Since rancher/lb-controller@8346f306 the "name" for the backend servers is hashed using sha1. This creates some major issues for some specific setups we're currently using:
A backend service does many checks on the headers and cookie content. This means the HAProxy in the lb must do some rewrites, for both client-server and server-client connections.
Most of them involve the backend name, for example:
```
# Rewrite Domain in All Headers to match public name
rspirep (.*)BACKEND_FQDN(.*) \1PUBLIC_NAME\2
# Rewrite Referer Header to match name of the backend server
http-request set-header Referer https://%[req.cook(SRV_ID_443_)]/ipa/
```
(note: BACKEND_FQDN is a regexp in order to match the different backends in one line)
Those rewrites are needed in order to prevent wrong rewrites from the backend application, as well as to ensure the cookies are sent and set correctly (the service is authenticated).
This was possible before the mentioned commit, because the generated line in HAProxy configuration was as follows:
```
server backend-name.tld backend-name.tld:443 [other options]
```
Since the change in HAProxy configuration with the hashing of the name, the line is now:
```
server sha1(backend-name.tld) backend-name.tld:443 [other options]
```
It would be really good to either revert the commit (I don't really see what it should have corrected), or allow to NOT hash the backend name (at least).
Also, in our setup, we use cookie stickiness, and the backend name was also in it - since the commit, it's a hash, and this breaks one of the rewrites we were using (the application is using some referrer checks, and we rewrite it using the sticky cookie value).
Whoops, sorry, ctrl+enter while wanting to do something else. Some more information:
We're using a HAProxy directive in its "defaults" section that allows sending the backend name as a header: http-send-name-header Host - this allows us to "hide" the public name used to access the lb, and ensure the backend actually gets its right/correct name. Since the commit, it's now the hash that is sent, and it breaks the checks at the application level. Among other things.
Thank you for your concern - feel free to ask for more information if needed.
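The effect described in this report, modelled as an added example (not code from the issue or from lb-controller): it renders the `server` line both ways and shows which value reaches the `Host` header and the `Referer` rewrite, plus a hash-to-FQDN table for recovering the real name. The backend names are constructed, the function names are hypothetical, and it assumes the hashed name is the hex SHA-1 of the FQDN string.

```python
import hashlib

# Constructed sample backends; not taken from the issue.
BACKENDS = ["ipa1.example.test", "ipa2.example.test"]


def server_name(fqdn, hashed):
    """Name token of the generated `server` line.

    Assumption: the hashed form is the hex SHA-1 of the FQDN string.
    """
    return hashlib.sha1(fqdn.encode()).hexdigest() if hashed else fqdn


def server_line(fqdn, hashed, port=443):
    """Generated HAProxy line, without the trailing options."""
    return f"server {server_name(fqdn, hashed)} {fqdn}:{port}"


def derived_values(fqdn, hashed):
    """Values that follow the server name in the setup described above."""
    name = server_name(fqdn, hashed)
    return {
        # http-send-name-header Host sends the server name as Host.
        "host_header": name,
        # The Referer rewrite is built from the sticky cookie value,
        # which carried the server name in the reporter's setup.
        "referer": f"https://{name}/ipa/",
    }


def reverse_lookup(backends):
    """hash -> FQDN table to map a hashed name back to the backend."""
    return {server_name(b, True): b for b in backends}


if __name__ == "__main__":
    for b in BACKENDS:
        for hashed in (False, True):
            print(server_line(b, hashed))
            print("   ", derived_values(b, hashed))
```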