2127955 – When CNAME is used, it is not excluded from the proxy communication by default unlike "localhost" or the "fqdn" of satellite itself.

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2127955 - When CNAME is used, it is not excluded from the proxy communication by default unlike "localhost" or the "fqdn" of satellite itself.

Summary: When CNAME is used, it is not excluded from the proxy communication by defaul...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	6.11.2
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	medium
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Satellite QE Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-09-19 13:05 UTC by Sayan Das
Modified:	2024-05-13 10:04 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2024-05-13 10:04:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	SAT-24105	0	None	None	None	2024-03-21 21:09:24 UTC

Description Sayan Das 2022-09-19 13:05:57 UTC

Description of problem:

When CNAME is used, it is not excluded from the proxy communication by default unlike "localhost" or the "fqdn" of the satellite itself. 


Version-Release number of selected component (if applicable):

Satellite 6.11.2

How reproducible:

Always ( but under very specific circumstances )


Steps to Reproduce:

1. Identify an IP that has an A record and a CNAME record e.g.

# nslookup 10.XX.XXX.XX
XX.XXX.XX.10.in-addr.arpa	name = sat611.example.com.
XX.XXX.XX.10.in-addr.arpa	name = mysatellite.example.com.

2. Have a squid proxy configured. ( assuming http://10.XX.XXX.YY:3128 )

3. Install an RHEL 8 VM having that IP and hostname set to sat611.example.com

# hostname -f
sat611.example.com

4. Enable required repos to install Satellite 6.11 and proceed with "yum install satellite".

5. Run the installer with the following options ( where the use of cname can be noticed ).

satellite-installer --scenario=satellite \
--foreman-initial-organization RedHat --foreman-initial-location Pune \
--foreman-initial-admin-username admin --foreman-initial-admin-password RedHat1! \
--certs-cname=mysatellite.example.com \
--foreman-servername=mysatellite.example.com \
--foreman-foreman-url=https://mysatellite.example.com \
--foreman-unattended-url=https://mysatellite.example.com \
--foreman-proxy-foreman-base-url=https://mysatellite.example.com \
--foreman-proxy-template-url=http://mysatellite.example.com:8000 --foreman-plugin-tasks-automatic-cleanup=true \
--enable-foreman-plugin-puppet --enable-foreman-cli-puppet --foreman-proxy-puppet=true --foreman-proxy-puppetca=true \
--foreman-proxy-content-puppet=true --enable-puppet --puppet-server=true \
--puppet-server-foreman-url=https://mysatellite.example.com \
--puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
--puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
--puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key \
--puppet-server-certname=mysatellite.example.com \
--foreman-proxy-puppet-ssl-cert=/etc/puppetlabs/puppet/ssl/certs/mysatellite.example.com.pem \
--foreman-proxy-puppet-ssl-key=/etc/puppetlabs/puppet/ssl/private_keys/mysatellite.example.com.pem \
--foreman-proxy-puppet-url=https://mysatellite.example.com:8140 \
--enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh \
--foreman-proxy-tftp=true --foreman-proxy-dhcp=false --foreman-proxy-dns=false


6. Check "hammer capsule list" and "hammer ping" to confirm the health of satellite and see the name of the internal smart-proxy.  Make sure firewalld is configured to allow necessary access to Satellite.

7. Check "/etc/pulp/settings.py" and notice that It also got configured with the CNAME mysatellite.example.com.

8. Confirm that the foreman knows the fqdn as sat611.example.com.

# echo "SETTINGS[:fqdn]" | foreman-rake console

"sat611.example.com"

9. Import a manifest in satellite.

10. Go to Administer --> Settings --> General --> HTTP(s) Proxy --> set "http://10.XX.XXX.YY:3128" as the value there for the proxy server.

11. Log in to the squid server and tail the log files:

# tail -f -v -n0  /var/log/squid/*log

12. Go to Content --> Red Hat Repositories --> Expand any repos and try enabling it while monitor the /var/log/foreman/production.log file of satellite as well as log files on squid server.



Actual results:

During the repo enabling task itself, we will be able to see following entries in satellite's production.log multiple times. 

2022-09-19T17:53:37 [I|app|3dd40cb3] (Excon) Proxying request to mysatellite.example.com via http://10.XX.XXX.YY:3128

Which means, Satellite tried to connect to pulp via the CNAME and that connection was established via proxy.

The squid proxy logs will also convey the same message. 

The same problem will happen during repo sync or any tasks that requires communication from foreman -> foreman-proxy via the CNAME. 



Expected results:

Satellite should not try to connect to it's own CNAME via the proxy configured or else the proxy server would get overloaded very frequently. 


Additional info:

When I check the code from https://github.com/theforeman/foreman/blob/3.1-stable/lib/foreman/http_proxy.rb#L33-L38 , That function includes the fqdn of the satellite as well.

    def local_request?(request_host)
      request_host.starts_with?('127.') ||
      request_host == 'localhost' ||
      request_host == '::1' ||
      request_host == SETTINGS[:fqdn]
    end

And whenever a request via proxy is initiated, any ip\fqdn defined in the local_request function should be excluded:

https://github.com/theforeman/foreman/blob/3.1-stable/lib/foreman/http_proxy.rb#L16-L23

Now, The problem in our case is that the code of the satellite works simply as expected i.e. it excludes SETTINGS[:fqdn] when it comes to communication via proxy.

SETTINGS[:fqdn] here is sat611.example.com but not mysatellite.example.com. So as long as that is true but the satellite internally uses mysatellite.example.com for communication, the same issue will continue to exist. 

WORKAROUND: Put the CNAME into the "HTTP(S) proxy except hosts" list from Administer --> Settings --> General page.

IMPROVEMENT REQUEST: If "--certs-cname" is used with the installer, then the CNAME FQDN should get set as a value of :cname object, so that it can be queried via SETTINGS[:cname] and then perhaps improve the function here:

    def local_request?(request_host)
      request_host.starts_with?('127.') ||
      request_host == 'localhost' ||
      request_host == '::1' ||
      request_host == SETTINGS[:fqdn] ||
      request_host == SETTINGS[:cname]
    end

Any other ideas are always welcome as long as it can clearly address the concern

Comment 6 Brad Buckingham 2024-03-21 21:07:37 UTC

Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Comment 7 Brad Buckingham 2024-05-13 10:04:06 UTC

Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.

Note You need to log in before you can comment on or make changes to this bug.