haproxy obfuscated internal IP in routing cookie

The cookie currently returns the openshift internal pod IP address. This is a security issue as an attacker can develop a map of the pods in the cluster just by observing the returned cookie. This change returns a hash of the internal address and internal service name to obfuscate the internal information. The service name is configured when the service is created and is not visible to outside users. This in combination with the internal ip:port is hashed and presented in the cookie. addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1318796
openshift · Apr 4, 2016 · 3e5d176 · 3e5d176
1 parent 0eb3b28
commit 3e5d176
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
@@ -214,7 +214,7 @@ backend be_edge_http_{{$cfgIdx}}
   {{ end }}
   http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
                 {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
-  server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.ID}}
+  server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IDhash}}
                 {{ end }}
             {{ end }}
 
@@ -236,7 +236,7 @@ backend be_secure_{{$cfgIdx}}
   timeout check 5000ms
   cookie OPENSHIFT_REENCRYPT_{{$cfgIdx}}_SERVERID insert indirect nocache httponly secure
                 {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
-  server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.ID}}
+  server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IDhash}}
                 {{ end }}
             {{ end  }}
         {{ end  }}{{/* $serviceUnit.ServiceAliasConfigs*/}}

diff --git a/pkg/router/template/router.go b/pkg/router/template/router.go
@@ -2,6 +2,7 @@ package templaterouter
 
 import (
 	"encoding/json"
+	"crypto/md5"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -172,12 +173,20 @@ func newTemplateRouter(cfg templateRouterCfg) (*templateRouter, error) {
 
 func endpointsForAlias(alias ServiceAliasConfig, svc ServiceUnit) []Endpoint {
 	if len(alias.PreferPort) == 0 {
+		for i := range svc.EndpointTable {
+			endpoint := svc.EndpointTable[i]
+			s := endpoint.ID+endpoint.TargetName+endpoint.PortName
+			hash := md5.Sum([]byte(s))
+			svc.EndpointTable[i].IDhash = fmt.Sprintf("%x", hash)
+		}
 		return svc.EndpointTable
 	}
 	endpoints := make([]Endpoint, 0, len(svc.EndpointTable))
 	for i := range svc.EndpointTable {
 		endpoint := svc.EndpointTable[i]
 		if endpoint.PortName == alias.PreferPort || endpoint.Port == alias.PreferPort {
+			s := endpoint.ID+endpoint.TargetName+endpoint.PortName
+			endpoint.IDhash = fmt.Sprintf("%x", md5.Sum([]byte(s)))
 			endpoints = append(endpoints, endpoint)
 		}
 	}

diff --git a/pkg/router/template/types.go b/pkg/router/template/types.go
@@ -62,6 +62,7 @@ type Endpoint struct {
 	Port       string
 	TargetName string
 	PortName   string
+	IDhash     string
 }
 
 // certificateManager provides the ability to write certificates for a ServiceAliasConfig