Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect header name validation in routing rules #766

Closed
pleshakov opened this issue Jun 16, 2023 · 0 comments · Fixed by #1239
Closed

Incorrect header name validation in routing rules #766

pleshakov opened this issue Jun 16, 2023 · 0 comments · Fixed by #1239
Assignees
@bjee19
Labels
bug Something isn't working good first issue Good for newcomers
Milestone
v1.1.0

Comments

@pleshakov
Copy link
Contributor

Describe the bug
Gateway API header validation is defined here
NKG validates header names using this rule, which is permissive and disallow values that make NGINX fail to reload.

However, NGINX when processing request headers, applies much stricter validation rules - only allows alpha-number chars and -. See this comment #717 (comment) Note: in NGINX, you can also allow undescores in headers, but we don't support that in NKG.

When NGINX encounter such headers, it drops them printing in the error log a message like below:

2023/06/16 22:44:05 [info] 70#70: *17 client sent invalid header line: "version%!:v2" while reading client request headers, client: 127.0.0.1, server: cafe.example.com, request: "GET /coffee HTTP/1.1", host: "cafe.example.com:8080"

So the routing rules with invalid headers will not work as expected

To Reproduce
Steps to reproduce the behavior:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /coffee
    backendRefs:
    - name: coffee-v1-svc
      port: 80
  - matches:
    - path:
        type: PathPrefix
        value: /coffee
      headers:
      - name: version%! # valid from Gateway API and current NKG perspective
        value: v2
    - path:
        type: PathPrefix
        value: /coffee
      queryParams:
      - name: TEST
        value: v2
    backendRefs:
    - name: coffee-v2-svc
      port: 80

This request is not routed as expected (to v2), because NGINX will drop the header version%!

curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee -H 'version%!:v2'
Server address: 10.244.0.9:8080
Server name: coffee-v1-58f4c685db-jpsqk
Date: 16/Jun/2023:22:41:51 +0000
URI: /coffee
Request ID: 390384c7f082f2d03468594dec85f7e9

Expected behavior

Make NKG reject invalid from NGINX perspective header names so that the error is visible in the HTTPRoute status.

Your environment

  • NKG edge

Additional context
Add any other context about the problem here. Any log files you want to share.
@mpstefan mpstefan added the bug Something isn't working label Jun 21, 2023
@mpstefan mpstefan added this to the v1.0.0 milestone Jun 21, 2023
@mpstefan mpstefan modified the milestones: v1.0.0, v1.0.1 Aug 11, 2023
@sjberman sjberman added the good first issue Good for newcomers label Sep 6, 2023
@mpstefan mpstefan modified the milestones: v1.0.1, v1.1.0 Sep 22, 2023
@bjee19 bjee19 self-assigned this Nov 1, 2023
@bjee19 bjee19 mentioned this issue Nov 9, 2023
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bjee19 bjee19

Labels
bug Something isn't working good first issue Good for newcomers
Projects
NGINX Gateway Fabric
Archived in project
Milestone
v1.1.0
Development

Successfully merging a pull request may close this issue.

Correct header name validation bjee19/nginx-gateway-fabric
4 participants
@pleshakov @mpstefan @sjberman @bjee19