Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Envoy misdirecting valid URLs when Envoy HTTP/S default ports are not used #2568

Closed
ashirvadgupta opened this issue Jun 4, 2020 · 6 comments · Fixed by #2576
Closed

Envoy misdirecting valid URLs when Envoy HTTP/S default ports are not used #2568

ashirvadgupta opened this issue Jun 4, 2020 · 6 comments · Fixed by #2576
Assignees
@jpeach
Labels
kind/regression Categorizes issue or PR as related to a regression from a prior release. lifecycle/accepted Denotes an issue that has been triaged and determined to be valid. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Milestone
1.6.0

Comments

@ashirvadgupta
Copy link

ashirvadgupta commented Jun 4, 2020
edited
Loading

What steps did you take and what happened:
Envoy misdirecting valid URLs when Envoy HTTP/S default ports are not used.
In my setup, I am changing the envoy https port from 443 to 8443. Its trying to match the host portal.example.com but its getting host as portal.example.com:8443.

Here is curl output

curl https://portal.devtest.example.com:8443/devtest -v

Trying xx.xx.xx.xx...
TCP_NODELAY set
Connected to portal.devtest.example.com (xx.xx.xx.xx) port 8443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
successfully set certificate verify locations:
CAfile: /etc/ssl/cert.pem
CApath: none
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS change cipher, Client hello (1):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
ALPN, server accepted to use h2
Server certificate:
subject: C=US; ST=California; L=San Jose; O=example Inc; OU=ESD; CN=.devtest.example.com
start date: May 19 00:00:00 2020 GMT
expire date: May 20 12:00:00 2022 GMT
subjectAltName: host "portal.devtest.example.com" matched cert's ".devtest.example.com"
issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
SSL certificate verify ok.
Using HTTP2, server supports multi-use
Connection state changed (HTTP/2 confirmed)
Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
Using Stream ID: 1 (easy handle 0x7ffb20806600)
GET /devtest HTTP/2
Host: portal.devtest.example.com:8443
User-Agent: curl/7.54.0
Accept: /

Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 421
< content-length: 0
< date: Wed, 03 Jun 2020 20:19:13 GMT
< server: envoy
<
Connection #0 to host portal.devtest.example.com left intact

What did you expect to happen:
It should take into account Envoy HTTP/S ports while validating hosts before throwing 421 Redirection error.

Anything else you would like to add:

Environment:

  • Contour version: v1.5.0
  • Kubernetes version: (use kubectl version): Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:16:51Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"darwin/amd64"}
    Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.10-gke.36", GitCommit:"34a615f32e9a0c9e97cdb9f749adb392758349a6", GitTreeState:"clean", BuildDate:"2020-04-06T16:33:17Z", GoVersion:"go1.12.12b4", Compiler:"gc", Platform:"linux/amd64"}
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration: GKE
  • OS (e.g. from /etc/os-release):
@jpeach
Copy link
Contributor

jpeach commented Jun 5, 2020

@ashirvadgupta Does this configuration work as expected in Contour 1.4?

For curl, you can do

$ curl -H "Host: portal.devtest.example.com" https://portal.devtest.example.com:8443/devtest

But depending on the application, it might not be feasible to do this in the general case

@ashirvadgupta
Copy link
Author

ashirvadgupta commented Jun 5, 2020
edited
Loading

@ashirvadgupta Does this configuration work as expected in Contour 1.4?

For curl, you can do

$ curl -H "Host: portal.devtest.example.com" https://portal.devtest.example.com:8443/devtest

But depending on the application, it might not be feasible to do this in the general case

Output of two commands is same. So its working in Contour 1.4
curl -H "Host: portal.devtest.example.com" https://portal.devtest.example.com:8443/devtest -v
curl https://portal.devtest.example.com:8443/devtest -v

$curl -H "Host: portal.devtest.example.com" https://portal.devtest.example.com:8443/devtest -v

  • Trying xx.xx.xx.xx...
  • TCP_NODELAY set
  • Connected to portal.devtest.example.com (xx.xx.xx.xx) port 8443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/cert.pem
    CApath: none
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS change cipher, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=San Jose; O=example Inc; OU=ESD; CN=*.devtest.example.com
  • start date: May 19 00:00:00 2020 GMT
  • expire date: May 20 12:00:00 2022 GMT
  • subjectAltName: host "portal.devtest.example.com" matched cert's "*.devtest.example.com"
  • issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • Using Stream ID: 1 (easy handle 0x7fe18f00d800)

GET /devtest HTTP/2
Host: portal.devtest.example.com
User-Agent: curl/7.54.0
Accept: /

  • Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    < HTTP/2 302
    < date: Fri, 05 Jun 2020 05:38:17 GMT
    < location: https://portal.devtest.example.com/devtest/
    < content-length: 0
    < server: envoy
    < x-envoy-upstream-service-time: 5
    <
  • Connection #0 to host portal.devtest.example.com left intact

@ashirvadgupta
Copy link
Author

You can add an extra OR condition if envoy port HTTP/S ports are different than 80/443, then if those ports are present in the host authority header, then do not misdirect.

@WillPlatnick
Copy link

I am experiencing this issue as well. In my case, I didn't change the envoy port, I have haproxy in front of contour, reverse proxying 8443 traffic to port 443 in contour.

@jpeach jpeach self-assigned this Jun 10, 2020
@jpeach jpeach added kind/regression Categorizes issue or PR as related to a regression from a prior release. lifecycle/accepted Denotes an issue that has been triaged and determined to be valid. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jun 10, 2020
jpeach added a commit to jpeach/contour that referenced this issue Jun 11, 2020
@jpeach
internal/envoy: ignore ports for misdirected requests
5825f54 
Since Contour configures virtual host matches to ignore the port
specifier, it should do the same when matching for misdirected requests.

This fixes projectcontour#2568.

Signed-off-by: James Peach <jpeach@vmware.com>
@jpeach jpeach mentioned this issue Jun 11, 2020
Merged
@jpeach jpeach added this to the 1.6.0 milestone Jun 11, 2020
jpeach added a commit that referenced this issue Jun 12, 2020
@jpeach
internal/envoy: ignore ports for misdirected requests (#2576)
8f4f22e 
Since Contour configures virtual host matches to ignore the port
specifier, it should do the same when matching for misdirected requests.

This fixes #2568.

Signed-off-by: James Peach <jpeach@vmware.com>
@ashirvadgupta
Copy link
Author

Thanks @jpeach for fixing it

@jpeach
Copy link
Contributor

jpeach commented Jun 15, 2020

xref #1493
xref #2483

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jpeach jpeach

Labels
kind/regression Categorizes issue or PR as related to a regression from a prior release. lifecycle/accepted Denotes an issue that has been triaged and determined to be valid. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Projects
None yet
Milestone
1.6.0
Development

Successfully merging a pull request may close this issue.

internal/envoy: ignore ports for misdirected requests jpeach/contour
3 participants
@jpeach @WillPlatnick @ashirvadgupta