Bug 1953113
| Summary: | HAProxy template doesn't allow HSTS header to be case insensitive or include spaces | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Candace Holman <cholman> |
| Component: | Networking | Assignee: | Andrey Lebedev <alebedev> |
| Networking sub component: | router | QA Contact: | Arvind iyengar <aiyengar> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | ||
| Priority: | medium | CC: | amcdermo, aos-bugs, bperkins, hongli, mmasters |
| Version: | 4.7 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.9.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-18 17:30:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759 |
Verified in "4.9.0-0.nightly-2021-06-19-034606" release version. With this payload, it is observed that the haproxy template now allows the header to be case insensitive and include spaces: ------- oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.9.0-0.nightly-2021-06-19-034606 True False 52m Cluster version is 4.9.0-0.nightly-2021-06-19-034606 apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: haproxy.router.openshift.io/hsts_header: max-age=31536000; includeSubDomains; preload openshift.io/host.generated: "true" creationTimestamp: "2021-06-21T06:14:57Z" router config after change: oc -n openshift-ingress exec router-default-6fc58fcbf7-999ql -- grep -i "openshift-console:console" haproxy.config -A15 backend be_secure:openshift-console:console mode http option redispatch option forwardfor balance timeout check 5000ms http-request add-header X-Forwarded-Host %[req.hdr(host)] http-request add-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto http if !{ ssl_fc } http-request add-header X-Forwarded-Proto https if { ssl_fc } http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 } http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)] cookie 1e2670d92730b515ce3a1bb65da45062 insert indirect nocache httponly secure attr SameSite=None http-response set-header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' <----- server pod:console-d8b7db956-nmlps:console:https:10.129.0.36:8443 10.129.0.36:8443 cookie a831362b9b1fbe613d289a244f2ed573 weight 256 ssl verifyhost console.openshift-console.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms curl -sIk https://console-openshift-console.apps.aiyengar49bz.qe.devcluster.openshift.com | grep -i strict strict-transport-security: max-age=31536000; includeSubDomains; preload -------