Support path routes with port number in Host header #8490
Conversation
This will ensure things don't break if openshift/origin#8490 is merged.
|
LGTM, @ramr PTAL |
|
HAProxy doesn't handle this automatically? |
| @@ -254,6 +254,7 @@ backend be_secure_{{$cfgIdx}} | |||
| {{ range $idx, $cfg := $serviceUnit.ServiceAliasConfigs }} | |||
| {{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "")}} | |||
| {{$cfg.Host}}{{$cfg.Path}} {{$idx}} | |||
| {{$cfg.Host}}{{env "ROUTER_SERVICE_HTTP_PORT" "80"}}{{$cfg.Path}} {{$idx}} | |||
There was a problem hiding this comment.
Missing separator between host and port. {{$cfg.Host}}:{{env "ROUTER_SERVICE_HTTP_PORT" "80"}}{{$cfg.Path}}.
|
So one issue I can see here (apart from the missing separator between host and port) is that we are adding another rule for the |
|
I would expect HAProxy to have some normalization possible. On Wed, Apr 20, 2016 at 10:11 PM, Ram Ranganathan [email protected]
|
|
@smarterclayton currently the |
|
Is there no specific host method in haproxy that performs normalization? On Wed, Apr 20, 2016 at 10:20 PM, Ram Ranganathan [email protected]
|
|
Good catch on the missing port separator. Fixed. I agree that finding a way to normalize |
elyscape
force-pushed
the
8471-path-route-port
branch
from
310dc6c to
fa4ca04
Compare
|
Hmm, gave this some thought - we might be able to simplify this to use the existing map file entry. So what we really want here is that For a first pass, I'd suggest verifying that if you do something like add: Now, we could very well use that as as solution - because the XFF headers to the backend would anyway indicate what port the request arrived on + the host. Other alternatives here would be:
I'll mull on this a wee bit and see if any other ideas crop up. Edited typos |
I'm pretty sure I tried this and it didn't work, but I'll try it again. |
|
@elyscape I tried that this am and it worked for me - so give it a whirl. |
|
@ramr I just tried that again and it didn't work for me. Where in the |
|
Adding a link to the changes on a gist (was on https://paste.fedoraproject.org/359696/16206581/): |
|
It doesn't work regardless of whether I put |
|
As far as I can tell, |
|
This is interesting. That does change the value of |
|
Looks like the problem was that the |
elyscape
force-pushed
the
8471-path-route-port
branch
from
fa4ca04 to
7a73124
Compare
|
Updated to use |
elyscape
force-pushed
the
8471-path-route-port
branch
from
7a73124 to
429f3d0
Compare
|
I also went ahead and rebased it onto master. |
|
@elyscape thanks, those changes look good. An integration test for this would be good - something in this test: https://github.com/openshift/origin/blob/master/test/integration/router_test.go#L390 The simplest check might be to do something similar to this test at: https://github.com/openshift/origin/blob/master/test/integration/router_test.go#L610 The fourth parameter to the |
|
Added some integration tests. Please review. I'll squash the commits if everything checks out. |
| @@ -464,6 +464,10 @@ func TestRouterPathSpecificity(t *testing.T) { | |||
| if _, err := getRoute(routeAddress, "www.example.com", "http", nil, ""); err != ErrUnavailable { | |||
| t.Fatalf("unexpected response: %q", err) | |||
| } | |||
| //ensure you can curl path with port in Host header | |||
| if err := waitForRoute(routeTestAddress, "www.example.com:80", "http", nil, tr.HelloPodPath); err != nil { | |||
There was a problem hiding this comment.
The second argument here gets put into the Request.Host field, which is what determines the Host header.
|
As a side note, I noticed that the router's path-based integration tests only really go in-depth via HTTP. Since the issue can manifest on HTTP without manifesting on HTTPS and vice versa, it would be a good idea to add testing on that as well. Additionally, there is no path-based route testing for WebSockets. I'll add these in a separate pull request once this is merged. |
| @@ -526,6 +533,9 @@ func TestRouterPathSpecificity(t *testing.T) { | |||
| if err := waitForRoute(routeAddress, "www.example.com", "http", nil, tr.HelloPod); err != nil { | |||
| t.Fatalf("unexpected response: %q", err) | |||
| } | |||
| if err := waitForRoute(routeTestAddress, "www.example.com:80", "http", nil, tr.HelloPodPath); err != nil { | |||
There was a problem hiding this comment.
expected response should be tr.HelloPod - same as above and not tr.HelloPodPath.
There was a problem hiding this comment.
I'm not sure I understand. These new lines should be making requests against the path route. That's why it's testing against routeTestAddress instead of routeAddress. It looks like I should probably be using getRoute() instead of waitForRoute(), but that's a minor thing that I can fix.
There was a problem hiding this comment.
my bad - its late ... ignore my comments - I glossed over the routeTestAddress part.
|
@elyscape some comments re: the tests. Running them for you here so you can see the results. |
|
[test] |
This is done to support path-based routing for clients that include the port number in the Host header. While unusual, doing so isn't against the HTTP spec, and some clients force it. Fixes openshift#8471.
elyscape
force-pushed
the
8471-path-route-port
branch
from
41b80f5 to
7b25ad6
Compare
| @@ -610,6 +626,9 @@ func TestRouterPathSpecificity(t *testing.T) { | |||
| if err := waitForRoute(routeAddress, "www.example.com", "http", nil, tr.HelloPodAlternate); err != nil { | |||
| t.Fatalf("unexpected response: %q", err) | |||
| } | |||
| if err := waitForRoute(routeTestAddress, "www.example.com:80", "http", nil, tr.HelloPodPath); err != nil { | |||
There was a problem hiding this comment.
Aha, I see. This needed to be tr.HelloPodAlternate. Fixed.
|
@ramr, the tests should be fixed now. |
|
re[test] |
|
[test] |
|
Evaluated for origin test up to 7b25ad6 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3357/) |
|
changes LGTM |
|
LGTM [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3357/) (Image: devenv-rhel7_4057) |
|
Evaluated for origin merge up to 7b25ad6 |
This deals with #8471 by adding a duplicate entry to the map files that also includes the port, which will match values ofbasethat result when a client includes the port number in theHostheader.This deals with #8471 by removing ports from the
Hostheader send by clients.Fixes #8471.