chproxy icon indicating copy to clipboard operation
chproxy copied to clipboard
verified publisher icon ContentSquare

[BUG] host header on requests to ClickHouse

Open adiletkabylbekov opened this issue 1 year ago • 4 comments

We have env where connection to ClickHouse node goes throw NGINX reverse proxy, with custom server_name (virtual host) and acl on that, so CHProxy sends user requests throw that NGINX reverse proxy. CHProxy config:

server:
  http:
    listen_addr: "0.0.0.0:8080"
users:
- name: "user"
  password: "pass"
  to_user: "cl_user"
  to_cluster: "example_com"
clusters:
- name: "example_com"
  nodes: [ "example.com:80" ]
  heartbeat:
    request: "/?query=SELECT%201"
    response: "1\n"
  users:
  - name: "cl_user"
    password: "passs"

Faced behaviour when CHProxy sets invalid host header when serving http query to CH node, it's just resend header from user request

Example:

curl -v -d 'select now()' -X POST -H "X-ClickHouse-User: user" -H "X-ClickHouse-Key: pass" "http://chproxy.com:8080"
* About to connect() to chproxy.com port 8080 (#0)
*   Trying 10.10.10.4...
* Connected to chproxy.com (10.10.10.4) port 8080 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: chproxy.com:8080
> Accept: */*
> X-ClickHouse-User: user
> X-ClickHouse-Key: pass
> Content-Length: 12
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 12 out of 12 bytes
< HTTP/1.1 403 Forbidden
< Content-Length: 169
< Content-Type: text/html
< Date: Thu, 28 Mar 2024 08:09:10 GMT
< Server: nginx/1.12.1
< X-Cache: MISS
< 
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
* Connection #0 to host chproxy.com left intact

such request is rejected by NGINX alc because it was going to default virtual host (where another acl was configured), not to configured server_name, because 'host header' was not matched

if we added required host header to request to CHProxy, query was successfully maintained by CH node, cause it was passed all configs and acl on NGINX reverse proxy

curl -v -H "Host: example.com" -d 'select timezone()' -X POST -H "X-ClickHouse-User: user" -H "X-ClickHouse-Key: pass" "http://chproxy.com:8080"
* About to connect() to chproxy.com port 8080 (#0)
*   Trying 10.10.10.4...
* Connected to chproxy.com (10.10.10.4) port 8080 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Host: example.com
> X-ClickHouse-User: user
> X-ClickHouse-Key: pass
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 17 out of 17 bytes
< HTTP/1.1 200 OK
< Cache-Control: max-age=7200
< Content-Length: 14
< Content-Type: text/tab-separated-values; charset=UTF-8
< Date: Thu, 28 Mar 2024 07:06:43 GMT
< Server: nginx/1.12.1
< X-Cache: MISS
< X-Clickhouse-Format: TabSeparated
< X-Clickhouse-Query-Id: 17C09936B0D3ACBF
< X-Clickhouse-Server-Display-Name: ch3.i
< X-Clickhouse-Summary: {"read_rows":"1","read_bytes":"1","written_rows":"0","written_bytes":"0","total_rows_to_read":"0","result_rows":"0","result_bytes":"0"}
< X-Clickhouse-Timezone: Asia/Bishkek
< 
Asia/Bishkek
* Connection #0 to host 10.10.10.4 left intact

I guess need to rewrite host header on requests from CHProxy to ClickHouse to proper value

adiletkabylbekov avatar Mar 28 '24 08:03 adiletkabylbekov

Hi, did you look at these reverse proxy settings ?

mga-chka avatar Mar 29 '24 17:03 mga-chka

Hi, did you look at these reverse proxy settings ?

that setting is related to env where chproxy behind proxy, our case is request to ClickHouse goes throw proxy it's not same things

adiletkabylbekov avatar Apr 01 '24 14:04 adiletkabylbekov

my bad, I read the issue to face. In this case. This issue is quite specific and the core maintainers don't have a lot of time to work on chproxy. So, feel free to add the feature in the code and we'll review the PR.

mga-chka avatar Apr 03 '24 07:04 mga-chka