CNAME flattening #3403
CNAME flattening #3403
Conversation
- Resolve CNAME recursively - Get the first(request) and last(potential) - Compare with the available host rule
- add cache mechanism for cname flattening
ldez
added
kind/enhancement
|
Hello @gamalan . Many thanks for this PR. 👍 We talked about it with the team and, even if we understand the need, we are not sure that it's a best practice to check the That's why, I guess it should be great if the WDYT? |
|
AFAIK Openstack Swift is using CNAME flattening, as a precaution they have a limit (lookup_depth) of dns resolves which are allowed for each request. https://docs.openstack.org/newton/config-reference/object-storage/features.html "CNAME lookup" https://github.com/openstack/swift/blob/master/swift/common/middleware/cname_lookup.py |
|
@nmengin agreed, not all people need this. My take is set up an additional set of global config, inside entrypoint, called
An example : [entryPoints.resolver]
CNAMEFlattening = true
resolverDepth = 10
cache = 30NB : to able generating the SSL for the incoming request, this feature need Happy to accept some opinion. |
|
@gamalan if you set Would you also consider a case where dns servers for CNAMEFlattening resolving can be specified in config file ? The |
|
@gregorybrzeski ah, forgot about that case, you are right, I think 5 should suffice for default. Also for the resolver config, good idea, but it should follow the resolv.conf standard(not sure gonna work in windows though). |
|
Updated, already make a new set of config, haven't been pushed yet. Currently, the CNAME flattening process is separated as a new package, the unit test has been added, the integration test and documentation is WIP. Not sure where to put for the documentation. The additional config is set to global, as example [resolver] #currently using resolver label
cnameFlattening = true #default is false, if this not set true, following config is useless
resolvConfig = "/etc/resolv.conf" # default is /etc/resolv.conf, if changed, the following file must follow resolv.conf standard
resolvDepth = 5 # maximum CNAME lookup depth before finishing
cacheDuration = "30m" # default cache expiration 30 minute |
# Conflicts: # server/server.go
|
Hello @gamalan , Many thanks for the modifications you made. We think the The flag should look like this : [resolver] #currently using resolver label
cnameFlattening = true #default is false, if this not set true, following config is useless
resolvConfig = "/etc/resolv.conf" # default is /etc/resolv.conf, if changed, the following file must follow resolv.conf standardMoreover, we would like to give the possibility to the users to enable WDYT? |
docs/configuration/commons.md
Outdated
|
|
||
| ``` | ||
|
|
||
| - To allow serving secure https request and generate the SSL using ACME while `cnameFlattening` is set to `true`. The `acme` configuration |
There was a problem hiding this comment.
Please only write one sentence by line.
docs/configuration/commons.md
Outdated
| ``` | ||
|
|
||
| - To allow serving secure https request and generate the SSL using ACME while `cnameFlattening` is set to `true`. The `acme` configuration | ||
| for `HTTP-01` challenge and `onDemand` is mandatory. Refer to [ACME configuration](/configuration/acme) for more information. |
There was a problem hiding this comment.
Please only write one sentence by line.
hostresolver/hostresolver.go
Outdated
| Record string | ||
| } | ||
|
|
||
| // CNAMEFlatten check if CNAME records is exists, flatten if possible |
There was a problem hiding this comment.
CNAMEFlatten check if CNAME records is exists,
Please modify in CNAMEFlatten check if CNAME records exists.
hostresolver/hostresolver.go
Outdated
| return result[0], result[len(result)-1] | ||
| } | ||
|
|
||
| // CNAMEResolve resolve CNAME if exists, and return with the highest TTL |
There was a problem hiding this comment.
Can you correct the comment please: CNAMEResolve resolves CNAME if exists, and returns with the highest TTL ?
hostresolver/hostresolver.go
Outdated
|
|
||
| // CNAMEResolve resolve CNAME if exists, and return with the highest TTL | ||
| func (hr *HostResolver) CNAMEResolve(host string) *CNAMEResolv { | ||
| config, _ := dns.ClientConfigFromFile(hr.ResolvConfig) |
There was a problem hiding this comment.
Can you manage the error please?
hostresolver/hostresolver.go
Outdated
| r, _, err := c.Exchange(m, net.JoinHostPort(config.Servers[i], config.Port)) | ||
| if err != nil { | ||
| log.Errorf("Failed to resolve host %s with server %s", host, config.Servers[i]) | ||
| } |
There was a problem hiding this comment.
Do you want to contin ue to precces the statement in the loop if there is an error?
WDYT to add a instructioncontinue if err != nil?
hostresolver/hostresolver.go
Outdated
| } | ||
|
|
||
| // CNAMEResolve resolve CNAME if exists, and return with the highest TTL | ||
| func (hr *HostResolver) CNAMEResolve(host string) *CNAMEResolv { |
There was a problem hiding this comment.
The method seems to be used only on this file.
WDYT to make it private?
refactor function visibility, add error logging fix loop control process
hostresolver/hostresolver.go
Outdated
| ResolvDepth int | ||
| } | ||
|
|
||
| // CNAMEResolv used for storing CNAME result |
There was a problem hiding this comment.
Please replace for storing by to store
hostresolver/hostresolver.go
Outdated
| Record string | ||
| } | ||
|
|
||
| // CNAMEFlatten check if CNAME records exists, flatten if possible |
There was a problem hiding this comment.
Do you mean records exist or record exists?
integration/hostresolver_test.go
Outdated
| c.Assert(err, checker.IsNil) | ||
| req.Host = "frontend1.docker.local" | ||
|
|
||
| err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasBody()) |
There was a problem hiding this comment.
Not sure, but this test only checks if the usual behavior is the same if the cnameflattening is enabled but it does not test if this one really works, it isn't?
Is it possible to add a test to check if CNAME flattening works or is it hard to check?
rules/rules.go
Outdated
| if types.CanonicalDomain(reqH) == types.CanonicalDomain(host) || types.CanonicalDomain(flatH) == types.CanonicalDomain(host) { | ||
| return true | ||
| } | ||
| } |
There was a problem hiding this comment.
WDYT to add a DEBUG log to indicate to user that the CNAMEFlattening did not allow resolving his domain?
# Conflicts: # Gopkg.toml # server/server.go
resolve conflict with master branch
What does this PR do?
Allow handling host rule with different names than the HOST header that comes in.
Motivation
I am working in a project that allow user masking their domain/subdomain to our domain. Previously, only able to serve request that have same host rule and host header that came.
Fixes #141
More
Additional Notes