Bug 1469633 - Harden haproxy to prevent the PROXY header from being passed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.6.z
Assignee: Phil Cameron
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-11 14:57 UTC by Ben Bennett
Modified: 2022-08-04 22:20 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Strip HTTP 'Proxy' headers
Reason: To prevent the "httpoxy" (https://httpoxy.org/) vulnerability
Result: Applications behind the router are protected from "httpoxy"
Clone Of:
: 1484680 (view as bug list)
Environment:
Last Closed: 2017-08-10 05:31:01 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Origin (Github) 14516 0 None None None 2017-07-12 17:45:12 UTC
Red Hat Product Errata RHEA-2017:1716 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.6 RPM Release Advisory 2017-08-10 09:02:50 UTC

Description Ben Bennett 2017-07-11 14:57:57 UTC
Description of problem:

The "httpoxy" https://httpoxy.org/ vulnerability found that since CGI passes headers as environment variables, if there is a header named PROXY it turns into $HTTP_PROXY... and many frameworks use that environment variable to indicate that traffic should be passed to a proxy when outgoing. This allows an attacker to interpose themselves into requests they should not see.

We should consider adding a rule to screen out the header from requests we see. In general it would be nice to allow an arbitrary list of headers to be removed. So we should set up an environment variable to contain the list (separated by something) and then add a set of rules to haproxy to remove them. We should also consider whether routes can request further headers to be removed via an annotation... but we could do that later.

Then we should set the default, if there is no env set, up to drop PROXY.


Version-Release number of selected component (if applicable):

All.


How reproducible:

Always.


Steps to Reproduce:
1. Make a route
2. Curl the route with a custom Proxy header
3. Sniff the traffic at the endpoint (or run an endpoint that dumps the env)

Actual results:

You can see that PROXY is passed as a header.

Expected results:

We should strip it.


Additional info:

Comment 1 Ben Bennett 2017-07-12 17:45:01 UTC
Reference https://github.com/openshift/origin/issues/14516

Comment 3 zhaozhanqi 2017-07-24 02:48:02 UTC
From the fixed PR https://github.com/openshift/origin/pull/15146, seems it did not update for passthrough route.

1. Create pod/service/passthrough route
2. Access the route with 'proxy' header

curl -H 'proxy: 10.11.11.11' https://pass-z1.0723-ihz.qe.rhcloud.com -k
<pre>
  host: pass-z1.0723-ihz.qe.rhcloud.com
  user-agent: curl/7.47.1
  accept: */*
  proxy: 10.11.11.11
</pre>


You can see the proxy is still in the header.

FYI: checked the unsecure/edge/reencrypt routes; they work well.

Comment 4 Phil Cameron 2017-07-24 12:52:38 UTC
A passthrough route passes encrypted traffic directly to the backend. It does not have the certs needed to decrypt the packets so it can't strip the proxy header.

This is intended operation, not a bug.
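
The following sketch is an added example, not part of the bug report and not the router's code or the haproxy rule from the fix. It models the header-to-environment mapping from the description, a configurable drop list that defaults to Proxy, and the passthrough case from comments 3 and 4. The variable name ROUTER_DROP_HEADERS, the function names and the sample request are assumptions constructed for illustration.

```python
import os

# Assumption: hypothetical name for the comma-separated drop list proposed in
# the description; it is not the router's actual setting.
DROP_ENV = "ROUTER_DROP_HEADERS"
DEFAULT_DROP = {"proxy"}  # default when the variable is unset


def drop_list(environ=os.environ):
    """Lower-cased header names to remove; header names are case-insensitive."""
    raw = environ.get(DROP_ENV)
    if raw is None:
        return set(DEFAULT_DROP)
    return {name.strip().lower() for name in raw.split(",") if name.strip()}


def forwarded_headers(headers, termination, drop):
    """Headers the backend receives for a route of the given termination type."""
    if termination == "passthrough":
        # TLS is not terminated at the router, so it never sees the headers.
        return list(headers)
    return [(k, v) for k, v in headers if k.lower() not in drop]


def cgi_environ(headers):
    """RFC 3875 mapping: header 'Foo-Bar' becomes variable HTTP_FOO_BAR."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers}


def backend_gets_http_proxy(headers, termination, environ=os.environ):
    """True when a CGI backend would end up with HTTP_PROXY set by the client."""
    seen = forwarded_headers(headers, termination, drop_list(environ))
    return "HTTP_PROXY" in cgi_environ(seen)


# Constructed request, modelled on the curl call in comment 3.
SAMPLE = [("host", "route.example.test"), ("user-agent", "curl/7.47.1"),
          ("accept", "*/*"), ("proxy", "10.11.11.11")]

if __name__ == "__main__":
    for kind in ("unsecure", "edge", "reencrypt", "passthrough"):
        print(kind, backend_gets_http_proxy(SAMPLE, kind, {}))
```

Backends reached through passthrough routes still need their own handling of HTTP_PROXY, since the router cannot filter for them.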

Comment 5 zhaozhanqi 2017-07-24 13:08:00 UTC
@Phil Cameron

Thanks for your reply and confirmation. Verified this bug on oc v3.6.153

Comment 7 errata-xmlrpc 2017-08-10 05:31:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

