Closed nickzaev closed 2 years ago
I've encountered 2 Tempesta bugs during poking around these tests:
1) http_rules.test_http_tables.H2Redirects
fails with
[Tue Aug 9 14:03:04 2022] [tempesta fw] Warning: request dropped: cannot find appropriate virtual host: 127.0.0.1
If you uncomment #-> redirection_chain;
line in the main chain, the test passes. Just to make sure that this behavior is not caused by poorly formed configuration, I've provided 2 additional temporary tests (that will be deleted after we resolve corresponding Tempesta issues) that have pretty much the same configurations (except for the TLS part): http_rules.test_http_tables.HttpRedirects
and http_rules.test_http_tables.HttpsRedirects
. They both pass. Note that both of them don't have -> redirection_chain;
in the main chain, so this h2
case is isolated. From my understanding, what happens is that Tempesta cannot match the request to any vhost because it simply doesn't have Host
field within the request. I haven't digged deep enough into Tempesta code yet, so I added checks for:
hdr "Authority" == "tempesta-tech.com" -> redirection_chain;
 hdr ":authority" == "tempesta-tech.com" -> redirection_chain;
 hdr "authority" == "tempesta-tech.com" -> redirection_chain;
as well in case if that would help, but it didn't — the test still fails.
2) cache.test_cache.H2Cache
fails with:
[Tue Aug 9 14:31:49 2022] [tempesta fw] Warning: Unable to transform HTTP/1.1 data into HTTP/2 format: free space exhausted (accumulated length: 78
[Tue Aug 9 14:31:49 2022] [tempesta tls] Warning: [::ffff:127.0.0.1] Bad TLS alert
This is a known Tempesta issue (#261, #1669). Note that:
test (cache.test_cache.H2Cache) ... Amount of requests passed to the backend: 2
FAIL
basically means that requests get to the backend and Tempesta fails to return them back to the client.
Regarding that tempesta tls
warning, I'm not aware of it's meaning at the moment, but [::ffff:127.0.0.1]
is definitely not a valid IPv6 address, so that might be a separate issue.
Issue (1) looks like about https://github.com/tempesta-tech/tempesta/issues/1630 - could you please disable the test pointing out the issue. I think just using authority
in the rules should work, but it'd be good to leave the host
rule pointing out to another chain/redirection to make sure that we process Host
and authority
in correct way (in terms of the cited issue).
I added comment 7 about Bad TLS alert
message - this is some separate issue. ::ffff:127.0.0.1
is just a IPv4-mapped IPv6 address: Tempesta FW handles all addressed in IPv6 internally and if you use IPv4, then it maps the address(es) to IPv6.
Issue (1) looks like about tempesta-tech/tempesta#1630 - could you please disable the test pointing out the issue. I think just using
authority
in the rules should work, but it'd be good to leave thehost
rule pointing out to another chain/redirection to make sure that we processHost
andauthority
in correct way (in terms of the cited issue).I added comment 7 about
Bad TLS alert
message - this is some separate issue.::ffff:127.0.0.1
is just a IPv4-mapped IPv6 address: Tempesta FW handles all addressed in IPv6 internally and if you use IPv4, then it maps the address(es) to IPv6.
No, it's not tempesta-tech/tempesta#1630, it's about matching pseudo-headers by http tables. Now we can't match any pseudo-headers by using hdr
keyword in http chain. To match :authority
we can use only Host
keyword in http chain block.
With the slack discussion it's worth testing configuration like:
hdr "authority" == "tempesta-tech.com" -> one_chain;
host == "tempesta-tech.com" -> some_other_chain;
These tests aim to ensure that Tempesta generates correct static responses in most common use-cases using
h2
protocol.