[BUG] Outdated proxy's IP address #19497

Closed
3 tasks done
willtn opened this issue Feb 27, 2021 · 6 comments · Fixed by #19558
Labels: Azure.Core, azure-core, customer-reported, HttpClient, question


willtn commented Feb 27, 2021

Describe the bug
A clear and concise description of what the bug is.
Our service uses com.azure.security.keyvault.keys.cryptography.CryptographyClient to send requests to Azure Key Vault through our proxy, configured via JAVA_OPTS. Whenever we change the IP address of our proxy, our service becomes unable to connect to Azure Key Vault via a proxy.

Exception or Stack Trace

Max retries 3 times exceeded. Error Details: connection timed out: proxy.domain.name/100.100.0.237:1000

To Reproduce

  1. Start the JVM app with the following options -Dhttp.proxyHost=proxy.domain.name -Dhttp.proxyPort=1000 -Djava.net.useSystemProxies=true
  2. Build an Azure CryptographyClient and invoke CryptographyClient.sign. This will succeed.
  3. Change the actual IP address of proxy.domain.name in the DNS server.
  4. Invoke CryptographyClient.sign again. This will fail.

Code Snippet

// Start the JVM app with the following options `-Dhttp.proxyHost=proxy.domain.name -Dhttp.proxyPort=1000 -Djava.net.useSystemProxies=true`
CryptographyClient cryptoClient = new CryptographyClientBuilder()
        .keyIdentifier(vaultConfig.keyId.toString())
        .credential(credential)
        .buildClient();

// The first call succeeds; the call made after the proxy's DNS record changes fails.
cryptoClient.sign(toAzure(vaultConfig.signingAlgorithm), hash);

Expected behavior
The CryptographyClient should connect to the key vault properly through the configured proxy.

Setup (please complete the following information):

azure-security-keyvault-keys: 4.2.5
azure-identity: 1.2.3

Information Checklist

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Feb 27, 2021
Author

willtn commented Feb 27, 2021

After digging into the library, I believe the root cause is the fact that the proxy's host is resolved per initialization instead of per HTTP request. According to the Java doc, InetSocketAddress attempts to resolve the hostname.

https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/core/azure-core/src/main/java/com/azure/core/http/ProxyOptions.java#L302:L302

@willtn willtn changed the title [BUG] [BUG] Outdated proxy's IP address Feb 28, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Mar 1, 2021
@alzimmermsft alzimmermsft self-assigned this Mar 1, 2021
@alzimmermsft
Member

Thank you for filing this issue @willtn.

I'll investigate better handling for validating the socket address per request rather than initialization. For a little more clarification on the issue, the proxy has a DNS name such as https://my-proxy.com which has a backing IP which is non-static.
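
The difference discussed in the two comments above (resolving the proxy host once at initialization versus once per request), as an added Java example that is not part of the thread and is not the SDK's actual fix. `LazyProxyAddress` and `resolveNow` are hypothetical names, `localhost` stands in for `proxy.domain.name` so the code runs offline, and the 30-second cache TTL is an assumed value.

```java
import java.net.InetSocketAddress;
import java.security.Security;

public class ProxyAddressResolution {

    // Hypothetical holder: keeps only the host name and port, never a resolved IP.
    static final class LazyProxyAddress {
        private final InetSocketAddress unresolved;

        LazyProxyAddress(String host, int port) {
            // createUnresolved performs no DNS lookup.
            this.unresolved = InetSocketAddress.createUnresolved(host, port);
        }

        // Call once per request: constructing a new InetSocketAddress triggers a
        // lookup, subject to the JVM's own DNS cache TTL.
        InetSocketAddress resolveNow() {
            return new InetSocketAddress(unresolved.getHostString(), unresolved.getPort());
        }
    }

    public static void main(String[] args) {
        // Bound the JVM-level positive DNS cache (assumed value: 30 seconds).
        // Set this before the first lookup so the policy picks it up.
        Security.setProperty("networkaddress.cache.ttl", "30");

        String host = "localhost"; // constructed stand-in for proxy.domain.name
        int port = 1000;

        // Pattern described in the issue: the IP is looked up once, at construction,
        // and stays pinned for the lifetime of the object.
        InetSocketAddress eager = new InetSocketAddress(host, port);
        System.out.println("eager unresolved? " + eager.isUnresolved()
                + ", pinned IP: " + eager.getAddress());

        LazyProxyAddress lazy = new LazyProxyAddress(host, port);
        for (int request = 1; request <= 2; request++) {
            InetSocketAddress target = lazy.resolveNow();
            if (target.isUnresolved()) {
                // Lookup failed: fail this request instead of reusing a stale IP.
                System.out.println("request " + request + ": cannot resolve " + host);
                continue;
            }
            System.out.println("request " + request + ": connect to " + target.getAddress());
        }
    }
}
```

A pinned address matters beyond availability: once the old proxy IP is released it may be assigned to a different host, so a long-lived client should not keep sending traffic to it.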

Author

willtn commented Mar 29, 2021

@alzimmermsft thank you for resolving this issue. When can we expect the releases of azure-security-keyvault-keys and azure-identity containing this patch? Thanks again.

@alzimmermsft
Member

Hi @willtn, a release containing this fix will be shipped before the end of the week (2021/04/02), I'll update this issue once shipped.

@alzimmermsft alzimmermsft reopened this Mar 29, 2021
Author

willtn commented Apr 13, 2021

Hello @alzimmermsft, may I get an update on this please? Thanks.

@alzimmermsft
Member

Thanks for the reminder @willtn, the fix for this shipped in the latest releases of azure-core, azure-core-http-netty, and azure-core-http-okhttp.

Azure Core Changelog
Azure Core HTTP Netty Changelog
Azure Core HTTP OkHttp Changelog

@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023