Bug 1953113 - HAProxy template doesn't allow HSTS header to be case insensitive or include spaces
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.9.0
Assignee: Andrey Lebedev
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-23 23:02 UTC by Candace Holman
Modified: 2022-08-04 22:32 UTC
CC: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:30:14 UTC
Target Upstream Version:
Embargoed:




Links:
Github openshift router pull 298, status open: Bug 1953113: template config - HSTS header's pattern accepts case insensitive and white spaces, last updated 2021-06-17 18:24:11 UTC
Red Hat Product Errata RHSA-2021:3759, last updated 2021-10-18 17:30:30 UTC

Comment 2 Arvind iyengar 2021-06-21 08:14:00 UTC
Verified in "4.9.0-0.nightly-2021-06-19-034606" release version. With this payload, it is observed that the haproxy template now allows the header to be case insensitive and include spaces:
-------
oc get clusterversion                                    
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-06-19-034606   True        False         52m     Cluster version is 4.9.0-0.nightly-2021-06-19-034606

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/hsts_header: max-age=31536000; includeSubDomains; preload
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-06-21T06:14:57Z"

router config after change:
oc -n openshift-ingress exec router-default-6fc58fcbf7-999ql -- grep -i "openshift-console:console" haproxy.config -A15
backend be_secure:openshift-console:console
  mode http
  option redispatch
  option forwardfor
  balance 

  timeout check 5000ms
  http-request add-header X-Forwarded-Host %[req.hdr(host)]
  http-request add-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
  http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  cookie 1e2670d92730b515ce3a1bb65da45062 insert indirect nocache httponly secure attr SameSite=None
  http-response set-header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' <-----
  server pod:console-d8b7db956-nmlps:console:https:10.129.0.36:8443 10.129.0.36:8443 cookie a831362b9b1fbe613d289a244f2ed573 weight 256 ssl verifyhost console.openshift-console.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms


curl -sIk https://console-openshift-console.apps.aiyengar49bz.qe.devcluster.openshift.com | grep -i strict        
strict-transport-security: max-age=31536000; includeSubDomains; preload
-------
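
The verification in Comment 2 follows one HSTS value from the route annotation through haproxy.config to the response header. What the fix changed is how the router template recognises a valid Strict-Transport-Security value, so the example below shows, as an added illustration that is not code from openshift/router or from the linked pull request, a validator for that header written along the lines of RFC 6797: directive names are matched case-insensitively, whitespace around ';' and '=' is ignored, max-age is required, and a directive may appear only once. The type and function names (HSTS, ParseHSTS, Canonical) and the sample inputs in main are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// HSTS holds the directives recognised in a Strict-Transport-Security value.
type HSTS struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS validates a Strict-Transport-Security header value along the
// lines of RFC 6797: directives are separated by ';', directive names are
// matched case-insensitively, and whitespace around ';' and '=' is ignored.
// max-age is required; a directive may appear only once; directives this
// validator does not know are rejected so that a typo cannot silently weaken
// the policy. Hypothetical validator, not the openshift/router template pattern.
func ParseHSTS(value string) (HSTS, error) {
	var out HSTS
	seen := make(map[string]bool)
	haveMaxAge := false

	for _, raw := range strings.Split(value, ";") {
		directive := strings.TrimSpace(raw)
		if directive == "" {
			continue // tolerate an empty directive, e.g. a trailing ';'
		}
		name, arg := directive, ""
		if i := strings.IndexByte(directive, '='); i >= 0 {
			name = strings.TrimSpace(directive[:i])
			arg = strings.TrimSpace(directive[i+1:])
		}
		key := strings.ToLower(name)
		if seen[key] {
			return HSTS{}, fmt.Errorf("directive %q appears more than once", name)
		}
		seen[key] = true

		switch key {
		case "max-age":
			// RFC 6797 allows the value either as a token or as a quoted-string.
			age, err := strconv.ParseInt(strings.Trim(arg, `"`), 10, 64)
			if err != nil || age < 0 {
				return HSTS{}, fmt.Errorf("max-age must be a non-negative integer, got %q", arg)
			}
			out.MaxAge, haveMaxAge = age, true
		case "includesubdomains":
			if arg != "" {
				return HSTS{}, errors.New("includeSubDomains takes no value")
			}
			out.IncludeSubDomains = true
		case "preload":
			if arg != "" {
				return HSTS{}, errors.New("preload takes no value")
			}
			out.Preload = true
		default:
			return HSTS{}, fmt.Errorf("unknown directive %q", name)
		}
	}
	if !haveMaxAge {
		return HSTS{}, errors.New("max-age is required")
	}
	return out, nil
}

// Canonical renders a parsed policy in the spelling the verification output
// above shows, so differently cased or spaced inputs compare equal.
func (h HSTS) Canonical() string {
	s := "max-age=" + strconv.FormatInt(h.MaxAge, 10)
	if h.IncludeSubDomains {
		s += "; includeSubDomains"
	}
	if h.Preload {
		s += "; preload"
	}
	return s
}

func main() {
	// Constructed inputs: the annotation value from this bug, a differently
	// cased and spaced spelling of the same policy, and two invalid values.
	for _, v := range []string{
		"max-age=31536000; includeSubDomains; preload",
		" MAX-AGE = 31536000 ;INCLUDESUBDOMAINS; Preload ",
		"includeSubDomains; preload",
		"max-age=31536000; max-age=0",
	} {
		h, err := ParseHSTS(v)
		if err != nil {
			fmt.Printf("%-52q rejected: %v\n", v, err)
			continue
		}
		fmt.Printf("%-52q accepted: %s\n", v, h.Canonical())
	}
}
```

Rejecting unknown directives is stricter than what RFC 6797 asks of a browser (which ignores them), but at the point where an operator's annotation is turned into configuration it is the safer choice: a misspelled includeSubDomains would otherwise pass validation and quietly leave subdomains outside the policy.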

Comment 5 errata-xmlrpc 2021-10-18 17:30:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

