Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gateway-api: requestHeaderModifier in HTTPRoute cannot set Host header #31844

Closed
nak3 opened this issue Apr 1, 2021 · 1 comment · Fixed by #31852
Closed

gateway-api: requestHeaderModifier in HTTPRoute cannot set Host header #31844

nak3 opened this issue Apr 1, 2021 · 1 comment · Fixed by #31852
Assignees
@howardjohn
Labels
area/networking

Comments

@nak3
Copy link
Member

nak3 commented Apr 1, 2021

Bug description

Affected product area (please put an X in all that apply)

[X] Networking

Expected behavior

  • When requestHeaderModifier sets Host header and controller should add the header via different directive.
  • :authority also cannot be set with the same reason.

Steps to reproduce the bug

1. Try to set Host: foo.example.com in HTTPRoute

cat <<EOF | kubectl apply -f -
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
  name: host-header
spec:
  gateways:
    allow: FromList
    gatewayRefs:
    - name: test-gateway
      namespace: knative-serving
  hostnames:
  - test.example.com
  rules:
  - filters:
    - requestHeaderModifier:
        set:
          Host: foo.example.com
      type: RequestHeaderModifier
    forwardTo:
    - port: 80
      serviceName: ingress-conformance-host-rewrite-njaysumq
      weight: 1
    matches:
    - path:
        type: Prefix
        value: /
EOF

2. istio-ingressgateway rejects the HTTPRoute

$ kubectl  -n istio-system logs istio-ingressgateway-d5dfc5d8b-cl8bg -f
  ...
2021-04-01T06:25:15.732110Z	warning	envoy config	gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: :-prefixed or host headers may not be modified

$ kubectl  -n istio-system  logs istiod-85f9ccb96d-ks8hd |grep -i header
2021-04-01T05:33:04.824343Z	warn	ads	ADS:RDS: ACK ERROR router~172.20.37.2~istio-ingressgateway-d5dfc5d8b-vms5m.istio-system~istio-system.svc.cluster.local-1 Internal::-prefixed or host headers may not be modified

Version

$ istioctl version
client version: 1.10-alpha.75974d56a327e9857f36d17151b2ef3146745b92
control plane version: 1.10-alpha.75974d56a327e9857f36d17151b2ef3146745b92
data plane version: 1.10-alpha.75974d56a327e9857f36d17151b2ef3146745b92 (2 proxies)
@nak3 nak3 mentioned this issue Apr 1, 2021
Closed
5 tasks
@howardjohn
Copy link
Member

This is broken in VirtualService as well it seems...

@howardjohn howardjohn self-assigned this Apr 1, 2021
howardjohn added a commit to howardjohn/istio that referenced this issue Apr 1, 2021
@howardjohn
Properly validate header operations and allow host header modification
6abff5a 
Fixes istio#31844

Envoy will reject header options for `Host` or `:`-prefixed. This adds
validation to our webhook to capture these. Additionally, it allows
setting `host` or `:authority` specifically, by internally transforming
it to a `authorityRewrite`.
@howardjohn howardjohn mentioned this issue Apr 1, 2021
Merged
istio-testing pushed a commit that referenced this issue Apr 5, 2021
@howardjohn
Properly validate header operations and allow host header modification (
31d9498 
#31852)

Fixes #31844

Envoy will reject header options for `Host` or `:`-prefixed. This adds
validation to our webhook to capture these. Additionally, it allows
setting `host` or `:authority` specifically, by internally transforming
it to a `authorityRewrite`.
@theofpa theofpa mentioned this issue Jun 2, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@howardjohn howardjohn

Labels
area/networking
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Properly validate header operations and allow host header modification howardjohn/istio
2 participants
@howardjohn @nak3