[Load Balancer] name for backend servers are now hash: this create some big changes #7863

Closed
cjeanneret opened this issue Feb 17, 2017 · 3 comments
Labels
area/loadbalancer kind/question Issues that just require an answer. No code change needed

Comments

@cjeanneret

Hello,

Since rancher/lb-controller@8346f306 the "name" for the backend servers is hashed using sha1. This creates some major issues for some specific setups we're currently using:
A backend service does many checks on the headers and cookie content. This means the HAProxy in the lb must do some rewrites, for both client-server and server-client connections.
Most of them involve the backend name, for example:

      # Rewrite Domain in All Headers to match public name
      rspirep (.*)BACKEND_FQDN(.*) \1PUBLIC_NAME\2
      # Rewrite Referer Header to match name of the backend server
      http-request set-header Referer https://%[req.cook(SRV_ID_443_)]/ipa/

(note: BACKEND_FQDN is a regexp in order to match the different backends in one line)

Those rewrites are needed in order to prevent wrong rewrites from the backend application, as well as to ensure the cookies are sent and set correctly (the service is authenticated).

This was possible before the mentioned commit, because the generated line in HAProxy configuration was as follows:

      server backend-name.tld backend-name.tld:443 [other options]

Since the change in HAProxy configuration with the hashing of the , and the line is now:

      server sha1(backend-name.tld) backend-name.tld:443 [other options]

It would be really good to either revert the commit (I don't really see what it should have corrected), or allow to NOT hash the backend name (at least).

Also, in our setup, we use cookie stickiness, and the backend name was also in it - since the commit, it's a hash, and this breaks one of the rewrites we were using (the application is using some referrer checks, and we rewrite it using the sticky cookie value).

@cjeanneret
Author

Whoops, sorry, ctrl+enter while wanting to do something else. Some more information:

we're using a HAProxy directive in its "defaults" section that allows to send the backend name as a header: http-send-name-header Host - this allows to "hide" the public name used to access the lb, and ensure the backend actually gets its right/correct name. Since the commit, it's now the hash that is sent, and it breaks the checks at the application level. Among other things.

Thank you for your concern - feel free to ask for more information if needed.

Cheers,

C.
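
An added example, not part of the issue or of lb-controller: a Python check over a generated HAProxy configuration that reports, for each `server` line, whether the server name is still the backend host name or a 40-hex-character hash, which is the value `http-send-name-header Host` and name-based rewrites would see. The sample config and the `example.test` names are constructed, and the hashed name is built as SHA-1 of the host name only for illustration, since the issue does not state the controller's exact hash input.

```python
import hashlib
import re

# Constructed sample, not taken from the issue. The hash input (the bare host
# name) is an assumption made only to produce a realistic 40-hex server name.
HASHED_NAME = hashlib.sha1(b"ipa2.example.test").hexdigest()
SAMPLE_CFG = f"""\
defaults
    http-send-name-header Host
backend app_443
    server ipa1.example.test ipa1.example.test:443 check   # old style
    server {HASHED_NAME} ipa2.example.test:443 check       # hashed style
"""

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def audit_server_names(cfg_text):
    """Return (name, address_host, status) for every `server` line."""
    results = []
    for line in cfg_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 3 or fields[0] != "server":
            continue
        name, address = fields[1], fields[2]
        host = address.rsplit(":", 1)[0]  # strip the port, keep the host part
        if name == host:
            status = "name-is-host"    # header and cookie carry the FQDN
        elif SHA1_HEX.match(name.lower()):
            status = "hashed-name"     # header and cookie carry an opaque hash
        else:
            status = "other-name"
        results.append((name, host, status))
    return results


def hash_to_host_map(cfg_text):
    """Map each hashed server name back to the host in its address field."""
    return {n: h for n, h, s in audit_server_names(cfg_text) if s == "hashed-name"}


if __name__ == "__main__":
    for name, host, status in audit_server_names(SAMPLE_CFG):
        print(f"{status:13} {name} -> {host}")
```
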

cjeanneret referenced this issue in rancher/lb-controller Feb 20, 2017
@cjeanneret
Author

Hello,

Any news? Would be good if this could be solved.

@superseb superseb added kind/question Issues that just require an answer. No code change needed area/loadbalancer labels May 23, 2017
@loganhz

loganhz commented Oct 5, 2018

With the release of Rancher 2.0, development on v1.6 is only limited to critical bug fixes and security patches.

@loganhz loganhz closed this as completed Oct 5, 2018