Bug 1469633 - Harden haproxy to prevent the PROXY header from being passed
Harden haproxy to prevent the PROXY header from being passed
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing (Show other bugs)
3.6.0
Unspecified Unspecified
high Severity high
: ---
: 3.6.z
Assigned To: Phil Cameron
zhaozhanqi
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-11 10:57 EDT by Ben Bennett
Modified: 2017-11-29 05:22 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Strip HTTP 'Proxy' headers Reason: To prevent the "httpoxy" (https://httpoxy.org/) vulnerability Result: Applications behind the router are protected from "httpoxy"
Story Points: ---
Clone Of:
: 1484680 (view as bug list)
Environment:
Last Closed: 2017-08-10 01:31:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 14516 None None None 2017-07-12 13:45 EDT

  None (edit)
Description Ben Bennett 2017-07-11 10:57:57 EDT
Description of problem:

The "httpoxy" https://httpoxy.org/ vulnerability found that since CGI passes headers as environment variables, if there is header named PROXY it turns into $HTTP_PROXY... and many frameworks use that environment variable to indicate that traffic should be passed to a proxy when outgoing.  This allows an attacker to interpose themselves into requests they should not see.

We should consider adding a rule to screen out the header from requests we see.   In general it would be nice to allow an arbitrary list of headers to be removed.  So we should set up an environment variable to contain the list (separated by something) and then add a set of rules to haproxy to remove them.  We should also consider whether routes can request further headers to be removed via an annotation... but we could do that later.

Then we should set the default, if there is no env set, up to drop PROXY.


Version-Release number of selected component (if applicable):

All.


How reproducible:

Always.


Steps to Reproduce:
1. Make a route
2. Curl the route with a custom Proxy header
3. Sniff the traffic at the endpoint (or run an endpoint that dumps the env)

Actual results:

You can see that PROXY is passed as a header.

Expected results:

We should strip it.


Additional info:
Comment 1 Ben Bennett 2017-07-12 13:45:01 EDT
Reference https://github.com/openshift/origin/issues/14516
Comment 3 zhaozhanqi 2017-07-23 22:48:02 EDT
From the fixed PR https://github.com/openshift/origin/pull/15146, seems it did not update for passthrough route.

1. Create pod/service/passthrough route
2. Access the route with 'proxy' header

curl -H 'proxy: 10.11.11.11' https://pass-z1.0723-ihz.qe.rhcloud.com -k
<pre>
  host: pass-z1.0723-ihz.qe.rhcloud.com
  user-agent: curl/7.47.1
  accept: */*
  proxy: 10.11.11.11
</pre>


you can see the proxy still in the header

FYI. Checked the unsecure/edge/reencrypty routes, they are work well.
Comment 4 Phil Cameron 2017-07-24 08:52:38 EDT
A passthrough route passes encrypted traffic directly to the backend. It does not have the certs needed to decrypt the packets so it can't strip the proxy header.

This is intended operation, not a bug.
Comment 5 zhaozhanqi 2017-07-24 09:08:00 EDT
@ phil Cameron

Thanks for your reply and confirm. Verified this bug on oc v3.6.153
Comment 7 errata-xmlrpc 2017-08-10 01:31:01 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

Note You need to log in before you can comment on or make changes to this bug.