Change order of use_backend haproxy.tmpl #1109
Comments
Hi, can you describe a bit more about your need? How your ingress resources are configured, what the request looks like. The hostname in the SNI extension is not supposed to be used to route requests, but instead to choose a proper server certificate for the TLS handshake. Note also that it's a common practice for an HTTP client (e.g. browsers), over H2 connections, to reuse the same TCP connection for requests with distinct hostnames, leading to requests with distinct values between SNI and Host header, the Host header being the correct one to be used. The proposed configuration change might lead to wrong routing and maybe to a security issue depending on the ingress configurations.
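The SNI/Host divergence described in the comment above, as an added example that is not part of the original thread or the project's code: a simplified Python model (not HAProxy's matching logic) that compares SNI-first and Host-first rule order over a reused connection. The hostnames, backend names and map contents are constructed assumptions.

```python
# Added illustration: a simplified model, not HAProxy's actual matching logic.
# All hostnames, backend names and map contents are constructed.

# Assumption: the mTLS host lives only in the SNI map, other hosts in the Host map.
SNI_MAP = {"mtls.example.test": "backend_mtls"}
HOST_MAP = {"app.example.test": "backend_app"}


def route(sni, host, sni_first):
    """Return the backend picked for one request under the given rule order."""
    lookups = [(SNI_MAP, sni), (HOST_MAP, host)]
    if not sni_first:
        lookups.reverse()
    for table, key in lookups:
        if key in table:
            return table[key]          # first matching rule wins
    return "default_backend"


def audit(requests):
    """List requests whose backend depends on the rule order.

    Each finding is (sni, host, backend_host_first, backend_sni_first).
    """
    findings = []
    for sni, host in requests:
        by_host = route(sni, host, sni_first=False)
        by_sni = route(sni, host, sni_first=True)
        if sni != host and by_host != by_sni:
            findings.append((sni, host, by_host, by_sni))
    return findings


# Constructed (SNI, Host header) pairs. The second one models a client that
# opened the TLS connection for the mTLS host and reused it for another host.
REQUESTS = [
    ("mtls.example.test", "mtls.example.test"),
    ("mtls.example.test", "app.example.test"),
    ("app.example.test", "app.example.test"),
]

if __name__ == "__main__":
    for sni, host, by_host, by_sni in audit(REQUESTS):
        print(f"SNI={sni} Host={host}: host-first={by_host} sni-first={by_sni}")
```

Running the same comparison over real (SNI, Host) pairs taken from access logs shows which requests would change backend before a rule-order change is rolled out.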
To give you more insight, the context for this issue is:
Since But since one of the endpoints uses mTLS, its mapping is being stored on the SNI mapping instead of the Host mapping. Jesse's suggestion is just the simplest way we could go to solve this; any solution from changing the order, making the order configurable or even allowing us to specify the regex and match type for the host (instead of only basing it on the host) would work for us. Let me know if this gives you enough information or if you need any further details.
Hi, thanks for the clarification. The detailed description of your use case led me to identify a missing piece in the frontend configuration that I think should be there. Can you folks share the ingress resources you are using? Better if using fake, but semantically compatible with the real data. Those resources along with the provided descriptions should be enough for me to create an e2e test covering the expectations. Maybe we can fix this behavior for you in the code. In the meantime I think you can safely overwrite the template file and change the order of the use_backend evaluation. The SNI validation I was worried about happens in another place of the template, so changing the order should be safe, except for some unexpected behavior change in other routing you might have in your cluster.
Hey, sorry for the delayed response. Below are the details you requested. First let me just define the 2 external services:
Ingress objects: Ingress Yaml:
Please let me know if you need anything else.
What are you trying to do
We require that the SNIBACKEND come before the HOSTBACKEND on the frontend configuration.
What HAProxy Ingress should do or how it should behave differently
This would require a change in the haproxy.tmpl
https://github.com/jcmoraisjr/haproxy-ingress/blob/v0.14.6/rootfs/etc/templates/haproxy/haproxy.tmpl
Original code:
New code:
Would this be feasible @jcmoraisjr or do you suggest another way to attack our problem?