
IP Check policy doesn't strip the port


Details

    • Bug
    • Resolution: Done
    • Major
    • 2.9 GA
    • 2.8 GA
    • Gateway

      As a workaround, it is possible to use the Header Modification policy before the IP Check policy with the following configuration. Note that `split: ':' | first` keeps only the text before the first colon, so this workaround is only suitable for IPv4 values; an IPv6 literal would be truncated.

      {
        "name": "headers",
        "version": "builtin",
        "configuration": {
          "request": [
            {
              "value_type": "liquid",
              "op": "set",
              "header": "X-Forwarded-For",
              "value": "{{ headers['x-forwarded-for'] | first | split: ':' | first}}"
            }
          ]
        }
      }
      
      curl -vk -H "X-Forwarded-For: 1.2.3.4:1234" "http://localhost:8080/employee?app_id=7bb9f339&app_key=f11473a24de209afac139c856a3f7a0a"
      
      {
        "services": [
          {
            "id": 2,
            "account_id": 2,
            "name": "Echo Api",
            "oneline_description": null,
            "description": "This is the echo API",
            "txt_api": null,
            "txt_support": null,
            "txt_features": null,
            "created_at": "2018-12-12T15:42:05+01:00",
            "updated_at": "2020-05-22T11:38:30+02:00",
            "logo_file_name": null,
            "logo_content_type": null,
            "logo_file_size": null,
            "state": "incomplete",
            "intentions_required": false,
            "draft_name": "",
            "infobar": null,
            "terms": null,
            "display_provider_keys": false,
            "tech_support_email": null,
            "admin_support_email": null,
            "credit_card_support_email": null,
            "buyers_manage_apps": true,
            "buyers_manage_keys": true,
            "custom_keys_enabled": true,
            "buyer_plan_change_permission": "request",
            "buyer_can_select_plan": false,
            "notification_settings": {
              "web_provider": [
                0,
                100
              ],
              "email_provider": [
                0,
                100
              ],
              "web_buyer": [
                0,
                100
              ],
              "email_buyer": [
                0,
                100
              ]
            },
            "default_application_plan_id": 2,
            "default_service_plan_id": 2,
            "tenant_id": 2,
            "system_name": "echo2",
            "backend_version": "2",
            "mandatory_app_key": true,
            "buyer_key_regenerate_enabled": true,
            "support_email": "admin@example.com",
            "referrer_filters_required": false,
            "deployment_option": "self_managed",
            "kubernetes_service_link": null,
            "act_as_product": false,
            "proxiable?": true,
            "backend_authentication_type": "service_token",
            "backend_authentication_value": "1234567879",
            "proxy": {
              "service_id": 2,
              "authentication_method": "2",
              "id": 109330,
              "lock_version": 105,
              "tenant_id": 2,
              "endpoint": "http://prod.echo.127.0.0.1.xip.io:8080",
              "deployed_at": null,
              "api_backend": "https://echo-api.3scale.net:443",
              "auth_app_key": "app_key",
              "auth_app_id": "app_id",
              "auth_user_key": "user_key",
              "credentials_location": "query",
              "error_auth_failed": "Authentication failed",
              "error_auth_missing": "Authentication parameters missing",
              "created_at": "2018-12-12T15:42:05+01:00",
              "updated_at": "2020-05-22T11:38:30+02:00",
              "error_status_auth_failed": 403,
              "error_headers_auth_failed": "text/plain; charset=us-ascii",
              "error_status_auth_missing": 403,
              "error_headers_auth_missing": "text/plain; charset=us-ascii",
              "error_no_match": "No Mapping Rule matched",
              "error_status_no_match": 404,
              "error_headers_no_match": "text/plain; charset=us-ascii",
              "secret_token": "Shared_secret_sent_from_proxy_to_API_backend",
              "hostname_rewrite": "",
              "oauth_login_url": null,
              "sandbox_endpoint": "http://stg.echo.127.0.0.1.xip.io:8080",
              "api_test_path": "/employee/",
              "api_test_success": null,
              "apicast_configuration_driven": true,
              "oidc_issuer_endpoint": null,
              "oidc_issuer_type": null,
              "error_headers_limits_exceeded": "text/plain; charset=us-ascii",
              "error_status_limits_exceeded": 429,
              "error_limits_exceeded": "Usage limit exceeded",
              "staging_domain": "stg.echo.127.0.0.1.xip.io",
              "production_domain": "prod.echo.127.0.0.1.xip.io",
              "hostname_rewrite_for_sandbox": "echo-api.3scale.net",
              "endpoint_port": 8080,
              "valid?": true,
              "service_backend_version": "2",
              "hosts": [
                "prod.echo.127.0.0.1.xip.io",
                "stg.echo.127.0.0.1.xip.io"
              ],
              "backend": {
                "endpoint": "https://su1.3scale.net",
                "host": "su1.3scale.net"
              },
              "policy_chain": [
                          {
                  "name": "ip_check",
                  "version": "builtin",
                  "configuration": {
                    "error_msg": "IP address not allowed",
                    "client_ip_sources": [
                      "X-Forwarded-For"
                    ],
                    "ips": [
                      "1.2.3.4",
                      "5.6.7.8"
                    ],
                    "check_type": "whitelist"
                  }
                },
                {
                  "name": "apicast",
                  "version": "builtin",
                  "configuration": {}
                }
              ],
              "jwt_claim_with_client_id": null,
              "jwt_claim_with_client_id_type": null,
              "proxy_rules": [
                {
                  "id": 2,
                  "proxy_id": 2,
                  "http_method": "GET",
                  "pattern": "/",
                  "metric_id": 2,
                  "metric_system_name": "hits",
                  "delta": 1,
                  "tenant_id": 2,
                  "created_at": "2020-05-22T11:31:18+02:00",
                  "updated_at": "2020-05-22T11:31:18+02:00",
                  "redirect_url": null,
                  "position": 4,
                  "last": false,
                  "owner_id": 2,
                  "owner_type": "Proxy",
                  "parameters": [],
                  "querystring_parameters": {}
                }
              ]
            }
          }
        ]
      }
      

    Description

      When the header the policy uses to {whitelist|blacklist} the request is in the form ip:port, the request is {not} allowed even if the ip is in the {whitelist|blacklist}. In other words, with a whitelist an allowed IP is rejected, and with a blacklist a blocked IP is let through.

      From the IETF spec it is not clear whether the port is expected in this header or not.

            People

              Unassigned Unassigned
              rhn-support-cpalmier Carlo Palmieri (Inactive)
              Jakub Smadis Jakub Smadis (Inactive)