Bug 1803001 - Forwarded header includes empty quoted proto-version parameter
Summary: Forwarded header includes empty quoted proto-version parameter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.5.0
Assignee: Daneyon Hansen
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks: 1816544
Reported: 2020-02-14 10:03 UTC by Felipe M
Modified: 2023-10-06 19:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When the ingress controller forwarded an HTTP request to an application, the ingress controller would add a Forwarded HTTP header with a non-standard "proto-version" parameter.
Consequence: The Forwarded header was not standards-compliant, which could cause problems when applications tried to parse the header value.
Fix: The ingress controller was modified not to specify any "proto-version" parameter in the Forwarded header.
Result: The Forwarded header should now be standards-compliant.
Clone Of:
Environment:
Last Closed: 2020-07-13 17:15:07 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift router pull 90 | 0 | None | closed | Bug 1803001: Removes Unneeded proto-version Header | 2020-07-13 13:37:39 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:15:44 UTC

Internal Links: 1816540 1816544

Description Felipe M 2020-02-14 10:03:15 UTC
Description of problem:

Pull request #8 for openshift/router [1] changed the haproxy template Forwarded header for it
to contain quotes on the proto-version field value even when this value was empty.

According to the PR author, this is defined in RFC7239, and field value components are defined
in RFC7230 Section 3.2.6 [2].

The definition for these field values specifies that the length of the value must be more than
one character. [2]


     token          = 1*tchar

     tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                    / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                    / DIGIT / ALPHA
                    ; any VCHAR, except delimiters


[1] https://github.com/openshift/router/pull/8
[2] https://tools.ietf.org/html/rfc7230#section-3.2.6
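
As an added example (not part of the original report or of the openshift/router code), here is a small checker that tests a Forwarded header value against the RFC 7239 pair grammar and the token rule quoted above. The sample value is constructed, and reporting empty quoted values and non-standard parameter names as findings is this example's own policy.

```python
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")   # token = 1*tchar
QUOTED = re.compile(r'"((?:[\t !#-\[\]-~\x80-\xff]|\\[\t -~\x80-\xff])*)"\Z')
STANDARD = {"for", "by", "host", "proto"}               # parameters defined by RFC 7239

def split_outside_quotes(text, sep):
    """Split on sep, ignoring separators that sit inside a quoted-string."""
    parts, buf, in_q, esc = [], [], False, False
    for ch in text:
        if esc:
            esc = False
        elif ch == "\\" and in_q:
            esc = True
        elif ch == '"':
            in_q = not in_q
        elif ch == sep and not in_q:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts


def check_forwarded(header_value):
    """Return a list of findings for one Forwarded header value ([] means clean)."""
    findings = []
    for element in split_outside_quotes(header_value, ","):
        for pair in split_outside_quotes(element.strip(), ";"):
            if not pair:
                continue  # the element grammar allows empty pairs
            name, eq, value = pair.partition("=")
            if not eq or not TOKEN.match(name):
                findings.append(f"malformed pair: {pair!r}")
                continue
            if name.lower() not in STANDARD:
                findings.append(f"non-standard parameter: {name}")
            if value == "":
                findings.append(f"{name}: empty value is not a token")
            elif value == '""':
                findings.append(f"{name}: empty quoted value")
            elif not (TOKEN.match(value) or QUOTED.match(value)):
                findings.append(f"{name}: value needs quoting: {value}")
    return findings

if __name__ == "__main__":  # constructed sample value, not captured traffic
    print(check_forwarded('for=192.0.2.10;proto=https;proto-version=""'))
```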

Comment 1 Felipe M 2020-02-18 08:07:34 UTC
Good morning,

thanks for the quick response!

Will this be backported to 4.2?

Thanks,
F.

Comment 6 Hongan Li 2020-03-19 08:31:48 UTC
Verified with 4.5.0-0.nightly-2020-03-18-115438 and the `proto-version` header has been removed.

$ oc -n openshift-ingress rsh router-default-565f46859f-qg2s8
sh-4.2$ grep proto haproxy-config.template -C 2
  {{- if matchPattern "(v4)?v6" $router_ip_v4_v6_mode }}
  # See the quoting rules in https://tools.ietf.org/html/rfc7239 for IPv6 addresses (v4 addresses get translated to v6 when in hybrid mode)
  http-request add-header Forwarded for=\"[%[src]]\";host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  {{- else }}
  http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  {{- end }}

Comment 8 errata-xmlrpc 2020-07-13 17:15:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

Comment 9 Eswar Vadla 2021-04-07 03:58:47 UTC
Hi team,

Can/will this be backported to 3.11?

Regards,
Eswar.
