Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix host predicate use host of InetSocketAddress instead of headers
Fixes gh-3037
1 parent
8263985
commit a5da112
Showing 3 changed files with 31 additions and 13 deletions.
a5da112
Thanks for this security-oriented fix, but this did break the compatibility with the older versions of SCG.
The issue is that the "Host" header includes the ":" if it is a non-standard port, and the match condition demanded that the route predicate config includes the port number. (This is only a problem if you are running the SCG on a non-default port.)
With the inet class the match condition only requires the host name, and old predicate configs which include the port no longer match. Hence: lost config compatibility.
I know that the inclusion of the port was a special thing for SCG, other rev proxies do not match on port, and the port could be redundant info in most cases, although if the SCG is behind another rev proxy then that may not be the case. Regardless, I think the backward compatibility should have been maintained with older versions. Maybe a global config option, or some other clever way?
Thanks AA
a5da112
@aaHomeOfficeGit will you open a new issue for me?
a5da112
Also, how did it break backwards compatibility?
a5da112
Hi @spencergibb, we have a system which runs on a non-standard port 9443.
When the client makes a call the HTTP header "Host" has the value of "some.fqdn.com:9443".
Also for arch reasons, in the SCG config we need to filter by fqdn, so we had a host predicate with "Host=some.fqdn.com:9443,other.fqdn.com:9443" value.
After the upgrade to 4.1.0 the routes were not matching. The fix was to change the host predicate to:
"Host=some.fqdn.com,other.fqdn.com"
It should be possible to reproduce, we were able to reproduce it on a dev's box by running the scg on 8089 port ... the old scg needs the ports in the predicate value, the new one does not work with the ports, only without ports.
(Actually we now have the fqdns both with and without port in the predicate value, this way we have achieved some version compatibility, but it is a bit of an efficiency hit... not much, maybe 1us or so)
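The mismatch described in this thread, as an added example that is not code from the commit or from Spring Cloud Gateway: it evaluates the three predicate configurations mentioned above against the raw `Host` header value and against the host name of an `InetSocketAddress`. The class name and the `matches` and `parseHost` helpers are hypothetical, simplified stand-ins for the gateway's own matcher and header parsing.

```java
import java.net.InetSocketAddress;
import java.util.List;
import java.util.regex.Pattern;

public class HostPredicateCompat {

    // Simplified stand-in for the gateway's pattern matcher (assumption):
    // '*' matches any run of characters, everything else is literal.
    static boolean matches(String pattern, String value) {
        String[] parts = pattern.split("\\*", -1);
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) re.append(".*");
            re.append(Pattern.quote(parts[i]));
        }
        return Pattern.compile(re.toString(), Pattern.CASE_INSENSITIVE).matcher(value).matches();
    }

    // Models "use host of InetSocketAddress": split the header into host and port.
    static InetSocketAddress parseHost(String header) {
        int colon = header.lastIndexOf(':');
        boolean hasPort = colon > header.lastIndexOf(']'); // skip colons inside an IPv6 literal
        String host = hasPort ? header.substring(0, colon) : header;
        int port = hasPort ? Integer.parseInt(header.substring(colon + 1)) : 0;
        return InetSocketAddress.createUnresolved(host, port);
    }

    public static void main(String[] args) {
        String header = "some.fqdn.com:9443"; // Host header value quoted in the thread
        String hostOnly = parseHost(header).getHostString();
        List<List<String>> configs = List.of(
            List.of("some.fqdn.com:9443", "other.fqdn.com:9443"), // written for the old behaviour
            List.of("some.fqdn.com", "other.fqdn.com"),           // changed after the upgrade
            List.of("some.fqdn.com:9443", "some.fqdn.com"));      // both forms, as in the workaround
        for (List<String> patterns : configs) {
            // Header-based matching compares against "host:port"; host-based sees only the name.
            boolean headerMatch = patterns.stream().anyMatch(p -> matches(p, header));
            boolean hostMatch = patterns.stream().anyMatch(p -> matches(p, hostOnly));
            System.out.printf("%-45s header-match=%b host-match=%b%n",
                    patterns, headerMatch, hostMatch);
        }
    }
}
```

Only the configuration listing both forms matches under both modes, which is why it works across versions during an upgrade.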