forked from projectcontour/contour
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
internal: filter misdirected TLS requests
TLS routes are specialized to a unique virtual hostname. However, if wildcard certificates are being used, browsers will aggressively coalesce and reuse server connections even when the full origin hostname doesn't match. This results on 404 responses because each TLS virtual host only has routes for one host. We can avoid this behaviour bleeding out to users by generating a 421 Misdirected Request response if the request authority doesn't match the FQDN of the virtual host. In this case, the browser is supposed to understand that the request wasn't processed and re-send it on a new connection. This fixes projectcontour#1493. Signed-off-by: James Peach <jpeach@vmware.com>
- Loading branch information
Showing
11 changed files
with
314 additions
and
92 deletions.
There are no files selected for viewing
204 changes: 204 additions & 0 deletions
204
_integration/testsuite/httpproxy/009-https-misdirected-request.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,204 @@ | ||
# Copyright 2020 VMware, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
import data.contour.resources | ||
|
||
# Ensure that cert-manager is installed. | ||
# Version check the certificates resource. | ||
|
||
Group := "cert-manager.io" | ||
Version := "v1alpha2" | ||
|
||
have_certmanager_version { | ||
v := resources.versions["certificates"] | ||
v[_].Group == Group | ||
v[_].Version == Version | ||
} | ||
|
||
skip[msg] { | ||
not resources.is_supported("certificates") | ||
msg := "cert-manager is not installed" | ||
} | ||
|
||
skip[msg] { | ||
not have_certmanager_version | ||
|
||
avail := resources.versions["certificates"] | ||
|
||
msg := concat("\n", [ | ||
sprintf("cert-manager version %s/%s is not installed", [Group, Version]), | ||
"available versions:", | ||
yaml.marshal(avail) | ||
]) | ||
} | ||
|
||
--- | ||
|
||
# Create a self-signed issuer to give us secrets. | ||
|
||
apiVersion: cert-manager.io/v1alpha2 | ||
kind: Issuer | ||
metadata: | ||
name: selfsigned | ||
spec: | ||
selfSigned: {} | ||
|
||
--- | ||
|
||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: ingress-conformance-echo | ||
$apply: | ||
fixture: | ||
as: echo | ||
|
||
--- | ||
|
||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: ingress-conformance-echo | ||
$apply: | ||
fixture: | ||
as: echo | ||
|
||
--- | ||
|
||
apiVersion: cert-manager.io/v1alpha2 | ||
kind: Certificate | ||
metadata: | ||
name: echo-cert | ||
spec: | ||
dnsNames: | ||
- echo.projectcontour.io | ||
secretName: echo | ||
issuerRef: | ||
name: selfsigned | ||
|
||
--- | ||
|
||
apiVersion: projectcontour.io/v1 | ||
kind: HTTPProxy | ||
metadata: | ||
name: echo | ||
spec: | ||
virtualhost: | ||
fqdn: echo.projectcontour.io | ||
tls: | ||
secretName: echo | ||
routes: | ||
- services: | ||
- name: echo | ||
port: 80 | ||
|
||
--- | ||
|
||
import data.contour.resources | ||
|
||
Name := "echo" | ||
|
||
fatal_proxy_is_not_present[msg] { | ||
not resources.is_present("httpproxies", Name) | ||
msg := sprintf("HTTPProxy for %q is not present", [ Name ]) | ||
} | ||
|
||
--- | ||
|
||
import data.contour.resources | ||
|
||
Name := "echo" | ||
|
||
fatal_proxy_is_not_valid[msg] { | ||
status := resources.status("httpproxies", Name) | ||
|
||
object.get(status, "currentStatus", "") != "valid" | ||
|
||
msg := sprintf("HTTPProxy %q is not valid\n%s", [ | ||
Name, yaml.marshal(status) | ||
]) | ||
} | ||
|
||
--- | ||
|
||
import data.contour.http.client | ||
import data.contour.http.request | ||
import data.contour.http.response | ||
|
||
Response := client.Get({ | ||
"url": sprintf("https://%s/misdirected/%d", [ | ||
client.target_addr, time.now_ns() | ||
]), | ||
"headers": { | ||
"Host": "echo.projectcontour.io", | ||
"User-Agent": client.ua("misdirected-request"), | ||
}, | ||
"tls_insecure_skip_verify": true, | ||
}) | ||
|
||
error_non_200_response [msg] { | ||
not Response | ||
msg := "no response" | ||
} | ||
|
||
error_non_200_response [msg] { | ||
status := object.get(Response, "status_code", 000) | ||
status != 200 | ||
msg := sprintf("got status %d, wanted %d", [status, 200]) | ||
} | ||
|
||
error_wrong_routing [msg] { | ||
not response.has_testid(Response) | ||
msg := "response has missing body or test ID" | ||
} | ||
|
||
error_wrong_routing[msg] { | ||
wanted := "echo" | ||
testid := response.testid(Response) | ||
testid != wanted | ||
msg := sprintf("got test ID %q, wanted %q", [testid, wanted]) | ||
} | ||
|
||
--- | ||
|
||
import data.contour.http.client | ||
import data.contour.http.request | ||
import data.contour.http.response | ||
|
||
# Send a request with a Host header that doesn't match the SNI name that | ||
# we have for the proxy document. We expect the mismatch will generate a | ||
# 421 respnse, not 404. | ||
|
||
Response := client.Get({ | ||
"url": sprintf("https://%s/misdirected/%d", [ | ||
client.target_addr, time.now_ns() | ||
]), | ||
"headers": { | ||
"Host": "echo-two.projectcontour.io", | ||
"User-Agent": client.ua("misdirected-request"), | ||
}, | ||
"tls_server_name": "echo.projectcontour.io", | ||
"tls_insecure_skip_verify": true, | ||
}) | ||
|
||
error_non_421_response [msg] { | ||
not Response | ||
msg := "no response" | ||
} | ||
|
||
error_non_421_response [msg] { | ||
status := object.get(Response, "status_code", 000) | ||
status != 421 | ||
msg := sprintf("got status %d, wanted %d", [status, 421]) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.