
Added gateway server snis

Open hzxuzhonghu opened this issue 3 years ago • 6 comments

FYI https://discuss.istio.io/t/http-404-when-authority-and-requested-server-name-are-different/10713

This is to handle cases where SNI and Host are not equal.

@ramaraochavali

hzxuzhonghu avatar Sep 08 '22 07:09 hzxuzhonghu

@hzxuzhonghu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: release-notes_api
Commit: 55956089844669dfe59af91410122fdd01c1e6aa (link)
Required: false
Rerun command: /test release-notes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

istio-testing avatar Sep 08 '22 08:09 istio-testing

It is a small option, I think; to be consistent with https://github.com/istio/api/blob/master/networking/v1alpha3/destination_rule.pb.go#L1562. We should do

hzxuzhonghu avatar Sep 09 '22 01:09 hzxuzhonghu

I thought if I define all those names as hostnames, it will generate the SNI filters?

I.e. if I define hostnames: example.com, foo.com, it wouldn't work if the generated config didn't recognize both domains as SNI names.

On Fri, Sep 9, 2022 at 9:43 AM John Howard wrote:

In networking/v1alpha3/gateway.proto https://github.com/istio/api/pull/2477#discussion_r967272235:

@@ -728,4 +728,10 @@ message ServerTLSSettings { // Optional: If specified, only support the specified cipher list. // Otherwise default to the default cipher list supported by Envoy. repeated string cipher_suites = 9;

  • // An optional list of server names (e.g. SNI for TLS protocol) to consider when determining
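Review bot: the new field comment stops at "to consider when determining" and, as visible in this hunk, does not say how the listed server names relate to the server's existing hostnames: whether they only widen which TLS server names select this server's filter chain, or whether they also relax the requirement (discussed later in this thread) that the HTTP Host match the configured hostnames. State that explicitly in the comment, and say that SNI and Host are matched separately, because an option that admits additional SNIs is easy to misread as decoupling SNI from Host routing.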

This is not currently possible in the gateway-api BTW


costinm avatar Sep 09 '22 21:09 costinm

Istio and gateway-api work the same - Gateway hostname and Route hostname form a match. The Gateway hostname becomes an SNI match, but the route hostname must be a subset of that match (i.e. the Host header needs to match the SNI).

What this is adding, by my understanding, is a way to allow completely arbitrary SNIs without constraining the set of route hostnames.

howardjohn avatar Sep 09 '22 22:09 howardjohn

Do we actually check that the host header matches the SNI?

I'm starting to think this is better left to an envoy filter, I don't think it's a common enough use case - and the risks of misuse and security issues seem high enough...

costinm avatar Sep 09 '22 22:09 costinm

We don't explicitly check it matches, but we check the configured names overlap. For example, if I set *.example as the hostname, I could send SNI=foo.example and Host=bar.example. But I couldn't send foo.example and bar.notexample.

howardjohn avatar Oct 11 '22 07:10 howardjohn
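To make the overlap check described in the two comments above concrete (John's description of Gateway-hostname-as-SNI-match plus route hostname as a subset, and his *.example example), here is an added Go example that is not Istio's code. It is a simplified model in which the TLS SNI and the HTTP Host header are each matched independently against a server's configured hostnames (the `hosts` list of an Istio Gateway server); the function and type names, the wildcard rule ("*.example" matches any name ending in ".example" with at least one label in front), and the sample hostnames are my own assumptions for illustration. A matched SNI with an unmatched Host is the "route not found" (HTTP 404) situation from the discuss.istio.io thread linked in the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// matchesHost reports whether name matches one configured hostname pattern.
// Patterns are exact DNS names or a leading-wildcard form such as "*.example".
// Simplification assumed for this example (not Istio's exact semantics): the
// wildcard matches any name that ends in ".example" with at least one label
// before the suffix; "*" alone matches every non-empty name.
func matchesHost(pattern, name string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return false
	}
	if pattern == "*" {
		return true
	}
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:] // "*.example" -> ".example"
		return len(name) > len(suffix) && strings.HasSuffix(name, suffix)
	}
	return pattern == name
}

// matchesAny reports whether name matches any of the configured hosts.
func matchesAny(hosts []string, name string) bool {
	for _, h := range hosts {
		if matchesHost(h, name) {
			return true
		}
	}
	return false
}

// Verdict records how one TLS request fares against a server's hosts list.
type Verdict struct {
	SNIMatched  bool // the TLS server name selected this server (filter chain)
	HostMatched bool // the HTTP Host/:authority found a route on this server
}

// Accepted is true only when both names fall inside the configured hosts.
// This is the overlap requirement from the thread: SNI and Host need not be
// equal, but each must match the same hosts list.
func (v Verdict) Accepted() bool { return v.SNIMatched && v.HostMatched }

// evaluate applies the overlap check: SNI and Host are matched separately
// against hosts, so a matched SNI says nothing about whether Host is accepted.
func evaluate(hosts []string, sni, hostHeader string) Verdict {
	return Verdict{
		SNIMatched:  matchesAny(hosts, sni),
		HostMatched: matchesAny(hosts, hostHeader),
	}
}

func main() {
	hosts := []string{"*.example"} // constructed configuration, as in the thread
	cases := []struct{ sni, host string }{
		{"foo.example", "foo.example"},     // SNI == Host
		{"foo.example", "bar.example"},     // differ, but both inside *.example
		{"foo.example", "bar.notexample"},  // Host outside the hosts list: no route (404)
		{"other.notexample", "foo.example"}, // SNI outside: this server is not selected
	}
	for _, c := range cases {
		v := evaluate(hosts, c.sni, c.host)
		fmt.Printf("SNI=%-18s Host=%-16s sni=%-5t host=%-5t accepted=%t\n",
			c.sni, c.host, v.SNIMatched, v.HostMatched, v.Accepted())
	}
}
```

The point of modelling the two matches as independent booleans is that the only thing tying SNI to Host is the shared hosts list: widening the set of accepted server names (as the PR proposes) without a corresponding Host check is exactly the decoupling the thread is cautious about.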

@hzxuzhonghu: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

istio-testing avatar Jan 13 '23 04:01 istio-testing