Allow wildcard port in route host/from #4460

Closed · caesay opened this issue Aug 14, 2023 · 7 comments


caesay commented Aug 14, 2023

This is similar to #1677 and the merged #4131 which allows you to use wildcards in the 'from' route property. Also related to: #659

Is your feature request related to a problem? Please describe.
I have devices accessing the proxy via various local networks, and also remotely from behind other proxies. Pomerium runs/listens on port 8443. If accessing the proxy externally, generally you access via port 443 - which is then forwarded to 8443 on the local network by another proxy. If a device needs to access the proxy on the same local network, then they will directly use 8443. In some occasional cases, ports need to be re-mapped between local networks, so the client may access on even other ports.

Currently, to support this you would need to create a route for each possible port to the same service, and copy over any additional route configuration (such as access policies, headers etc):

```yaml
  - from: https://one.example.com
    to: local.service
  - from: https://one.example.com:443
    to: local.service
  - from: https://one.example.com:8443
    to: local.service
  - from: https://one.example.com:18443
    to: local.service
```

This duplication needs to be done for each route/service, and can get particularly erroneous if the routes have complicated access policies and request/response rewriting.

Describe the solution you'd like
It would be good if you could define multiple "from" addresses, or use wildcards and/or regexes that also cover the port number in the host address.

For example, a solution using multiple "from" addresses, requiring you to spell out each port but share access policies and request rewriting properties -

```yaml
  - from:
      - https://one.example.com
      - https://one.example.com:8443
      - https://one.example.com:18443
    to: local.service
```

Or a solution using a wildcard (not covered by the current implementation in #4131):

```yaml
  - from: https://one.example.com:*
    to: local.service
```

Or a solution using regexes (not covered by the specification in #659):

```yaml
  - from: https://one.example.com:(\d*)
    to: local.service
```
@kenjenkins (Contributor):

I wonder if we can ignore the port number entirely (or perhaps ignore it unless specified explicitly). I believe Pomerium doesn't currently listen on multiple ports, so I'm not sure when you'd want it to make a distinction between different port numbers.


wasaga commented Aug 14, 2023

@kenjenkins if the server is configured to listen on port 8443 (address: ":8443") while running behind a TCP load balancer that forwards requests arriving at one.example.com:443 to the Pomerium host:8443, your from should look like https://one.example.com.

However, if Pomerium is exposed directly to the internet, and is still running on port 8443, then your from must be https://one.example.com:8443.


caesay commented Aug 15, 2023

I agree @kenjenkins, providing an option to ignore the port in route matching would be a simple solution to the problem and would work perfectly.

@wasaga The problem for me is that clients will arrive at Pomerium with both :443 and :8443 in the Host header, so it does not matter what I put in the address: or from: setting; there is no combination of these two settings which will solve my problem.

To ignore the port, is the envoy setting strip_any_host_port the solution?

desimone added the labels help wanted, NeedsInvestigation and NeedsMoreData on Aug 28, 2023.
github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) on Sep 5, 2023.
@kenjenkins (Contributor):

I'm not sure why the GitHub action closed this issue.

I do think it could be worthwhile to provide an option for this. I don't see an easy way to make this configurable per route, but I think it wouldn't be too hard to implement a global configuration option for setting Envoy's strip_any_host_port.

@calebdoxsey (Contributor):

A change to support this will be in v26. The new behavior is that if a route does not have a port:

```yaml
  - from: https://one.example.com
    to: local.service
```

a request on any incoming port will match that route, so there's no need to specify a list. That single route will by default match

- https://one.example.com
- https://one.example.com:8443
- https://one.example.com:18443

and any other port.
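The port-matching rule described in this comment (and the list of ports from the original request), as an added Go model written for this page rather than Pomerium's own code; `Route`, `splitHost` and `MatchRoute` are illustrative names, and the legacy default port is assumed to be 443 (https only):

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Route is a minimal model of a Pomerium route (illustrative, not Pomerium's own type).
type Route struct {
	From string // e.g. "https://one.example.com" or "https://one.example.com:8443"
	To   string
}

// splitHost separates a request Host header into host and optional port
// (bracketed IPv6 literals such as "[::1]:8443" are handled by net.SplitHostPort).
func splitHost(h string) (string, string) {
	if host, port, err := net.SplitHostPort(h); err == nil {
		return host, port
	}
	return strings.Trim(h, "[]"), "" // no port in the Host header
}
// MatchRoute returns the first route whose "from" URL matches the request Host.
// matchAnyIncomingPort=true models the v0.26 default from the thread: a "from" without
// a port matches any incoming port, while an explicit port must match exactly.
// matchAnyIncomingPort=false models the legacy behaviour, where a port-less https
// "from" matches only the default port 443 (or a Host header without a port).
func MatchRoute(routes []Route, reqHost string, matchAnyIncomingPort bool) (Route, bool) {
	host, port := splitHost(reqHost)
	for _, r := range routes {
		u, err := url.Parse(r.From)
		if err != nil || !strings.EqualFold(u.Hostname(), host) {
			continue
		}
		fromPort := u.Port()
		if fromPort == "" && !matchAnyIncomingPort {
			fromPort = "443" // legacy: implicit scheme default (https assumed here)
		}
		if fromPort == "" || port == fromPort || (port == "" && fromPort == "443") {
			return r, true
		}
	}
	return Route{}, false
}
func main() {
	routes := []Route{{From: "https://one.example.com", To: "local.service"}}
	_, ok := MatchRoute(routes, "one.example.com:18443", true)
	fmt.Println("one.example.com:18443 matches the port-less route:", ok) // true
}
```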

calebdoxsey added the backend label and removed help wanted and NeedsInvestigation on Apr 29, 2024.

@kenjenkins (Contributor):

@ssveta7ak, to verify:

  1. Configure Core to listen on a non-standard port (e.g. 8443), and configure a route without a port number in the from URL. In the config.yaml file this would be something like this:

```yaml
address: ':8443'

routes:
  - from: https://verify.localhost.pomerium.io
    to: https://verify.pomerium.com
    allow_any_authenticated_user: true
```

  2. Navigate to https://verify.localhost.pomerium.io:8443 in the browser. The request should go through to the verify app.

  3. Disable the new behavior by adding these lines to the config.yaml file:

```yaml
runtime_flags:
  match_any_incoming_port: false
```

  4. Navigate to https://verify.localhost.pomerium.io:8443 again. You should see a 404 route not found error page from Pomerium.

@ssveta7ak:

Implemented. Checked on pomerium: 0.26.0-1715969560+adb5f781
