
APIcast reuses the same HTTPS session for requests on different domains

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.3 GA, 2.4 GA, SaaS
    • Fix Version/s: 2.5.1
    • Component/s: Gateway

      Description

      When OpenID Connect is used and there are multiple OpenID Connect issuers on different subdomains that resolve to the same IP, APIcast reuses the same HTTPS session for all of them. This results in an SNI check failure on the issuer side, because the hostname sent via SNI (the one the session was opened for) and the hostname sent in the HTTP Host header are different.

      The logs in APIcast look as follows:

      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-one.example.com finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to  ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-one.example.com:443 established, reused times: 0
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:633: send_request(): 
      GET /auth/realms/realm-name/.well-known/openid-configuration HTTP/1.1
      >>> Request successful
      
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-one.example.com finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to  ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-one.example.com:443 established, reused times: 1
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:633: send_request(): 
      GET /auth/realms/realm-name/protocol/openid-connect/certs HTTP/1.1
      >>> Request successful
      
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-two.example.com finished with 1 answers
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to  ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-two.example.com:443 established, reused times: 2
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] http.lua:633: send_request(): 
      GET /auth/realms/realm-name/.well-known/openid-configuration HTTP/1.1
      >>> Request successful
      

      Note that the third request, to sudomain-two.example.com, reuses the connection that was established for sudomain-one.example.com (reused times: 2): the pool is keyed on the resolved IP, not on the hostname.

      This is reproduced in APIcast v3.3 and v3.4.
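As an added illustration (not APIcast code), the Python below models a keepalive pool keyed on the resolved IP, which reproduces the reuse counts in the log above, next to a pool keyed on scheme, host and port; the DNS table, the Pool class and the request sequence are constructed for the example.

```python
"""Added example (not APIcast code): a keepalive pool keyed on the resolved
IP lets one TLS session serve two SNI hosts; keying on scheme/host/port
does not. All names and the DNS table are constructed."""
from dataclasses import dataclass

# Constructed DNS table: both issuers resolve to the same address, as in the log.
DNS = {
    "sudomain-one.example.com": "213.214.215.216",
    "sudomain-two.example.com": "213.214.215.216",
}

@dataclass
class TlsConnection:
    ip: str
    port: int
    sni_host: str   # name sent in the TLS ClientHello; fixed for the session
    reused: int = 0

class Pool:
    def __init__(self, key_by_ip: bool):
        self.key_by_ip = key_by_ip
        self._conns = {}

    def _key(self, host, port, ip):
        # Buggy: key on (ip, port) only.  Fixed: include the SNI hostname.
        return (ip, port) if self.key_by_ip else ("https", host, port)

    def connect(self, host, port=443):
        ip = DNS[host]
        conn = self._conns.get(self._key(host, port, ip))
        if conn is None:
            conn = TlsConnection(ip, port, sni_host=host)
            self._conns[self._key(host, port, ip)] = conn
        else:
            conn.reused += 1
        return conn

def request(pool, host, path):
    """Return (sni_host, host_header, reused). A mismatch between the first
    two is exactly what the issuer's SNI/Host consistency check rejects."""
    conn = pool.connect(host)
    return conn.sni_host, host, conn.reused

def replay(key_by_ip):
    """Replay the three requests from the log against one pool."""
    pool = Pool(key_by_ip)
    seq = [("sudomain-one.example.com", "/auth/realms/realm-name/.well-known/openid-configuration"),
           ("sudomain-one.example.com", "/auth/realms/realm-name/protocol/openid-connect/certs"),
           ("sudomain-two.example.com", "/auth/realms/realm-name/.well-known/openid-configuration")]
    return [request(pool, h, p) for h, p in seq]
```

With `key_by_ip=True` the third request carries SNI `sudomain-one.example.com` but Host `sudomain-two.example.com` with `reused == 2`, matching the log; with the hostname in the key it gets its own session.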

      People

      • Assignee: Eloy Coto (ecotoper)
      • Reporter: Daria Mayorova (mayorova)
      • Developer: David Ortiz