New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ingresses for a sticky services with a single ingress path can get multiple cookies #1744
Comments
Seems related to #1716 |
I have been debugging the issue together with @thomas-b-jackson on Slack for a few days. Tom also tried the current experimental Docker Hub image which includes #1716; unfortunately, it didn't make a difference. The problem manifests both with 1.2.3 and 1.3.0, so it doesn't look like a (recent) regression either. |
note that it seems to manifest more rarely with v1.2.3 than it does with v1.3.0 we saw in on multiple client sessions with v1.3.0, but have so far seen in only on one client session with v1.2.3 |
What's interesting is that some screenshots show multiple cookies having the same content, i.e., server URLs, which means that Traefik likely considered the cookie to not contain a valid server URL anymore at some point and created another one with the same URL. The oxy library uses The question would then be: why/how do we run into this case? |
Preliminary results: Chrome sometimes seems to be losing the sticky cookie that Treafik sets. The behavior isn't super consistent but reproducible for sure. Other browsers don't seem to have that problem, and neither does the Nginx Ingress controller. To be continued... |
after lots of trial and error we've found root cause: the problem is that when traefik sets its cookie it doesn't specify a path so the browser has to assume a path chrome assumes the path of the splash page you use to access the web app in the repro steps firefox and safari assume the root path in chrome, for subsequent call backs, if the callback path doesn't match the original path, chrome doesn't send the traefik cookie if chrome doesn't send the traefik cookie, traefic responds by sending a new cookie with a different value. |
The Internet indicates that not setting the path can lead to problems just like the one @thomas-b-jackson describes. AFAICS, we should set the cookie path. One question is whether we should set it to root ( @containous/traefik any thoughts? |
We are currently facing the same problem. One application with sub-paths results in multiple loadbalancer-cookies. In my optinion both cases are valid. Setting it to root ( |
I got the simple fix working for our servers working. I forked the oxy libs and set the cookie-path to "/". Now the clients can handle the cookie correctly. I pushed it as marcopaga/traefik:1.3.5.2 based on 1.3.5 and the simple fixing commit. |
/cc @marco-jantke |
I am trying to figure out a more general solution for the problem at hand. One precondition I would like to mention is that the cookie name contains the backend name in the latest version and so we can have multiple cookies, one per backend. I was thinking whether we still have to add a specific Path to a cookie or whether / suffices after the addition of the Backend name. Consider the following configuration: [frontends]
[frontends.frontend1]
backend = "backend1"
[frontends.frontend1.routes.test_1]
rule = "Path:/ok"
[frontends.frontend2]
backend = "backend1"
[frontends.frontend2.routes.test_1]
rule = "Path:/notOk"
[backends]
[backends.backend1]
[backends.backend1.LoadBalancer]
sticky = true
[backends.backend1.servers.server1]
url = "http://localhost:8081"
[backends.backend1.servers.server2]
url = "http://localhost:8082" To my understanding it seems the desired behaviour that for requests to /ok and /notOk we have the same sticky backend and this will always be the case when we set the cookie's path to /. If that is the case, I think we can make the logical conclusion that the same holds true for other @timoreimann @marcopaga WDYT about it? |
@marco-jantke makes sense to me. One caveat we should mention is that the security/privacy concern I alluded to before would still be present. Given the complexity of matching paths properly when regular expressions are involved, however, I say we move forward with the root-based solution for now. After all, a lot of folks are presumably operating Traefik in a trusted environment where these concerns don't matter. @marcopaga would you mind submitting a PR against containous/oxy and afterwards one against containous/traefik to vendor the updated oxy package? Thanks! |
Sure, great :) @timoreimann I created the pull request for oxy to set the cookie path. Once it is merged I will create a PR for containous/traefik. @marco-jantke I changed the commit to reflect my new knowledge regarding "iff" |
I created the PR to pick up the changes in oxy. |
@marco-jantke @timoreimann We see the same problem on our environments, we use v1.3.3 of traefik. The situation usually happens when there are different backends that serve the UI and APIs for an application and there may be cases where the UI makes async calls to the API service. Both being served by the same domain but have different prefixes. a hypothetical eg: users use the /ui prefix to access the application on the browser, the browser serves content based on results from async calls to /api both requiring sticky behavior. |
Do you want to request a feature or report a bug?
Bug
What did you do?
What did you expect to see?
Since stickiness is configured, and since a single, global path was specified, all requests from a given client browser session should be directed to the same app pod.
What did you see instead?
For some web clients, all requests go to the same app pod.
For some other web clients, requests for path path1 always to to pod A, request for path2 got to pod B, etc.
Output of
traefik version
1.3.0
What is your environment & configuration
traefik config
app ingress resource
app svc
If applicable, please paste the log output in debug mode (
--debug
switch)The text was updated successfully, but these errors were encountered: