  1. Red Hat 3scale API Management
  2. THREESCALE-10151

Camel Service policy doesn't send some headers set by APIcast to the API backend

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 2.13.2 GA
    • Gateway
    • False
    • None
    • False
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
      Use the Header Modification policy to add a request header `X-3scale-proxy-secret-token`.

      Tested in 3scale On-premises using apicast 3scale managed:

      1) Set up a proxy:

      $ oc rsh dc/apicast-staging
      sh-4.4$ cd /tmp
      sh-4.4$ curl --output mitmproxy-8.0.0-linux.tar.gz https://downloads.mitmproxy.org/8.0.0/mitmproxy-8.0.0-linux.tar.gz
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100 86.5M  100 86.5M    0     0  43.9M      0  0:00:01  0:00:01 --:--:-- 43.8M
      sh-4.4$ tar zxvf mitmproxy-8.0.0-linux.tar.gz 
      mitmproxy
      mitmdump
      mitmweb
      sh-4.4$ ./mitmdump -p 8888 --modify-headers "/~q/User-Agent/test" --verbose
      Proxy server listening at http://*:8888
      127.0.0.1:33730: client connect
      127.0.0.1:33730: server connect echo-api.3scale.net:443 (xx.xx.xx.xx:443)
      127.0.0.1:33730: GET https://echo-api.3scale.net/?user_key=<key>
          x-forwarded-for: xx.x.xx.xx
          accept: */*
          x-forwarded-host: api-3scale-apicast-staging.xx.apps.<wildcard>
          forwarded: for=xx.x.xx.xx;host=api-3scale-apicast-staging.xx.apps.<wildcard>;proto=https
          x-forwarded-proto: https
          host: echo-api.3scale.net
          x-forwarded-port: 443
          User-Agent: test
       << 200 OK 837b
          content-type: application/json
          x-3scale-echo-api: echo-api/1.0.3
          vary: Origin
          x-content-type-options: nosniff
          content-length: 837
          x-envoy-upstream-service-time: 1
          date: Wed, 13 Sep 2023 14:49:25 GMT
          server: envoy
      

      The User-Agent was changed to make sure the proxy was used.

      2) Configure the Camel Proxy in a Product: 

      all_proxy: http://127.0.0.1:8888

      3) Request to the staging environment with the Camel Service policy enabled: 

       $ curl -k "https://api-3scale-apicast-staging.xx.apps.<wildcard>:443/?user_key=<key>"
      {
        "method": "GET",
        "path": "/",
        "args": "user_key=<key>",
        "body": "",
        "headers": {
          "HTTP_VERSION": "HTTP/1.1",
          "HTTP_HOST": "echo-api.3scale.net",
          "HTTP_X_FORWARDED_FOR": "xx.xx.xx,xx. xxx.xxx.xxx",
          "HTTP_ACCEPT": "*/*",
          "HTTP_X_FORWARDED_HOST": "api-3scale-apicast-staging.xx.apps.<wildcard>",
          "HTTP_FORWARDED": "for=xxx.xx.xx;host=api-3scale-apicast-staging.xx.apps.<wildcard>;proto=https",
          "HTTP_X_FORWARDED_PROTO": "https",
          "HTTP_X_FORWARDED_PORT": "443",
          "HTTP_USER_AGENT": "test",
          "HTTP_X_ENVOY_EXTERNAL_ADDRESS": "xx.xxx.xxx.xxx",
          "HTTP_X_REQUEST_ID": "318f1c89-1238-49dd-868e-4d13ef1c7629",
          "HTTP_X_ENVOY_EXPECTED_RQ_TIMEOUT_MS": "15000"
        },
        "uuid": "6ede46eb-b527-4a86-8367-89501de99366"
      }
       

      4) Request without the Camel Service policy enabled:

      $ curl -k "https://api-3scale-apicast-staging.xx.apps.<wildcard>:443/?user_key=<key>"
      {
        "method": "GET",
        "path": "/",
        "args": "user_key=<key>",
        "body": "",
        "headers": {
          "HTTP_VERSION": "HTTP/1.1",
          "HTTP_HOST": "echo-api.3scale.net",
          "HTTP_X_REAL_IP": "YY.YYY.Y.Y",                                  <--------------------------- MISSING HEADER
          "HTTP_X_3SCALE_PROXY_SECRET_TOKEN": "Shared_secret_sent_from_proxy_to_API_backend_8827ff9564e3323c",  <----- MISSING HEADER
          "HTTP_USER_AGENT": "curl/8.0.1",
          "HTTP_ACCEPT": "*/*",
          "HTTP_X_FORWARDED_HOST": "api-3scale-apicast-staging.xx.apps.<wildcard>",
          "HTTP_X_FORWARDED_PORT": "443",
          "HTTP_X_FORWARDED_PROTO": "https",
          "HTTP_FORWARDED": "for=xx.x.xx.xx;host=api-3scale-apicast-staging.xx.apps.<wildcard>;proto=https",
          "HTTP_X_FORWARDED_FOR": "xx.xx.xx,xx. xxx.xxx.xxx",
          "HTTP_X_ENVOY_EXTERNAL_ADDRESS": "xx.xxx.xxx.xxx",
          "HTTP_X_REQUEST_ID": "d26e2b7b-6531-4b2a-b801-75da8a6bfa8d",
          "HTTP_X_ENVOY_EXPECTED_RQ_TIMEOUT_MS": "15000"
        },
        "uuid": "d5ef3d22-ff38-4675-9179-7fc9d21841f1"
      }
      

       


    Description

      Current behavior

      When adding the Camel Service policy to the APIcast policy chain, the request received by the API backend doesn't contain the header 'X-3scale-proxy-secret-token' that APIcast sets to protect the API backend. It doesn't send the `X-real-ip` header either.

      When using the Camel Service policy the API Backend can't be secured using the 'X-3scale-proxy-secret-token' header.

       

      Expected behavior
      When adding the Camel Service policy to the APIcast policy chain, APIcast should send all the headers set by APIcast to the API backend.
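
Added example, not part of the original report: a Python check that diffs two echo-API response bodies (as captured in steps 3 and 4) and reports which headers the backend stops receiving when the Camel Service policy is enabled. The function names, the volatile-header list and the sample bodies are assumptions constructed for illustration.

```python
import json

# Headers expected to differ between any two requests; left out of the diff.
VOLATILE = {"x-request-id", "x-envoy-expected-rq-timeout-ms"}
# Headers the report says APIcast sets for the backend.
GATEWAY_SET = {"x-3scale-proxy-secret-token", "x-real-ip"}

def normalize(echo_body):
    """Map echo-api keys such as HTTP_X_REAL_IP to header names (x-real-ip)."""
    out = {}
    for key, value in json.loads(echo_body)["headers"].items():
        if key == "HTTP_VERSION":  # protocol version, not a request header
            continue
        name = key[5:] if key.startswith("HTTP_") else key
        out[name.replace("_", "-").lower()] = value
    return out

def dropped_headers(baseline_body, candidate_body):
    """Compare the backend's view of a request with and without the policy."""
    base, cand = normalize(baseline_body), normalize(candidate_body)
    missing = sorted(set(base) - set(cand) - VOLATILE)
    shared = (set(base) & set(cand)) - VOLATILE
    return {
        "missing": missing,
        "missing_gateway_set": [h for h in missing if h in GATEWAY_SET],
        "changed": sorted(h for h in shared if base[h] != cand[h]),
    }

# Constructed sample bodies, abbreviated from the shape of the echo output in
# the report; the IP and token values are placeholders.
BASELINE = json.dumps({"headers": {
    "HTTP_VERSION": "HTTP/1.1", "HTTP_HOST": "echo-api.3scale.net",
    "HTTP_X_REAL_IP": "203.0.113.7",
    "HTTP_X_3SCALE_PROXY_SECRET_TOKEN": "<placeholder-secret>",
    "HTTP_USER_AGENT": "curl/8.0.1", "HTTP_ACCEPT": "*/*",
    "HTTP_X_FORWARDED_PROTO": "https", "HTTP_X_REQUEST_ID": "req-1"}})
VIA_CAMEL = json.dumps({"headers": {
    "HTTP_VERSION": "HTTP/1.1", "HTTP_HOST": "echo-api.3scale.net",
    "HTTP_ACCEPT": "*/*", "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_USER_AGENT": "test",  # rewritten by mitmdump --modify-headers
    "HTTP_X_REQUEST_ID": "req-2"}})

if __name__ == "__main__":
    report = dropped_headers(BASELINE, VIA_CAMEL)
    print(json.dumps(report, indent=2))
    # Non-zero exit lets a CI job fail when a gateway-set header is lost.
    raise SystemExit(1 if report["missing_gateway_set"] else 0)
```

Run against saved curl output from a staging route after any policy-chain change, the same comparison shows whether the backend can still rely on the shared-secret header.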

          People

            Unassigned
            rhn-support-avilatus Anna Vila Tusell