olbat / dockerfiles

A collection of Dockerfiles
https://hub.docker.com/u/olbat/
GNU General Public License v3.0

Bad Request from Kubernetes #71

Closed michaelschem closed 2 years ago

michaelschem commented 2 years ago

I've got the attached Kubernetes YAML. When I hit the service directly I get a Bad Request response. Interestingly, if I send the header Host: localhost it seems to work just fine.

My log file (/var/log/cups/error_log) shows the following errors, showing it failing when I access the service directly and through Istio behind the domain.

E [22/Apr/2022:19:57:53 +0000] [Client 131] Request from "localhost" using invalid Host: field "10.10.20.138:631".
E [22/Apr/2022:20:09:15 +0000] [Client 149] Request from "localhost" using invalid Host: field "cups.sk.stringking.com".

I've added the below configs as frequently recommended.

Listen *:631
ServerAlias *

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: p1
  labels:
    p1.service: p1-cups
  name: cups
spec:
  replicas: 1
  selector:
    matchLabels:
      p1.service: cups
  template:
    metadata:
      labels:
        p1.service: cups
    spec:
      containers:
        - name: cups
          image: olbat/cupsd
          ports:
            - containerPort: 631
          volumeMounts:
            - name: cups
              mountPath: /data
            - name: cups-config
              mountPath: /etc/cups/cupsd.conf
              subPath: cupsd.conf
          imagePullPolicy: Always
      restartPolicy: Always
      volumes:
        - name: cups
          persistentVolumeClaim:
            claimName: cups
        - name: cups-config
          configMap:
            name: cups-config
---
apiVersion: v1
kind: Service
metadata:
  namespace: p1
  name: p1-cups-service
  labels:
    p1.service: p1-cups-service
spec:
  ports:
    - name: http
      protocol: TCP
      port: 631
      targetPort: 631
  selector:
    p1.service: cups
  type: LoadBalancer
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: p1-cups
  namespace: p1
spec:
  gateways:
  - {{ .Values.web.gateway }}
  hosts:
  - "cups.sk.stringking.com"
  http:
  - name: p1
    match:
    route:
    - destination:
        host: p1-cups-service
        port:
          number: 631
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cups
  namespace: p1
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "storefs1-rook-cephfs"
  resources:
    requests:
      storage: 10Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: p1
  name: cups-config
data:
  cupsd.conf: |
    #
    # Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
    # complete description of this file.
    #

    # Log general information in error_log - change "warn" to "debug"
    # for troubleshooting...
    LogLevel warn

    # Deactivate CUPS' internal logrotating, as we provide a better one, especially
    # LogLevel debug2 gets usable now
    MaxLogSize 0

    # Listen on external interfaces for connections
    Listen *:631
    Listen /var/run/cups/cups.sock
    ServerAlias *

    # Show shared printers on the local network.
    Browsing On

    # Default authentication type, when authentication is required...
    DefaultAuthType Basic

    # Restrict access to the server...
    <Location />
      Order allow,deny
      Allow localhost
      Allow All
    </Location>

    # Restrict access to the admin pages...
    <Location /admin>
      Order allow,deny
      Allow All
    </Location>

    # Restrict access to configuration files...
    <Location /admin/conf>
      AuthType Default
      Require user @SYSTEM
      Order allow,deny
      Allow All
    </Location>

    # Set the default printer/job policies...
    <Policy default>
      # Job/subscription privacy...
      JobPrivateAccess default
      JobPrivateValues default
      SubscriptionPrivateAccess default
      SubscriptionPrivateValues default

      # Job-related operations must be done by the owner or an administrator...
      <Limit Create-Job Print-Job Print-URI Validate-Job>
        Order deny,allow
      </Limit>

      <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
        Require user @OWNER @SYSTEM
        Order deny,allow
      </Limit>

      # All administration operations require an administrator to authenticate...
      <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
        AuthType Default
        Require user @SYSTEM
        Order deny,allow
      </Limit>

      # All printer operations require a printer operator to authenticate...
      <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
        AuthType Default
        Require user @SYSTEM
        Order deny,allow
      </Limit>

      # Only the owner or an administrator can cancel or authenticate a job...
      <Limit Cancel-Job CUPS-Authenticate-Job>
        Require user @OWNER @SYSTEM
        Order deny,allow
      </Limit>

      <Limit All>
        Order deny,allow
      </Limit>
    </Policy>

    # Set the authenticated printer/job policies...
    <Policy authenticated>
      # Job/subscription privacy...
      JobPrivateAccess default
      JobPrivateValues default
      SubscriptionPrivateAccess default
      SubscriptionPrivateValues default

      # Job-related operations must be done by the owner or an administrator...
      <Limit Create-Job Print-Job Print-URI Validate-Job>
        AuthType Default
        Order deny,allow
      </Limit>

      <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
        AuthType Default
        Require user @OWNER @SYSTEM
        Order deny,allow
      </Limit>

      # All administration operations require an administrator to authenticate...
      <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
        AuthType Default
        Require user @SYSTEM
        Order deny,allow
      </Limit>

      # All printer operations require a printer operator to authenticate...
      <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
        AuthType Default
        Require user @SYSTEM
        Order deny,allow
      </Limit>

      # Only the owner or an administrator can cancel or authenticate a job...
      <Limit Cancel-Job CUPS-Authenticate-Job>
        AuthType Default
        Require user @OWNER @SYSTEM
        Order deny,allow
      </Limit>

      <Limit All>
        Order deny,allow
      </Limit>
    </Policy>
michaelschem commented 2 years ago

Ok, it's Istio routing the connection through localhost. Is there any way to ignore what host is being used?

michaelschem commented 2 years ago

Ok, solved. For anyone trying to do this, you'll need to re-write the Host header in the istio VirtualService.

    - destination:
        host: p1-cups-service
        port:
          number: 631
    headers:
      request:
        add:
          Host: "localhost"
olbat commented 2 years ago

Hey, I'm glad that you found a solution to fix your problem 👍 For anyone interested that's not using Istio, I guess that you could also set up the proper setting in the cupsd configuration file (most probably ServerAlias or ServerName).
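A defender-side check, added here and not part of the issue or of the olbat/dockerfiles project: it parses the `invalid Host: field` rejections in the error_log format quoted above, counts which Host: values cupsd refused, and turns them into explicit ServerAlias lines so the cupsd.conf fix can name exactly those hosts instead of `ServerAlias *`. The log lines are constructed to match the format in the issue; whether cupsd accepts a given alias remains up to cupsd.conf.

```python
import re
from collections import Counter

# Constructed sample lines in the cupsd error_log format quoted in the issue
# (the "I" line is filler to show that non-matching entries are ignored).
SAMPLE_LOG = """\
E [22/Apr/2022:19:57:53 +0000] [Client 131] Request from "localhost" using invalid Host: field "10.10.20.138:631".
E [22/Apr/2022:20:09:15 +0000] [Client 149] Request from "localhost" using invalid Host: field "cups.sk.stringking.com".
I [22/Apr/2022:20:09:20 +0000] [Client 150] Listening to 0.0.0.0:631 on fd 5...
E [22/Apr/2022:20:11:02 +0000] [Client 152] Request from "10.10.20.1" using invalid Host: field "cups.sk.stringking.com".
"""

INVALID_HOST_RE = re.compile(
    r'^E \[(?P<ts>[^\]]+)\] \[Client (?P<client>\d+)\] '
    r'Request from "(?P<src>[^"]+)" using invalid Host: field "(?P<host>[^"]+)"\.$'
)


def strip_port(host):
    """Drop a trailing :port; bracketed IPv6 literals keep their brackets."""
    if host.startswith("["):
        return host[: host.index("]") + 1] if "]" in host else host
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def parse_invalid_host_events(log_text):
    """Return one dict (ts, client, src, host) per 'invalid Host: field' rejection."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := INVALID_HOST_RE.match(line))]


def rejected_hosts(log_text):
    """Count rejections per Host: value (port removed): the names cupsd refused."""
    return Counter(strip_port(ev["host"]) for ev in parse_invalid_host_events(log_text))


def suggested_server_aliases(log_text):
    """Explicit ServerAlias lines covering exactly the names seen, instead of 'ServerAlias *'."""
    return ["ServerAlias " + h for h in sorted(rejected_hosts(log_text))]


if __name__ == "__main__":
    for ev in parse_invalid_host_events(SAMPLE_LOG):
        print(f'{ev["ts"]} client {ev["client"]} from {ev["src"]}: rejected Host "{ev["host"]}"')
    print("\n".join(suggested_server_aliases(SAMPLE_LOG)))
```

Run it against the real /var/log/cups/error_log to see every name the scheduler has been refusing before deciding which aliases to add.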