicast-gateway@sha256:92ae1bd025fa2a62beb09bb6a09ec2755bc39e938c75530e5c571eefca93101e
4 weeks ago
2.4.0
tagged from registry.access.redhat.com/3scale-amp24/apicast-gateway
3 months ago
Steps To Reproduce
install haproxy, define simple ip check policy
Current Result
Expected Result
ip check policy should filter based in ip check settings.
Additional Information
The text was updated successfully, but these errors were encountered: