[jira] [Commented] (KNOX-924) X-forwarded-host, X-forwared-port header behavior when there are multiple balancers/proxys causing redirection problems

Mon, 17 Apr 2017 16:54:07 -0700 

    [ 
https://issues.apache.org/jira/browse/KNOX-924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15971842#comment-15971842
 ] 

Jeffrey E  Rodriguez commented on KNOX-924:
-------------------------------------------

I have not argument about the way the X-Forward-*  headers are processed in 
Knox, but more with the way we can deal with redirection (Location ) headers. 
The RFC only specifies how the headers are processed. e.g. The X-Forward-For 
which should have the trail of all proxyes, the X-Forward-Host which should 
have the "host" header info of the Client request. X-Forward-Proto schema of 
the original client request, etc. There is nothing about the X-Forward-Context 
but I agree in the way we process in Knox.
The issue is on how would we process the redirection headers (Location) which 
are not specified on this RFC standard about X-Forward headers.  We could argue 
that we should rewrite with respect of the X-Forward-Host,but that would assume 
the first proxy knows how to rewrite back to Knox proxy (Since Knox is the only 
proxy that knows how to deal with backend e.g. the only one that has the 
information of the DataNode in the case of webhdfs).
I see a couple of ways:
1. We find a way ( function) to put the X-Forward-Context as part of the 
Location header.  
or
2. We provide a way to let the redirection be taken care by Knox entirely (not 
redirect to X-Forward-Host).
Thanks for your help.


> X-forwarded-host, X-forwared-port  header behavior when there are multiple 
> balancers/proxys causing redirection problems
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-924
>                 URL: https://issues.apache.org/jira/browse/KNOX-924
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Jeffrey E  Rodriguez
>            Priority: Critical
>
> When there are other intermediaries between client and Knox it is possible to 
> cause Knox rewrites to not go to the gateway host but in fact the 
> gateway.host reflects X-forwar-host.
> e.g.
> "curl -v -k -u guest:guest-password -H X-Forwarded-Proto: http  -H 
> X-Forwarded-For: jeff -H X-Forwarded-Context:/ordexecvalid-prod/data/ -H 
> X-Forwarded-Port: 843 -H X-Forwarded-Host: myfoo.com -i 
> https://knox1.fyre.ibm.com:8443/gateway/default/webhdfs/v1/apps/hbase/data/hbase.id?op=OPEN
> *   Trying 9.30.57.135...
> * TCP_NODELAY set
> * Connected to knox1.fyre.ibm.com (9.30.57.135) port 8443 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate: localhost
> * Server auth using Basic with user 'guest'
> > GET 
> > /gateway/default/webhdfs/v1//iop/apps/4.3.0.0-0000/mapreduce/mapreduce.tar.gz?op=OPEN
> >  HTTP/1.1
> > Host: knox1.fyre.ibm.com:8443
> > Authorization: Basic Z3Vlc3Q6Z3Vlc3QtcGFzc3dvcmQ=
> > User-Agent: curl/7.51.0
> > Accept: */*
> > X-Forwarded-Proto: http 
> > X-Forwarded-Server: myfooserver.com
> > X-Forwarded-For: jeff
> > X-Forwarded-Context: /ordexecvalid-prod/data/
> > X-Forwarded-Port: 843
> > X-Forwarded-Host: myfoo.com
> < HTTP/1.1 307 Temporary Redirect
> HTTP/1.1 307 Temporary Redirect
> < Date: Sun, 16 Apr 2017 00:18:44 GMT
> Date: Sun, 16 Apr 2017 00:18:44 GMT
> < Set-Cookie: 
> JSESSIONID=1ry9x2q6sxuju1r5vr5tfkcifu;Path=/gateway/default;Secure;HttpOnly
> Set-Cookie: 
> JSESSIONID=1ry9x2q6sxuju1r5vr5tfkcifu;Path=/gateway/default;Secure;HttpOnly
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; 
> Expires=Sat, 15-Apr-2017 00:18:44 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; 
> Expires=Sat, 15-Apr-2017 00:18:44 GMT
> < Cache-Control: no-cache
> Cache-Control: no-cache
> < Expires: Sun, 16 Apr 2017 00:18:59 GMT
> Expires: Sun, 16 Apr 2017 00:18:59 GMT
> < Date: Sun, 16 Apr 2017 00:18:59 GMT
> Date: Sun, 16 Apr 2017 00:18:59 GMT
> < Pragma: no-cache
> Pragma: no-cache
> < Expires: Sun, 16 Apr 2017 00:18:59 GMT
> Expires: Sun, 16 Apr 2017 00:18:59 GMT
> < Date: Sun, 16 Apr 2017 00:18:59 GMT
> Date: Sun, 16 Apr 2017 00:18:59 GMT
> < Pragma: no-cache
> Pragma: no-cache
> < Location: 
> http://myfoo.com:843/gateway/default/webhdfs/data/v1/webhdfs/v1/iop/apps/4.3.0.0-0000/mapreduce/mapreduce.tar.gz?_=AAAACAAAABAAAACA3IsAYTfMdBdl3-s2CYz7RWXKMvT_S9OT2LSLanl61bElhqjA3hCyqdCHhVJ1MLvn_NDL6JEBX5xdZ_N8ALSTINW1er2-7qih_nE4riDc17LQFLs9YYkBt2P3dZz_sFKOsPzCPmyNrcaHijxkloX2m4Jy4hkqEqlCakpVFEL-ZVBqiNGlBvFk1O6fbpX_UJn8qbm67uq4M6I
> Location: 
> http://myfoo.com:843/gateway/default/webhdfs/data/v1/webhdfs/v1/iop/apps/4.3.0.0-0000/mapreduce/mapreduce.tar.gz?_=AAAACAAAABAAAACA3IsAYTfMdBdl3-s2CYz7RWXKMvT_S9OT2LSLanl61bElhqjA3hCyqdCHhVJ1MLvn_NDL6JEBX5xdZ_N8ALSTINW1er2-7qih_nE4riDc17LQFLs9YYkBt2P3dZz_sFKOsPzCPmyNrcaHijxkloX2m4Jy4hkqEqlCakpVFEL-ZVBqiNGlBvFk1O6fbpX_UJn8qbm67uq4M6I
> < Content-Type: application/octet-stream
> Content-Type: application/octet-stream
> < Server: Jetty(6.1.26-ibm)
> Server: Jetty(6.1.26-ibm)
> < Content-Length: 0
> Content-Length: 0
> See here the redirection header.
> http://myfoo.com:843/gateway/default/webhdfs/data/v1/webhdfs/v1/iop/apps/4.3.0.0-0000/mapreduce/mapreduce.tar.gz?_=AAAACAAAABAAAACA3IsAYTfMdBdl3-s2CYz7RWXKMvT_S9OT2LSLanl61bElhqjA3hCyqdCHhVJ1MLvn_NDL6JEBX5xdZ_N8ALSTINW1er2-7qih_nE4riDc17LQFLs9YYkBt2P3dZz_sFKOsPzCPmyNrcaHijxkloX2m4Jy4hkqEqlCakpVFEL-ZVBqiNGlBvFk1O6fbpX_UJn8qbm67uq4M6I
> This could cause unexpected results.
> The UrlRequestResponse would use the X-Forward headers (even if 
> gateway.xforwarded.enabled is false).
> The documentation is very succinct. It seems like the xforwarded.enabled only 
> accomplish passing the "Knox" x-Forward-* headers when it is not set to false.
> But there is no documentation on the effect of other servers setting up 
> X-Forward header between client and Knox.
> I could even inject an X-Forward-* header and have Knox to redirect to a 
> different server than the one original Knox. See my relocation URL  
> Location: 
> http://myfoo.com:843/gateway/default/webhdfs/data/v1/webhdfs/v1/iop/apps/4.3.0.0-0000/mapreduce/mapreduce.tar.gz?_=AAAACAAAABAAAACA3IsAYTfMdBdl3-s2CYz7RWXKMvT_S9OT2LSLanl61bElhqjA3hCyqdCHhVJ1MLvn_NDL6JEBX5xdZ_N8ALSTINW1er2-
> This behavior seems very confusing. 
> 1. It should ok to pass multiple X-Forwarded-Host through.
> 2. It is unexpected that Knox should use X-Forward-Host and X-Forwarded-Port 
> as the Gateway host and port. e.g. {gateway.host} and {gateway.port} would 
> reflect the value of X-Forwarded-Host and X-Forwarded-Port. This doesn't seem 
> to leave any other options to rewrite rules which don't want to use 
> X-Forwarded-Host.
> 3. The rewrite feature of Gateway doesn't seem to work well with X-Forward* 
> feature.
> 4. X-Forward* feature in gateway is not well documented. The extend of the 
> documentation is a description of the filter that adds X-Forward headers to 
> Knox. We may need to explain whot X-forward headers affect Knox behavior.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to