Bug 1469633

Summary: Harden haproxy to prevent the PROXY header from being passed
Product: OpenShift Container Platform
Reporter: Ben Bennett <bbennett>
Component: Networking
Assignee: Phil Cameron <pcameron>
Networking sub component: router
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: high
CC: aos-bugs, bmeng, bperkins, smunilla
Version: 3.6.0
Target Milestone: ---
Target Release: 3.6.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
  Feature: Strip HTTP 'Proxy' headers
  Reason: To prevent the "httpoxy" (https://httpoxy.org/) vulnerability
  Result: Applications behind the router are protected from "httpoxy"
Story Points: ---
Clone Of:
: 1484680
Environment:
Last Closed: 2017-08-10 05:31:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ben Bennett 2017-07-11 14:57:57 UTC
Description of problem:

The "httpoxy" https://httpoxy.org/ vulnerability found that since CGI passes headers as environment variables, if there is a header named PROXY it turns into $HTTP_PROXY... and many frameworks use that environment variable to indicate that traffic should be passed to a proxy when outgoing.  This allows an attacker to interpose themselves into requests they should not see.

We should consider adding a rule to screen out the header from requests we see.   In general it would be nice to allow an arbitrary list of headers to be removed.  So we should set up an environment variable to contain the list (separated by something) and then add a set of rules to haproxy to remove them.  We should also consider whether routes can request further headers to be removed via an annotation... but we could do that later.

Then we should set the default, if there is no env set, up to drop PROXY.


Version-Release number of selected component (if applicable):

All.


How reproducible:

Always.


Steps to Reproduce:
1. Make a route
2. Curl the route with a custom Proxy header
3. Sniff the traffic at the endpoint (or run an endpoint that dumps the env)

Actual results:

You can see that PROXY is passed as a header.

Expected results:

We should strip it.


Additional info:
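
The header-to-environment mapping and the configurable strip list described in this report, as an added Go example that is not part of the bug report or the router's own code. The variable name ROUTER_STRIP_HEADERS and the comma separator are assumptions; the generated rules use haproxy's `http-request del-header` directive.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// tokenChars is the set of characters allowed in an HTTP header field name.
const tokenChars = "!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

// cgiEnvName applies the CGI rule that turns a request header into an
// environment variable: upper-case, '-' becomes '_', prefixed with "HTTP_".
func cgiEnvName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// isToken rejects anything that is not a valid header name, which keeps
// whitespace and newlines out of the generated haproxy configuration.
func isToken(s string) bool {
	for _, c := range s {
		if !strings.ContainsRune(tokenChars, c) {
			return false
		}
	}
	return s != ""
}

// delHeaderRules turns a comma-separated header list into haproxy rules.
// An empty list falls back to the default the report asks for: drop Proxy.
func delHeaderRules(list string) ([]string, error) {
	if strings.TrimSpace(list) == "" {
		list = "Proxy"
	}
	var rules []string
	for _, name := range strings.Split(list, ",") {
		name = strings.TrimSpace(name)
		if !isToken(name) {
			return nil, fmt.Errorf("invalid header name %q", name)
		}
		rules = append(rules, "http-request del-header "+name)
	}
	return rules, nil
}

func main() {
	// ROUTER_STRIP_HEADERS is a hypothetical variable name (assumption).
	rules, err := delHeaderRules(os.Getenv("ROUTER_STRIP_HEADERS"))
	fmt.Println(cgiEnvName("Proxy"), rules, err)
}
```
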

Comment 1 Ben Bennett 2017-07-12 17:45:01 UTC
Reference https://github.com/openshift/origin/issues/14516

Comment 3 zhaozhanqi 2017-07-24 02:48:02 UTC
From the fix PR https://github.com/openshift/origin/pull/15146, it seems it did not update for passthrough routes.

1. Create pod/service/passthrough route
2. Access the route with 'proxy' header

curl -H 'proxy: 10.11.11.11' https://pass-z1.0723-ihz.qe.rhcloud.com -k
<pre>
  host: pass-z1.0723-ihz.qe.rhcloud.com
  user-agent: curl/7.47.1
  accept: */*
  proxy: 10.11.11.11
</pre>


You can see the proxy is still in the header.

FYI: checked the unsecure/edge/reencrypt routes, they work well.

Comment 4 Phil Cameron 2017-07-24 12:52:38 UTC
A passthrough route passes encrypted traffic directly to the backend. It does not have the certs needed to decrypt the packets so it can't strip the proxy header.

This is intended operation, not a bug.

Comment 5 zhaozhanqi 2017-07-24 13:08:00 UTC
@Phil Cameron

Thanks for your reply and confirmation. Verified this bug on oc v3.6.153

Comment 7 errata-xmlrpc 2017-08-10 05:31:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716