Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-7967

APIcast does not support using a proxy to connect with upstreams not defined as Private Base URL

    • False
    • False
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Hide

      in APIcast, configure:
      THREESCALE_PORTAL_ENDPOINT=https://<ACCESS_TOKEN>@<EXTERNAL_ROUTE>:443/master/api/proxy/configs
      HTTPS_PROXY=<SOME_PROXY>

      Show
      in APIcast, configure: THREESCALE_PORTAL_ENDPOINT=https://<ACCESS_TOKEN>@<EXTERNAL_ROUTE>:443/master/api/proxy/configs HTTPS_PROXY=<SOME_PROXY>

      When APIcast is configured with https_proxy, and the environment variable THREESCALE_PORTAL_ENDPOINT is configured to the value of the OpenShift route, the connection to fetch the json configuration will go through the proxy, however DNS resolution is still performed on the gateway, so the proxy will receive a CONNECT request similar to the following:

      CONNECT 165.71.36.168:80 HTTP/1.1
      Host: server.example.com:80
      

      According to the spec: https://httpwg.org/specs/rfc7231.html#CONNECT and https://httpwg.org/specs/rfc7230.html#request-target

      We would expect the DNS resolution to be offloaded to the proxy, and the CONNECT to look like:

      CONNECT server.example.com:80 HTTP/1.1
      Host: server.example.com:80
      

      The expected behaviour matches what we currently do in our http_proxy policy, where no resolution is applied on APIcast.

      The same should apply for request to the 3scale backend.

            [THREESCALE-7967] APIcast does not support using a proxy to connect with upstreams not defined as Private Base URL

            CPaaS Service Account mentioned this issue in a merge request of 3scale / Apicast Midstream on branch 3scale-2.12-dev-rhel-8_upstream_14f352a9077a67bad5d063a71dd685b5:

            Updated US source to: 4bd6d46 Merge pull request #1333 from samugi/THREESCALE-8000

            GitLab CEE Bot added a comment - CPaaS Service Account mentioned this issue in a merge request of 3scale / Apicast Midstream on branch 3scale-2.12-dev-rhel-8_ upstream _14f352a9077a67bad5d063a71dd685b5 : Updated US source to: 4bd6d46 Merge pull request #1333 from samugi/THREESCALE-8000

            Kevin Price added a comment - - edited

            Reduced priority to Minor as this is an edge case where it's not common to put a proxy between APIcast & 3scale but it's still a valid issue and incorrect behaviour from an APIcast point of view. Moving to backlog.

            UPDATE: Bumped this to Critical becuase more customers are now hitting this issue so even though it seemed like an edge case it's important for 2 customers already and according to the specification APIcast's behaviour is non-compliant.

            Kevin Price added a comment - - edited Reduced priority to Minor as this is an edge case where it's not common to put a proxy between APIcast & 3scale but it's still a valid issue and incorrect behaviour from an APIcast point of view. Moving to backlog. UPDATE: Bumped this to Critical becuase more customers are now hitting this issue so even though it seemed like an edge case it's important for 2 customers already and according to the specification APIcast's behaviour is non-compliant.

              Unassigned Unassigned
              rhn-support-sillumin Samuele Illuminati (Inactive)
              Jakub Urban Jakub Urban (Inactive)
              Kevin Price Kevin Price
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: