  1. Red Hat 3scale API Management
  2. THREESCALE-10151

Camel Service policy doesn't send some headers set by APIcast to the API backend


    • Bug
    • Resolution: Unresolved
    • Major
    • 2.13.2 GA
    • Gateway

      Use the Header Modification policy to add a request header `X-3scale-proxy-secret-token`.

      Tested on 3scale On-premises using 3scale-managed APIcast:

      1) Set up a proxy:

      $ oc rsh dc/apicast-staging
      sh-4.4$ cd /tmp
      sh-4.4$ curl --output mitmproxy-8.0.0-linux.tar.gz https://downloads.mitmproxy.org/8.0.0/mitmproxy-8.0.0-linux.tar.gz
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100 86.5M  100 86.5M    0     0  43.9M      0  0:00:01  0:00:01 --:--:-- 43.8M
      sh-4.4$ tar zxvf mitmproxy-8.0.0-linux.tar.gz 
      mitmproxy
      mitmdump
      mitmweb
      sh-4.4$ ./mitmdump -p 8888 --modify-headers "/~q/User-Agent/test" --verbose
      Proxy server listening at http://*:8888
      127.0.0.1:33730: client connect
      127.0.0.1:33730: server connect echo-api.3scale.net:443 (xx.xx.xx.xx:443)
      127.0.0.1:33730: GET https://echo-api.3scale.net/?user_key=<key>
          x-forwarded-for: xx.x.xx.xx
          accept: */*
          x-forwarded-host: api-3scale-apicast-staging.xx.apps.<wildcard>
          forwarded: for=xx.x.xx.xx;host=api-3scale-apicast-staging.xx.apps.<wildcard>;proto=https
          x-forwarded-proto: https
          host: echo-api.3scale.net
          x-forwarded-port: 443
          User-Agent: test
       << 200 OK 837b
          content-type: application/json
          x-3scale-echo-api: echo-api/1.0.3
          vary: Origin
          x-content-type-options: nosniff
          content-length: 837
          x-envoy-upstream-service-time: 1
          date: Wed, 13 Sep 2023 14:49:25 GMT
          server: envoy
      

      The User-Agent was changed to make sure the proxy was used.

      2) Configure the Camel Proxy in a Product: 

      all_proxy: http://127.0.0.1:8888

      3) Request to the staging environment with the Camel Service policy enabled: 

       $ curl -k "https://api-3scale-apicast-staging.xx.apps.<wildcard>:443/?user_key=<key>"
      {
        "method": "GET",
        "path": "/",
        "args": "user_key=<key>",
        "body": "",
        "headers": {
          "HTTP_VERSION": "HTTP/1.1",
          "HTTP_HOST": "echo-api.3scale.net",
          "HTTP_X_FORWARDED_FOR": "xx.xx.xx,xx. xxx.xxx.xxx",
          "HTTP_ACCEPT": "*/*",
          "HTTP_X_FORWARDED_HOST": "api-3scale-apicast-staging.xx.apps.<wildcard>",
          "HTTP_FORWARDED": "for=xxx.xx.xx;host=api-3scale-apicast-staging.xx.apps.<wildcard>;proto=https",
          "HTTP_X_FORWARDED_PROTO": "https",
          "HTTP_X_FORWARDED_PORT": "443",
          "HTTP_USER_AGENT": "test",
          "HTTP_X_ENVOY_EXTERNAL_ADDRESS": "xx.xxx.xxx.xxx",
          "HTTP_X_REQUEST_ID": "318f1c89-1238-49dd-868e-4d13ef1c7629",
          "HTTP_X_ENVOY_EXPECTED_RQ_TIMEOUT_MS": "15000"
        },
        "uuid": "6ede46eb-b527-4a86-8367-89501de99366"
      }
       

      4) Request without the Camel Service policy enabled:

      $ curl -k "https://api-3scale-apicast-staging.xx.apps.<wildcard>:443/?user_key=<key>"
      {
        "method": "GET",
        "path": "/",
        "args": "user_key=<key>",
        "body": "",
        "headers": {
          "HTTP_VERSION": "HTTP/1.1",
          "HTTP_HOST": "echo-api.3scale.net",
          "HTTP_X_REAL_IP": "YY.YYY.Y.Y",                                  <--------------------------- MISSING HEADER
          "HTTP_X_3SCALE_PROXY_SECRET_TOKEN": "Shared_secret_sent_from_proxy_to_API_backend_8827ff9564e3323c",  <----- MISSING HEADER
          "HTTP_USER_AGENT": "curl/8.0.1",
          "HTTP_ACCEPT": "*/*",
          "HTTP_X_FORWARDED_HOST": "api-3scale-apicast-staging.xx.apps.<wildcard>",
          "HTTP_X_FORWARDED_PORT": "443",
          "HTTP_X_FORWARDED_PROTO": "https",
          "HTTP_FORWARDED": "for=xx.x.xx.xx;host=api-3scale-apicast-staging.xx.apps.<wildcard>;proto=https",
          "HTTP_X_FORWARDED_FOR": "xx.xx.xx,xx. xxx.xxx.xxx",
          "HTTP_X_ENVOY_EXTERNAL_ADDRESS": "xx.xxx.xxx.xxx",
          "HTTP_X_REQUEST_ID": "d26e2b7b-6531-4b2a-b801-75da8a6bfa8d",
          "HTTP_X_ENVOY_EXPECTED_RQ_TIMEOUT_MS": "15000"
        },
        "uuid": "d5ef3d22-ff38-4675-9179-7fc9d21841f1"
      }
      

       


      Current behavior

      When the Camel Service policy is added to the APIcast policy chain, the request received by the API backend doesn't contain the `X-3scale-proxy-secret-token` header that APIcast sets to protect the API backend. It doesn't send the `X-real-ip` header either.

      When using the Camel Service policy, the API backend can't be secured using the `X-3scale-proxy-secret-token` header.

       

      Expected behavior
      When adding the Camel Service policy to the APIcast policy chain, APIcast should send all the headers set by APIcast to the API backend.
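
A regression check for the behaviour described above, as an added example that is not part of the original report or of 3scale's code: it compares the header sets echoed by the backend on the two routes and reports which gateway-set headers were lost, by name only so the shared secret never reaches a log. The function names and the sample bodies are assumptions constructed for illustration.

```python
import json
import sys

# Headers the report shows APIcast adding for the backend.
REQUIRED = ("x-3scale-proxy-secret-token", "x-real-ip")

def echoed_headers(echo_body):
    """Turn the echo API's CGI-style keys (HTTP_X_REAL_IP) into header names."""
    raw = json.loads(echo_body).get("headers", {})
    return {k[5:].replace("_", "-").lower(): v
            for k, v in raw.items() if k.startswith("HTTP_")}

def missing_at_backend(baseline_body, candidate_body, required=REQUIRED):
    """Compare what the backend saw on two routes; report names only, never values."""
    base = echoed_headers(baseline_body)
    cand = echoed_headers(candidate_body)
    return {
        "dropped": sorted(set(base) - set(cand)),
        "required_missing": sorted(h for h in required if h not in cand),
    }

# Constructed sample bodies, trimmed from the shape of the two responses above.
WITHOUT_CAMEL = json.dumps({"method": "GET", "headers": {
    "HTTP_HOST": "echo-api.3scale.net",
    "HTTP_X_REAL_IP": "192.0.2.10",
    "HTTP_X_3SCALE_PROXY_SECRET_TOKEN": "example-secret",
    "HTTP_USER_AGENT": "curl/8.0.1",
    "HTTP_X_FORWARDED_PROTO": "https"}})
WITH_CAMEL = json.dumps({"method": "GET", "headers": {
    "HTTP_HOST": "echo-api.3scale.net",
    "HTTP_USER_AGENT": "test",
    "HTTP_X_FORWARDED_PROTO": "https"}})

if __name__ == "__main__":
    result = missing_at_backend(WITHOUT_CAMEL, WITH_CAMEL)
    print(json.dumps(result, indent=2))
    # Non-zero exit lets a pipeline fail when a protective header is lost.
    sys.exit(1 if result["required_missing"] else 0)
```

Feeding it the saved bodies of the two curl requests from steps 3 and 4 gives the same comparison for a live gateway.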

            Unassigned
            rhn-support-avilatus Anna Vila Tusell