haproxy obfuscated internal IP in routing cookie

pecameron · pecameron · commit 58aca5b0d7e8 · 2016-04-04T16:19:32.000-04:00
The cookie currently returns the openshift internal pod IP address. This is a security issue as an attacker can develop a map of the pods in the cluster just by observing the returned cookie. This change returns a hash of the internal address and internal service name to obfuscate the internal information. The service name is configured when the service is created and is not visible to outside users. This in combination with the internal ip:port is hashed and presented in the cookie. addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1318796
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
@@ -214,7 +214,7 @@ backend be_edge_http_{{$cfgIdx}}
   {{ end }}
   http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
                 {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
-  server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.ID}}
+  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IdHash}}
                 {{ end }}
             {{ end }}
 
@@ -236,7 +236,7 @@ backend be_secure_{{$cfgIdx}}
   timeout check 5000ms
   cookie OPENSHIFT_REENCRYPT_{{$cfgIdx}}_SERVERID insert indirect nocache httponly secure
                 {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
-  server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.ID}}
+  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IdHash}}
                 {{ end }}
             {{ end  }}
         {{ end  }}{{/* $serviceUnit.ServiceAliasConfigs*/}}
diff --git a/pkg/router/template/router.go b/pkg/router/template/router.go
@@ -1,6 +1,7 @@
 package templaterouter
 
 import (
+	"crypto/md5"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -502,6 +503,15 @@ func (r *templateRouter) AddEndpoints(id string, endpoints []Endpoint) bool {
 		return false
 	}
 
+	// IdHash contains an obfuscated internal IP address that is the value
+	// passed in the cookie. The IP address is made more difficult to extract
+	// by including other internal information in the hash.
+	for i := range endpoints {
+		endpoint := &endpoints[i]
+		s := endpoint.ID + endpoint.TargetName + endpoint.PortName
+		endpoint.IdHash = fmt.Sprintf("%x", md5.Sum([]byte(s)))
+	}
+
 	frontend.EndpointTable = endpoints
 	r.state[id] = frontend
 
diff --git a/pkg/router/template/types.go b/pkg/router/template/types.go
@@ -62,6 +62,7 @@ type Endpoint struct {
 	Port       string
 	TargetName string
 	PortName   string
+	IdHash     string
 }
 
 // certificateManager provides the ability to write certificates for a ServiceAliasConfig

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@ type Endpoint struct {`
`62`	`62`	`Port string`
`63`	`63`	`TargetName string`
`64`	`64`	`PortName string`
	`65`	`+ IdHash string`
`65`	`66`	`}`
`66`	`67`
`67`	`68`	`// certificateManager provides the ability to write certificates for a ServiceAliasConfig`