Bug 1471255 - X-Forwarded-For and related headers send the IPv6 form of the source IPv4 address
X-Forwarded-For and related headers send the IPv6 form of the source IPv4 add...
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing (Show other bugs)
3.6.0
Unspecified Unspecified
unspecified Severity urgent
: ---
: 3.7.0
Assigned To: Phil Cameron
zhaozhanqi
:
Depends On:
Blocks: 1472976 1477673
  Show dependency treegraph
 
Reported: 2017-07-14 16:16 EDT by Ben Bennett
Modified: 2017-11-28 17:01 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: No doc change Consequence: Fix: Result:
Story Points: ---
Clone Of:
: 1472976 (view as bug list)
Environment:
Last Closed: 2017-11-28 17:01:28 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 15229 None None None 2017-07-17 07:25 EDT
Origin (Github) 15566 None None None 2017-07-31 15:52 EDT
Red Hat Product Errata RHSA-2017:3188 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-28 21:34:54 EST

  None (edit)
Description Ben Bennett 2017-07-14 16:16:37 EDT
Description of problem:

The X-Forwarded-For and related headers send the IPv6 form of the source IPv4 address.

e.g.:

	Forwarded: for=::ffff:172.17.0.3;host=hello-openshift-default.router.default.svc.cluster.local;proto=http
	X-Forwarded-For: ::ffff:172.17.0.3



Version-Release number of selected component (if applicable):

3.6.0


How reproducible:

Always


Steps to Reproduce:
1. Set up a router and a route
2. Run tcpdump to sniff the traffic on the target node, and watch for the http request from the proxy
3. curl --ipv4 172.17.0.3 -H 'Host: hello-openshift-default.router.default.svc.cluster.local'


Actual results:

	GET / HTTP/1.1
	User-Agent: curl/7.51.0
	Accept: */*
	Host: hello-openshift-default.router.default.svc.cluster.local
	X-Forwarded-Host: hello-openshift-default.router.default.svc.cluster.local
	X-Forwarded-Port: 80
	X-Forwarded-Proto: http
	Forwarded: for=::ffff:172.17.0.3;host=hello-openshift-default.router.default.svc.cluster.local;proto=http
	X-Forwarded-For: ::ffff:172.17.0.3



Expected results:

	GET / HTTP/1.1
	User-Agent: curl/7.51.0
	Accept: */*
	Host: hello-openshift-default.router.default.svc.cluster.local
	X-Forwarded-Host: hello-openshift-default.router.default.svc.cluster.local
	X-Forwarded-Port: 80
	X-Forwarded-Proto: http
	Forwarded: for=172.17.0.3;host=hello-openshift-default.router.default.svc.cluster.local;proto=http
	X-Forwarded-For: 172.17.0.3




Additional info:
Comment 1 Ben Bennett 2017-07-17 07:25:35 EDT
PR https://github.com/openshift/origin/pull/15229
Comment 2 openshift-github-bot 2017-07-21 01:59:13 EDT
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/7821bd5070fb167dfe455d017d338e22673d4cf3
Add an ENV to control ipv6 behavior in the router

This patch adds an environent variable called ROUTER_IP_V4_V6_MODE
which must be set to "v4" (the default), "v6", or "v4v6" to control
whether the router to binds to IPv4, IPv6, or both.

Note that when set to 'v6' or 'v4v6', the X-Forwarded-For and
Forwarded http headers will be in IPv6 form (even when the connection
was an IPv4 one, if set to 'v4v6').

Fixes bug 1471255 (https://bugzilla.redhat.com/show_bug.cgi?id=1471255)
Comment 3 Meng Bo 2017-07-31 03:36:21 EDT
The fix had been merged into latest ocp build, move it forward.
Comment 5 Ben Bennett 2017-07-31 15:53:05 EDT
Assigning this to @pcameron to shepherd in.  The PR is https://github.com/openshift/origin/pull/15566 to correct an issue.
Comment 7 hongli 2017-10-09 01:21:03 EDT
verified in atomic-openshift-3.7.0-0.143.1.git.0.e152287 and the bug has been fixed.

1. ROUTER_IP_V4_V6_MODE=v4 (by default)
  forwarded: for=10.8.241.59;host=header-test-insecure-hongli.apps.1009-e6s.qe.rhcloud.com;proto=http
  x-forwarded-for: 10.8.241.59

2. ROUTER_IP_V4_V6_MODE=v4v6
  forwarded: for="[::ffff:10.8.241.59]";host=header-test-insecure-hongli.apps.1009-e6s.qe.rhcloud.com;proto=http
  x-forwarded-for: ::ffff:10.8.241.59

or
  forwarded: for="[3037::37]";host=header-test-insecure-hongli.apps.1009-e6s.qe.rhcloud.com;proto=http
  x-forwarded-for: 3037::37

2. ROUTER_IP_V4_V6_MODE=v6
  forwarded: for="[3037::37]";host=header-test-insecure-hongli.apps.1009-e6s.qe.rhcloud.com;proto=http
  x-forwarded-for: 3037::37
Comment 10 errata-xmlrpc 2017-11-28 17:01:28 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.