Merge pull request #8334 from pecameron/bz1318796

Merged by openshift-bot
openshift · Apr 19, 2016 · 2d4cec7 · 2d4cec7
2 parents 7ac4cfa + 36c680b
commit 2d4cec7
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 6 deletions.
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
@@ -214,7 +214,7 @@ backend be_edge_http_{{$cfgIdx}}
   {{ end }}
   http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
                 {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
-  server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.ID}}
+  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IdHash}}
                 {{ end }}
             {{ end }}
 
@@ -236,7 +236,7 @@ backend be_secure_{{$cfgIdx}}
   timeout check 5000ms
   cookie OPENSHIFT_REENCRYPT_{{$cfgIdx}}_SERVERID insert indirect nocache httponly secure
                 {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
-  server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.ID}}
+  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IdHash}}
                 {{ end }}
             {{ end  }}
         {{ end  }}{{/* $serviceUnit.ServiceAliasConfigs*/}}

diff --git a/pkg/router/template/plugin.go b/pkg/router/template/plugin.go
@@ -1,6 +1,7 @@
 package templaterouter
 
 import (
+	"crypto/md5"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -230,6 +231,14 @@ func createRouterEndpoints(endpoints *kapi.Endpoints, excludeUDP bool) []Endpoin
 				} else {
 					ep.TargetName = ep.IP
 				}
+
+				// IdHash contains an obfuscated internal IP address
+				// that is the value passed in the cookie. The IP address
+				// is made more difficult to extract by including other
+				// internal information in the hash.
+				s := ep.ID + ep.TargetName + ep.PortName
+				ep.IdHash = fmt.Sprintf("%x", md5.Sum([]byte(s)))
+
 				out = append(out, ep)
 			}
 		}

diff --git a/pkg/router/template/router_test.go b/pkg/router/template/router_test.go
@@ -1,6 +1,7 @@
 package templaterouter
 
 import (
+	"crypto/md5"
 	"fmt"
 	"testing"
 
@@ -47,9 +48,10 @@ func TestAddEndpoints(t *testing.T) {
 	}
 
 	endpoint := Endpoint{
-		ID:   "ep1",
-		IP:   "ip",
-		Port: "port",
+		ID:     "ep1",
+		IP:     "ip",
+		Port:   "port",
+		IdHash: fmt.Sprintf("%x", md5.Sum([]byte("ep1ipport"))),
 	}
 
 	router.AddEndpoints(suKey, []Endpoint{endpoint})
@@ -63,7 +65,7 @@ func TestAddEndpoints(t *testing.T) {
 			t.Errorf("Expected endpoint table to contain 1 entry")
 		} else {
 			actualEp := su.EndpointTable[0]
-			if endpoint.IP != actualEp.IP || endpoint.Port != actualEp.Port {
+			if endpoint.IP != actualEp.IP || endpoint.Port != actualEp.Port || endpoint.IdHash != actualEp.IdHash {
 				t.Errorf("Expected endpoint %v did not match actual endpoint %v", endpoint, actualEp)
 			}
 		}

diff --git a/pkg/router/template/types.go b/pkg/router/template/types.go
@@ -62,6 +62,7 @@ type Endpoint struct {
 	Port       string
 	TargetName string
 	PortName   string
+	IdHash     string
 }
 
 // certificateManager provides the ability to write certificates for a ServiceAliasConfig