Bug 1469633
| Field | Value |
|---|---|
| Summary | Harden haproxy to prevent the PROXY header from being passed |
| Product | OpenShift Container Platform |
| Reporter | Ben Bennett <bbennett> |
| Component | Networking |
| Assignee | Phil Cameron <pcameron> |
| Networking sub component | router |
| QA Contact | zhaozhanqi <zzhao> |
| Status | CLOSED ERRATA |
| Docs Contact | |
| Severity | high |
| Priority | high |
| CC | aos-bugs, bmeng, bperkins, smunilla |
| Version | 3.6.0 |
| Target Milestone | --- |
| Target Release | 3.6.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Enhancement |
| Story Points | --- |
| Clone Of | |
| | 1484680 |
| Environment | |
| Last Closed | 2017-08-10 05:31:01 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |

Doc Text:
Feature: Strip HTTP 'Proxy' headers
Reason: To prevent the "httpoxy" (https://httpoxy.org/) vulnerability
Result: Applications behind the router are protected from "httpoxy"
Description
Ben Bennett
2017-07-11 14:57:57 UTC

From the fixed PR https://github.com/openshift/origin/pull/15146, it seems it did not update for the passthrough route.

1. Create pod/service/passthrough route
2. Access the route with the 'proxy' header:

    curl -H 'proxy: 10.11.11.11' https://pass-z1.0723-ihz.qe.rhcloud.com -k

    host: pass-z1.0723-ihz.qe.rhcloud.com
    user-agent: curl/7.47.1
    accept: */*
    proxy: 10.11.11.11

You can see the proxy is still in the header.

FYI, checked the unsecure/edge/reencrypt routes; they work well.

A passthrough route passes encrypted traffic directly to the backend. It does not have the certs needed to decrypt the packets so it can't strip the proxy header. This is intended operation, not a bug.

@Phil Cameron Thanks for your reply and confirmation. Verified this bug on oc v3.6.153.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716
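The thread above turns on two points: why a client-supplied `Proxy` header is dangerous for applications behind the router, and why the router can strip it on unsecure, edge and reencrypt routes but not on passthrough routes. The following is an added example written for this page; it is not code from the bug report, from PR 15146 or from the OpenShift router. It models the CGI header-to-environment mapping (RFC 3875) that turns a request header `Proxy` into the `HTTP_PROXY` meta-variable, the defensive strip the router applies where it can see the plaintext request, and the passthrough case where it cannot. The route types, the `strip_proxy_header` and `route_forwards_headers` functions and the sample headers (copied from the curl output in the bug) are this example's own constructions, not the router's implementation.

```python
# Added example (not from the bug report or the OpenShift router code).
# Under the CGI convention (RFC 3875) a request header "Foo-Bar" becomes the
# environment variable HTTP_FOO_BAR, so an attacker-controlled "Proxy" header
# lands in HTTP_PROXY, which many HTTP client libraries honour as an outbound
# proxy setting ("httpoxy"). Stripping the header at the router closes that
# path for every backend it fronts, but only where the router can see the
# plaintext request.

from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]


def headers_to_cgi_env(headers: Headers) -> Dict[str, str]:
    """Map request headers to CGI meta-variables the way a CGI/FastCGI
    front end does: uppercase, '-' -> '_', prefixed with HTTP_."""
    env: Dict[str, str] = {}
    for name, value in headers:
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        env[key] = value.strip()
    return env


def strip_proxy_header(headers: Headers) -> Headers:
    """Defensive step for routes the router terminates (or plain HTTP):
    drop any 'Proxy' header, case-insensitively, before forwarding."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def route_forwards_headers(route_type: str, headers: Headers) -> Headers:
    """Hypothetical model of the behaviour described in the bug thread:
    a passthrough route forwards encrypted bytes unchanged, so it cannot
    edit headers; the other route types can, and do, strip 'Proxy'."""
    if route_type == "passthrough":
        return list(headers)
    if route_type in ("unsecure", "edge", "reencrypt"):
        return strip_proxy_header(headers)
    raise ValueError(f"unknown route type: {route_type}")


# Constructed sample request, mirroring the curl output quoted in the bug.
SAMPLE_HEADERS: Headers = [
    ("host", "pass-z1.0723-ihz.qe.rhcloud.com"),
    ("user-agent", "curl/7.47.1"),
    ("accept", "*/*"),
    ("proxy", "10.11.11.11"),
]


def backend_sees_http_proxy(route_type: str, headers: Headers = SAMPLE_HEADERS) -> bool:
    """True if a CGI-style backend behind this route type would end up with
    HTTP_PROXY populated from the incoming request."""
    env = headers_to_cgi_env(route_forwards_headers(route_type, headers))
    return "HTTP_PROXY" in env


if __name__ == "__main__":
    for rt in ("unsecure", "edge", "reencrypt", "passthrough"):
        print(f"{rt:12s} backend sees HTTP_PROXY: {backend_sees_http_proxy(rt)}")
```

The practical consequence matches the thread's conclusion: for a passthrough route the strip has to happen in the backend itself (or in whatever terminates TLS there), because the router never sees the header. In haproxy the directive that removes a request header is `http-request del-header Proxy`; whether PR 15146 used exactly that form is not stated on this page.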