search

openshift / router

Ingress controller for OpenShift
Apache License 2.0
68 stars 114 forks source link

[release-4.14] OCPBUGS-32437: Introduce 'idle-close-on-response' option for frontends #580

Closed openshift-cherrypick-robot closed 5 months ago

openshift-cherrypick-robot commented 5 months ago

This is an automated cherry-pick of #573

/assign alebedev87

openshift-ci-robot commented 5 months ago

@openshift-cherrypick-robot: Jira Issue OCPBUGS-32044 has been cloned as Jira Issue OCPBUGS-32437. Will retitle bug to link to clone. /retitle [release-4.14] OCPBUGS-32437: Introduce 'idle-close-on-response' option for frontends

In response to [this](https://github.com/openshift/router/pull/580): >This is an automated cherry-pick of #573 > >/assign alebedev87 Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Frouter). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 5 months ago

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-32437, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/router/pull/580): >This is an automated cherry-pick of #573 > >/assign alebedev87 Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Frouter). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
Miciah commented 5 months ago

We believe this change is low risk, as described in https://github.com/openshift/router/pull/579#issuecomment-2064151878. /label backport-risk-assessed

frobware commented 5 months ago

/lgtm /approve

openshift-ci[bot] commented 5 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: frobware

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/router/blob/release-4.14/OWNERS)~~ [frobware] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
openshift-ci[bot] commented 5 months ago

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
alebedev87 commented 5 months ago

/jira refresh

openshift-ci-robot commented 5 months ago

@alebedev87: This pull request references Jira Issue OCPBUGS-32437, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to [this](https://github.com/openshift/router/pull/580#issuecomment-2065273871): >/jira refresh Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Frouter). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
melvinjoseph86 commented 5 months ago

/label cherry-pick-approved

alebedev87 commented 5 months ago

/jira refresh

openshift-ci-robot commented 5 months ago

@alebedev87: This pull request references Jira Issue OCPBUGS-32437, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to [this](https://github.com/openshift/router/pull/580#issuecomment-2066540835): >/jira refresh Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Frouter). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
melvinjoseph86 commented 5 months ago

Verifying using pre-image build

melvinjoseph@mjoseph-mac openshift-tests-private % oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.14.0-0.ci.test-2024-04-19-162652-ci-ln-zmcgilt-latest   True        False         104s    Cluster version is 4.14.0-0.ci.test-2024-04-19-162652-ci-ln-zmcgilt-latest
melvinjoseph@mjoseph-mac Downloads % oc rsh -n openshift-ingress  router-43113-5db576bf56-dv4j2 
sh-4.4$ cat haproxy.config  | grep   'option idle-close-on-response' -a7
  bind :80
  mode http

  # Workaround for a known issue encountered with certain HTTP clients,
  # particularly the Apache HTTP client (prior to version 5),
  # where closed idle connections are erroneously reused.
  # Bug reference: https://issues.redhat.com/browse/OCPBUGS-32044.
  option idle-close-on-response
  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP
  monitor-uri /_______internal_router_healthz

  # Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
  http-request deny if { hdr_len(content-length) 0 }

--
  server fe_sni unix@/var/lib/haproxy/run/haproxy-sni.sock weight 1 send-proxy

frontend fe_sni
  # terminate ssl on edge
  bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
  mode http

  option idle-close-on-response

  # Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
  http-request deny if { hdr_len(content-length) 0 }

  # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
  http-request del-header Proxy

--
  server fe_no_sni unix@/var/lib/haproxy/run/haproxy-no-sni.sock weight 1 send-proxy

frontend fe_no_sni
  # terminate ssl on edge
  bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem accept-proxy
  mode http

  option idle-close-on-response

  # Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
  http-request deny if { hdr_len(content-length) 0 }

  # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
  http-request del-header Proxy

The changes are present in haproxy.config file. As there is no proper reproducer for the issue, iirun regression on build locally and all route and ingress cases  are passing. Hence marking as verified 

/label qe-approved

melvinjoseph86 commented 5 months ago

/jira refresh

openshift-ci-robot commented 5 months ago

@melvinjoseph86: This pull request references Jira Issue OCPBUGS-32437, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug * bug is open, matching expected state (open) * bug target version (4.14.z) matches configured target version for branch (4.14.z) * bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST) * release note text is set and does not match the template * dependent bug [Jira Issue OCPBUGS-32435](https://issues.redhat.com//browse/OCPBUGS-32435) is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA)) * dependent [Jira Issue OCPBUGS-32435](https://issues.redhat.com//browse/OCPBUGS-32435) targets the "4.15.z" version, which is one of the valid target versions: 4.15.0, 4.15.z * bug has dependents

Requesting review from QA contact: /cc @melvinjoseph86

In response to [this](https://github.com/openshift/router/pull/580#issuecomment-2067158072): >/jira refresh Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Frouter). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci-robot commented 5 months ago

@openshift-cherrypick-robot: Jira Issue OCPBUGS-32437: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-32437 has been moved to the MODIFIED state.

In response to [this](https://github.com/openshift/router/pull/580): >This is an automated cherry-pick of #573 > >/assign alebedev87 Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Frouter). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-bot commented 5 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-haproxy-router-base-container-v4.14.0-202404200437.p0.g3f83325.assembly.stream.el8 for distgit ose-haproxy-router-base. All builds following this will include this PR.

openshift-merge-robot commented 5 months ago

Fix included in accepted release 4.14.0-0.nightly-2024-04-20-140625