KvalitetsIT / gosamlserviceprovider

Apache License 2.0

Websockets through the caddy proxy #1

Open andtra opened 4 years ago

andtra commented 4 years ago

Hi

We are trying to get a websocket to run through the caddy proxy. It looks like it breaks. From what I can see in the debug log, the call comes through, but it does not manage to establish a proper websocket. IDP redirects and login work fine.

Init containers configuration

      CADDYFILE:                  /config/caddy-saml.conf
      LISTEN_PORT:                80
      MONGO_HOST:                 mongodb.auth.svc.cluster.local
      MONGO_DATABASE:             lvchat-laege
      SAML_CLIENT_LOGLEVEL:       debug
      SAML_SESSION_HEADER:        SESSION
      SAML_AUDIENCE_RESTRICTION:  dias:lvchat-laege
      SAML_IDP_METADATAURL:       https://telemed-medarbejderlogin-test.rm.dk/auth/realms/bsk/protocol/saml/descriptor
      SAML_ENTITY_ID:             dias:lvchat-laege
      SAML_SIGN_AUTH_REQUEST:     true
      SAML_SIGN_CERT_FILE:        /tls/tls.crt
      SAML_SIGN_KEY_FILE:         /tls/tls.key
      SAML_SESSION_EXPIRY_HOURS:  6
      SAML_EXTERNAL_URL:          https://lvchat-laege.test.dias.rm.dk
      SAML_SLO_PATH:              /saml/slo
      SAML_SSO_PATH:              /saml/sso
      SAML_METADATA_PATH:         /saml/metadata
      SAML_LOGOUT_PATH:           /saml/logout
      SAML_COOKIE_PATH:           /
      SAML_COOKIE_DOMAIN:         lvchat-laege.test.dias.rm.dk
      SAML_BACKEND_HOST:          localhost
      SAML_BACKEND_PORT:          8080

Output from the debug log for one call

{
    "request": {
        "method": "GET",
        "uri": "/api",
        "proto": "HTTP/1.1",
        "remote_addr": "127.0.0.1:54484",
        "host": "lvchat-laege.test.dias.rm.dk",
        "headers": {
            "X-Forwarded-Proto": [
                "https"
            ],
            "X-B3-Traceid": [
                "a4c6352df82001db7798f8e127d43236"
            ],
            "Upgrade": [
                "websocket"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
            ],
            "Accept-Language": [
                "en-US,en;q=0.5"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Origin": [
                "https://lvchat-laege.test.dias.rm.dk"
            ],
            "Session": [
                "8446a788-34df-47fc-84e0-303656195b2e"
            ],
            "Sec-Websocket-Extensions": [
                "permessage-deflate"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "X-Forwarded-For": [
                "10.180.29.192, 127.0.0.1"
            ],
            "X-Envoy-Internal": [
                "true"
            ],
            "X-Forwarded-Client-Cert": [
                "By=spiffe://cluster.local/ns/emergency-chat/sa/default;Hash=9f4cae60b56d58222c2f837f2ac97dc83397c4c55d0b7bab4d84c00de7ac870b;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
            ],
            "X-Request-Id": [
                "d6048f6e-c59b-487d-88c9-526904aac25c"
            ],
            "X-B3-Spanid": [
                "df83bae14efd5ebc"
            ],
            "Accept": [
                "*/*"
            ],
            "Sec-Websocket-Version": [
                "13"
            ],
            "Dnt": [
                "1"
            ],
            "Pragma": [
                "no-cache"
            ],
            "Content-Length": [
                "0"
            ],
            "Sec-Websocket-Key": [
                "dD9TQiHtkjvf0z/UfD3gFA=="
            ],
            "Connection": [
                "Upgrade"
            ],
            "Cookie": [
                "SESSION=8446a788-34df-47fc-84e0-303656195b2e"
            ],
            "X-B3-Parentspanid": [
                "7798f8e127d43236"
            ],
            "X-B3-Sampled": [
                "0"
            ]
        }
    },
    "headers": {
        "Connection": [
            "Upgrade"
        ],
        "Sec-Websocket-Accept": [
            "Hz3LB+JpUXi/ReMrAEoXiA/tpaw="
        ],
        "Upgrade": [
            "websocket"
        ]
    },
    "status": 101
}

A full log line

2020/03/25 14:53:22.014 DEBUG   http.handlers.reverse_proxy upstream roundtrip  {"request": {"method": "GET", "uri": "/api", "proto": "HTTP/1.1", "remote_addr": "127.0.0.1:53186", "host": "lvchat-laege.test.dias.rm.dk", "headers": {"User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"], "Sec-Websocket-Version": ["13"], "Accept-Language": ["en,da;q=0.9,en-US;q=0.8,nb;q=0.7"], "Sec-Websocket-Key": ["R2UNnuWpmKnZFJ42kIEo6A=="], "X-B3-Parentspanid": ["8032ec2664924d58"], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Websocket-Extensions": ["permessage-deflate; client_max_window_bits"], "Content-Length": ["0"], "Upgrade": ["websocket"], "Pragma": ["no-cache"], "Cache-Control": ["no-cache"], "Origin": ["https://lvchat-laege.test.dias.rm.dk"], "X-Envoy-Internal": ["true"], "X-Forwarded-Client-Cert": ["By=spiffe://cluster.local/ns/emergency-chat/sa/default;Hash=9f4cae60b56d58222c2f837f2ac97dc83397c4c55d0b7bab4d84c00de7ac870b;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"], "Connection": ["Upgrade"], "X-Forwarded-Proto": ["https"], "X-B3-Traceid": ["d35bb05da6b07f5e8032ec2664924d58"], "X-B3-Spanid": ["095703a54b39b409"], "Session": ["e8771a31-db6d-4882-a7f0-a3897f15c583"], "Cookie": ["SESSION=e8771a31-db6d-4882-a7f0-a3897f15c583"], "X-Forwarded-For": ["10.83.37.247, 127.0.0.1"], "X-Request-Id": ["e88968c8-6445-41e6-8d02-bf005bd020c3"], "X-B3-Sampled": ["0"]}}, "headers": {"Upgrade": ["websocket"], "Connection": ["Upgrade"], "Sec-Websocket-Accept": ["gjguOYpeSt4H6TUZmR3W4AEG25I="]}, "status": 101}

Log from the underlying service

  host: 'lvchat-laege.test.dias.rm.dk',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en,da;q=0.9,en-US;q=0.8,nb;q=0.7',
  'cache-control': 'no-cache',
  connection: 'Upgrade',
  cookie: 'SESSION=df0ebb91-8d02-44da-ac5f-626a89ff8617',
  origin: 'https://lvchat-laege.test.dias.rm.dk',
  pragma: 'no-cache',
  'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits',
  'sec-websocket-key': 'C2DE+Znni9r9iELpxyd2FA==',
  'sec-websocket-version': '13',
  session: 'df0ebb91-8d02-44da-ac5f-626a89ff8617',
  upgrade: 'websocket',
  'x-b3-parentspanid': '37aa3f01304b78fc',
  'x-b3-sampled': '0',
  'x-b3-spanid': 'a18303d0a603910c',
  'x-b3-traceid': 'df7db1e20a39652837aa3f01304b78fc',
  'x-envoy-internal': 'true',
  'x-forwarded-client-cert': 'By=spiffe://cluster.local/ns/emergency-chat/sa/default;Hash=9f4cae60b56d58222c2f837f2ac97dc83397c4c55d0b7bab4d84c00de7ac870b;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account',
  'x-forwarded-for': '10.180.229.128, 127.0.0.1',
  'x-forwarded-proto': 'https',
  'x-request-id': 'c220d153-538b-440e-83a7-ff45269bd449'
}

These are taken from different sessions, so the session ids don't match.
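The debug log above shows Caddy's upstream roundtrip answering 101 with Upgrade, Connection and Sec-Websocket-Accept headers. A quick way to confirm that such a logged roundtrip is a well-formed RFC 6455 handshake (valid 16-byte key, accept derived from the key, Upgrade tokens on both sides) is the checker below. This is an added example in Go and not code from gosamlserviceprovider or Caddy; the function names are mine, and the values the test feeds it are the RFC 6455 sample key/accept pair, not the ones from this log.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// Fixed GUID that RFC 6455 section 4.2.2 appends to the client key.
const wsGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

// ExpectedAccept returns base64(SHA-1(key + GUID)), the only valid Sec-WebSocket-Accept for key.
func ExpectedAccept(key string) string {
	sum := sha1.Sum([]byte(strings.TrimSpace(key) + wsGUID))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// hasToken reports whether a comma-separated header value contains token (case-insensitive).
func hasToken(value, token string) bool {
	for _, t := range strings.Split(value, ",") {
		if strings.EqualFold(strings.TrimSpace(t), token) {
			return true
		}
	}
	return false
}

// CheckUpgrade validates one logged roundtrip (client request headers, upstream response
// headers and status) and returns the first inconsistency found, or nil if the handshake is sound.
func CheckUpgrade(req, resp http.Header, status int) error {
	if !strings.EqualFold(req.Get("Upgrade"), "websocket") || !hasToken(req.Get("Connection"), "upgrade") {
		return fmt.Errorf("request is not a websocket upgrade (Upgrade=%q Connection=%q)", req.Get("Upgrade"), req.Get("Connection"))
	}
	key := req.Get("Sec-WebSocket-Key")
	if raw, err := base64.StdEncoding.DecodeString(key); err != nil || len(raw) != 16 {
		return fmt.Errorf("Sec-WebSocket-Key %q is not a base64-encoded 16-byte nonce", key)
	}
	if status != http.StatusSwitchingProtocols {
		return fmt.Errorf("upstream answered %d, want 101", status)
	}
	if !strings.EqualFold(resp.Get("Upgrade"), "websocket") || !hasToken(resp.Get("Connection"), "upgrade") {
		return fmt.Errorf("upstream 101 lacks Upgrade/Connection headers")
	}
	if got, want := resp.Get("Sec-WebSocket-Accept"), ExpectedAccept(key); got != want {
		return fmt.Errorf("Sec-WebSocket-Accept mismatch: got %q, want %q", got, want)
	}
	return nil
}
```

Run against the key/accept pair from a Caddy "upstream roundtrip" line, a passing check means the 101 itself is consistent, so a socket that still dies points at what happens after the handshake across the two proxies rather than at the upgrade.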

andtra commented 4 years ago

Det lykkes at lave en work-around med a bypasse proxien, ved at lave en yderliggende redirect direkte til endpointed i stedet for igennem caddy proxien. Det svækker jo så sikkerheden en smule, men det er et brugbart workaround. Jeg ved ikke om det er muligt at få webscokets til at køre igennem 2 proxies. Den yderliggende ingress og så caddy proxien. Det kender jeg ikke nok til websockets til 100% at kunne gennesmskue.