Closed openshift-cherrypick-robot closed 5 months ago
@openshift-cherrypick-robot: Jira Issue OCPBUGS-32044 has been cloned as Jira Issue OCPBUGS-32437. Will retitle bug to link to clone. /retitle [release-4.14] OCPBUGS-32437: Introduce 'idle-close-on-response' option for frontends
@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-32437, which is invalid:
Comment /jira refresh
to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
We believe this change is low risk, as described in https://github.com/openshift/router/pull/579#issuecomment-2064151878. /label backport-risk-assessed
/lgtm /approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: frobware
The full list of commands accepted by this bot can be found here.
The pull request process is described here
@openshift-cherrypick-robot: all tests passed!
/jira refresh
@alebedev87: This pull request references Jira Issue OCPBUGS-32437, which is invalid:
Comment /jira refresh
to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
/label cherry-pick-approved
/jira refresh
@alebedev87: This pull request references Jira Issue OCPBUGS-32437, which is invalid:
Comment /jira refresh
to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
Verifying using pre-image build
melvinjoseph@mjoseph-mac openshift-tests-private % oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.14.0-0.ci.test-2024-04-19-162652-ci-ln-zmcgilt-latest True False 104s Cluster version is 4.14.0-0.ci.test-2024-04-19-162652-ci-ln-zmcgilt-latest
melvinjoseph@mjoseph-mac Downloads % oc rsh -n openshift-ingress router-43113-5db576bf56-dv4j2
sh-4.4$ cat haproxy.config | grep 'option idle-close-on-response' -a7
bind :80
mode http
# Workaround for a known issue encountered with certain HTTP clients,
# particularly the Apache HTTP client (prior to version 5),
# where closed idle connections are erroneously reused.
# Bug reference: https://issues.redhat.com/browse/OCPBUGS-32044.
option idle-close-on-response
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
monitor-uri /_______internal_router_healthz
# Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
http-request deny if { hdr_len(content-length) 0 }
--
server fe_sni unix@/var/lib/haproxy/run/haproxy-sni.sock weight 1 send-proxy
frontend fe_sni
# terminate ssl on edge
bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
mode http
option idle-close-on-response
# Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
http-request deny if { hdr_len(content-length) 0 }
# Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
http-request del-header Proxy
--
server fe_no_sni unix@/var/lib/haproxy/run/haproxy-no-sni.sock weight 1 send-proxy
frontend fe_no_sni
# terminate ssl on edge
bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem accept-proxy
mode http
option idle-close-on-response
# Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
http-request deny if { hdr_len(content-length) 0 }
# Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
http-request del-header Proxy
The changes are present in the haproxy.config file. As there is no proper reproducer for the issue, I ran regression on the build locally and all route and ingress cases are passing. Hence marking as verified.
/label qe-approved
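As an added example (not part of this PR or the router project), a shell check that automates the verification done above with `oc rsh` and `grep`: it walks a haproxy.config and reports any HTTP-mode frontend that lacks `option idle-close-on-response`. The config fragment is constructed for the demo and deliberately leaves one frontend non-compliant.

```shell
# Constructed haproxy.config fragment for the demo (not pulled from a router pod);
# fe_no_sni deliberately lacks the option so the check has something to flag.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
frontend public
  bind :80
  mode http
  option idle-close-on-response
  http-request deny if { hdr_len(content-length) 0 }

frontend fe_sni
  bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl accept-proxy
  mode http
  option idle-close-on-response

frontend fe_no_sni
  bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl accept-proxy
  mode http
  http-request del-header Proxy

frontend public_ssl
  bind :443
  mode tcp
EOF

# Print the name of every HTTP-mode frontend with no 'option idle-close-on-response'.
# A section starts at frontend/backend/listen/defaults/global; only frontends are tracked.
missing_idle_close() {
  awk '
    function flush() { if (name != "" && mode == "http" && !has_opt) print name }
    /^[ \t]*(frontend|backend|listen|defaults|global)([ \t]|$)/ {
      flush(); name = ""; mode = ""; has_opt = 0
      if ($1 == "frontend") name = $2
      next
    }
    /^[ \t]*mode[ \t]/ { mode = $2 }
    /^[ \t]*option[ \t]+idle-close-on-response([ \t]|$)/ { has_opt = 1 }
    END { flush() }
  ' "$1"
}

# Return 0 when every HTTP frontend carries the option, 1 (offenders on stderr) otherwise.
check_idle_close() {
  out="$(missing_idle_close "$1")"
  [ -z "$out" ] && return 0
  printf 'frontends missing idle-close-on-response:\n%s\n' "$out" >&2
  return 1
}

check_idle_close "$SAMPLE_CFG" || echo "sample config fails the check, as intended"
```

Run it against a copy of the pod's haproxy.config (`oc rsh ... cat haproxy.config > local.cfg`) to get a pass/fail answer instead of reading grep context by eye.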
/jira refresh
@melvinjoseph86: This pull request references Jira Issue OCPBUGS-32437, which is valid. The bug has been moved to the POST state.
Requesting review from QA contact: /cc @melvinjoseph86
@openshift-cherrypick-robot: Jira Issue OCPBUGS-32437: All pull requests linked via external trackers have merged:
Jira Issue OCPBUGS-32437 has been moved to the MODIFIED state.
[ART PR BUILD NOTIFIER]
This PR has been included in build ose-haproxy-router-base-container-v4.14.0-202404200437.p0.g3f83325.assembly.stream.el8 for distgit ose-haproxy-router-base. All builds following this will include this PR.
Fix included in accepted release 4.14.0-0.nightly-2024-04-20-140625
This is an automated cherry-pick of #573
/assign alebedev87