2 changes: 1 addition & 1 deletion images/router/haproxy/Dockerfile
Expand Up @@ -11,7 +11,7 @@ RUN INSTALL_PKGS="haproxy18" && \
yum clean all && \
mkdir -p /var/lib/haproxy/router/{certs,cacerts} && \
mkdir -p /var/lib/haproxy/{conf,run,bin,log} && \
touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_route_http_expose,os_route_http_redirect,cert_config,os_wildcard_domain}.map,haproxy.config} && \
touch /var/lib/haproxy/conf/{{os_http_be,os_edge_reencrypt_be,os_tcp_be,os_sni_passthrough,os_route_http_redirect,cert_config,os_wildcard_domain}.map,haproxy.config} && \
Ooh, I was just merging in these changes into my branch and I noticed the map is still called os_edge_http_be and not os_edge_reencrypt_be and it is still being referenced as "os_edge_http_be" in the use backend directives. So this PR needs changes.

This is now done, but github hasn't noticed.

setcap 'cap_net_bind_service=ep' /usr/sbin/haproxy && \
chown -R :0 /var/lib/haproxy && \
chmod -R g+w /var/lib/haproxy
89 changes: 28 additions & 61 deletions images/router/haproxy/conf/haproxy-config.template
Expand Up @@ -164,15 +164,7 @@ frontend public
acl secure_redirect base,map_reg(/var/lib/haproxy/conf/os_route_http_redirect.map) -m found
redirect scheme https if secure_redirect

# Check if it is an edge or reencrypt route exposed insecurely.
acl route_http_expose base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map) -m found
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map)] if route_http_expose

# map to http backend
# Search from most specific to general path (host case).
# Note: If no match, haproxy uses the default_backend, no other
# use_backend directives below this will be processed.
use_backend be_http:%[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]
Any reason why you only added be_http: and be_edge_http: to the map backend entry value and not for the redirect and tcp maps? It makes it inconsistent.

I left out the redirects because that is a specific operation that does not link to a use_backend statement. It determines whether to redirect based on whether there is an entry in the map.

No worries - I was just asking. I've made the change in my branch to make it consistent as part of the dynamic config changes anyway, so it's cool.


default_backend openshift_default

Expand Down Expand Up @@ -233,17 +225,11 @@ frontend fe_sni
# before matching, or any requests containing uppercase characters will never match.
http-request set-header Host %[req.hdr(Host),lower]

# check re-encrypt backends first - from most specific to general path.
acl reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found

# Search from most specific to general path (host case).
use_backend be_secure:%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt

# map to http backend
# map to backend
# Search from most specific to general path (host case).
# Note: If no match, haproxy uses the default_backend, no other
# use_backend directives below this will be processed.
use_backend be_edge_http:%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_reencrypt_be.map)]

default_backend openshift_default

Expand Down Expand Up @@ -274,17 +260,12 @@ frontend fe_no_sni
# before matching, or any requests containing uppercase characters will never match.
http-request set-header Host %[req.hdr(Host),lower]

# check re-encrypt backends first - path or host based.
acl reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found

# Search from most specific to general path (host case).
use_backend be_secure:%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt

# map to http backend
# map to backend
# Search from most specific to general path (host case).
# Note: If no match, haproxy uses the default_backend, no other
# use_backend directives below this will be processed.
use_backend be_edge_http:%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]
use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_reencrypt_be.map)]

default_backend openshift_default

Expand Down Expand Up @@ -494,46 +475,45 @@ backend be_tcp:{{$cfgIdx}}
{{ end -}}{{/* end if router allows wildcard routes */}}
{{ end -}}{{/* end wildcard domain map template */}}



{{/*
os_http_be.map: contains a mapping of www.example.com -> <service name>. This map is used to discover the correct backend
by attaching a prefix (be_http:) by use_backend statements if acls are matched.
os_http_be.map : contains a mapping of www.example.com -> <service name>. This map is used to discover the correct backend
by attaching a prefix: be_http for http routes
be_edge_http for edge routes with InsecureEdgeTerminationPolicy Allow
be_secure for reencrypt routes with InsecureEdgeTerminationPolicy Allow
*/}}
{{ define "/var/lib/haproxy/conf/os_http_be.map" -}}
{{ range $idx, $cfg := .State -}}
{{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "") -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_http:{{$idx}}
{{ end -}}
{{ end -}}
{{ end -}}{{/* end http host map template */}}

{{/*
os_edge_http_be.map: same as os_http_be.map but allows us to separate tls from non-tls routes to ensure we don't expose
a tls only route on the unsecure port
*/}}
{{ define "/var/lib/haproxy/conf/os_edge_http_be.map" -}}
{{ range $idx, $cfg := .State -}}
{{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "edge") -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
{{ if and (ne $cfg.Host "") (and (matchValues (print $cfg.TLSTermination) "edge" "reencrypt") (eq $cfg.InsecureEdgeTerminationPolicy "Allow")) -}}
{{ if (eq $cfg.TLSTermination "edge") -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_edge_http:{{$idx}}
{{ else -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_secure:{{$idx}}
{{ end -}}
{{ end -}}
{{ end -}}
{{ end -}}{{/* end edge http host map template */}}
{{ end -}}

{{/*
os_route_http_expose.map: contains a mapping of www.example.com -> <service name>.
Map is used to also expose edge terminated and reencrypt routes via an insecure scheme
(http) if acls match for routes with insecure option set to expose.
os_edge_reencrypt_be.map : contains a mapping of www.example.com -> <service name>. This map is similar to os_http_be.map but for tls routes.
by attaching prefix: be_edge_http for edge terminated routes
be_secure for reencrypt routes
*/}}
{{ define "/var/lib/haproxy/conf/os_route_http_expose.map" -}}
{{ define "/var/lib/haproxy/conf/os_edge_reencrypt_be.map" -}}
{{ range $idx, $cfg := .State -}}
{{ if and (ne $cfg.Host "") (and (matchValues (print $cfg.TLSTermination) "edge" "reencrypt") (eq $cfg.InsecureEdgeTerminationPolicy "Allow")) -}}
{{ if (eq $cfg.TLSTermination "edge") -}}
{{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "edge") -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_edge_http:{{$idx}}
{{ else -}}
{{ end -}}
{{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "reencrypt") -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_secure:{{$idx}}
{{ end -}}
{{ end -}}
{{ end -}}
{{ end -}}{{/* end edge and reencrypt expose http host map template */}}
{{ end -}}{{/* end edge http host map template */}}


{{/*
os_route_http_redirect.map: contains a mapping of www.example.com -> <service name>.
Expand Down Expand Up @@ -573,19 +553,6 @@ backend be_tcp:{{$cfgIdx}}
{{ end -}}
{{ end -}}{{/* end sni passthrough map template */}}


{{/*
os_reencrypt.map: marker that the host is configured to use a secure backend, allows the selection of a backend
that does specific checks that avoid mitm attacks: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-ssl
*/}}
{{ define "/var/lib/haproxy/conf/os_reencrypt.map" -}}
{{ range $idx, $cfg := .State -}}
{{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "reencrypt") -}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
{{ end -}}
{{ end -}}
{{ end -}}{{/* end reencrypt map template */}}

{{/*
cert_config.map: contains a mapping of <cert-file> -> example.org
This map is used to present the appropriate cert
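Review bot: The reason a reencrypt route must be emitted with the `be_secure:` prefix is no longer written down anywhere in the template after the last hunk of this file: the removed os_reencrypt.map comment (the one pointing at the haproxy 1.5 section 5.2 ssl options and the checks that avoid mitm) was the only place it was explained, and the new os_http_be.map and os_edge_reencrypt_be.map headers only list the prefixes. Now that the choice of backend is carried in the map value rather than guarded by a dedicated acl, a template edit that emits a reencrypt route under `be_edge_http:` would presumably route it to a backend without those server-side tls checks, and nothing in the comments warns about that. Suggest extending the prefix list in the os_edge_reencrypt_be.map header to `be_secure for reencrypt routes (backend does the ssl checks that avoid mitm: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-ssl)`, and the same wording on the os_http_be.map header. Separately, on the side shown here the os_http_be.map header describes be_edge_http and be_secure entries for routes with InsecureEdgeTerminationPolicy Allow, but the template body directly below it still only emits `be_http:` for routes with an empty TLSTermination; unless a later revision moves those entries in, the header should say which map actually holds them.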