New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1878319: Allow trailing dots in host names #180
Bug 1878319: Allow trailing dots in host names #180
Conversation
@Miciah: This pull request references Bugzilla bug 1878319, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
43b87b3
to
79d252b
Compare
@Miciah: This pull request references Bugzilla bug 1878319, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work. Pointed out one small concern.
Change the generated os_sni_passthrough.map map file to match server names without port numbers or paths. * pkg/router/template/util/util.go (generateRouteHostRegexp): New function. Generate a regular expression just for the route host, for use in other regular expressions. (GenerateRouteRegexp): Use generateRouteHostRegexp. (GenerateSNIRegexp): New function. Use generateRouteHostRegexp to generate a regular expression to match route hosts against a server name in a TLS client hello message. * pkg/router/template/util/haproxy/map_entry.go (generateTCPMapEntry): Use GenerateSNIRegexp. * pkg/router/template/util/haproxy/map_entry_test.go (TestGenerateSNIPassthroughMapEntry): Expect keys that match only server names (not port number or path). * pkg/router/template/template_helper_test.go (TestGenerateHAProxyMap): Expect os_sni_passthrough.map to have patterns that match only server names (not port number or path).
When generating the pattern for a map entry to match a route host and path, make sure the pattern allows for a trailing dot in the host name. RFC 7230, section 5.4, specifies that the HTTP "host" header value includes the URI host as defined in RFC 3986, section 3.2.2, which indicates that a trailing dot is permitted. Note that the same treatment is not required for entries in the certificate map because RFC 3546, section 3.1, specifies that the server name in a TLS client hello message does *not* have a trailing dot. This commit fixes bug 1878319. https://bugzilla.redhat.com/show_bug.cgi?id=1878319 * pkg/router/template/util/util.go (GenerateRouteRegexp): Match an optional trailing dot in the host name. * pkg/router/template/template_helper_test.go (TestGenerateHAProxyMap): * pkg/router/template/util/haproxy/map_entry_test.go (TestGenerateWildcardDomainMapEntry, TestGenerateHttpMapEntry) (TestGenerateEdgeReencryptMapEntry, TestGenerateHttpRedirectMapEntry) (TestGenerateTCPMapEntry): * pkg/router/template/util/util_test.go (TestGenerateRouteRegexp): Verify that the trailing dot is permitted.
79d252b
to
0614648
Compare
@Miciah: This pull request references Bugzilla bug 1878319, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Looks great! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah, sgreene570 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
@Miciah: All pull requests linked via external trackers have merged: Bugzilla bug 1878319 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
generateSNIPassthroughMapEntry
: Match only hostChange the generated
os_sni_passthrough.map
map file to match server names without port numbers or paths.pkg/router/template/util/util.go
(generateRouteHostRegexp
): New function. Generate a regular expression just for the route host, for use in other regular expressions.(
GenerateRouteRegexp
): UsegenerateRouteHostRegexp
.(
GenerateSNIRegexp
): New function. UsegenerateRouteHostRegexp
to generate a regular expression to match route hosts against a server name in a TLS client hello message.pkg/router/template/util/haproxy/map_entry.go
(generateTCPMapEntry
): UseGenerateSNIRegexp
.pkg/router/template/util/haproxy/map_entry_test.go
(TestGenerateSNIPassthroughMapEntry
): Expect keys that match only server names (not port number or path).pkg/router/template/template_helper_test.go
(TestGenerateHAProxyMap
): Expectos_sni_passthrough.map
to have patterns that match only server names (not port number or path).Allow trailing dots in host names
When generating the pattern for a map entry to match a route host and path, make sure the pattern allows for a trailing dot in the host name.
RFC 7230, section 5.4, specifies that the HTTP "host" header value includes the URI host as defined in RFC 3986, section 3.2.2, which indicates that a trailing dot is permitted.
Note that the same treatment is not required for entries in the certificate map because RFC 3546, section 3.1, specifies that the server name in a TLS client hello message does not have a trailing dot.
pkg/router/template/util/util.go
(GenerateRouteRegexp
): Match an optional trailing dot in the host name.pkg/router/template/template_helper_test.go
(TestGenerateHAProxyMap
):pkg/router/template/util/haproxy/map_entry_test.go
(TestGenerateWildcardDomainMapEntry
,TestGenerateHttpMapEntry
,TestGenerateEdgeReencryptMapEntry
,TestGenerateHttpRedirectMapEntry
,TestGenerateTCPMapEntry
):pkg/router/template/util/util_test.go
(TestGenerateRouteRegexp
): Verify that the trailing dot is permitted.