404 if Host header include port number 443

[yegle]

What happened?

If Host header includes the standard 443 port number, Pomerium will return 404.

$ curl -I -H 'Host: foo.example.com:443' https://foo.example.com
HTTP/2 404 
date: Mon, 22 Jun 2020 07:23:02 GMT
server: envoy

$ curl -I -H 'Host: foo.example.com' https://foo.example.com 
HTTP/2 302 
content-length: 5
content-type: text/plain
location: LOGIN_URL
date: Mon, 22 Jun 2020 07:23:52 GMT
server: envoy

What did you expect to happen?

Should handle the request correctly.

How'd it happen?

1. Ran x
2. Clicked y
3. Saw error z

What's your environment like?

• Pomerium version (retrieve with pomerium --version or /ping endpoint):
  pomerium/v0.9.0 (+github.com/pomerium/pomerium; 84dde09; go1.14.4)
• Server Operating System/Architecture/Cloud:
  Docker

What's your config.yaml?

N/A

What did you see in the logs?

12:23AM INF http-request authority=foo.example.com:443 duration=0.126206 forwarded-for= method=HEAD path=/ referer= request-id=63ed7a23-69ba-48d0-990a-b3c079608df2 response-code=404 response-code-details=route_not_found service=envoy size=0 upstream-cluster= user-agent=curl/7.64.0
12:23AM INF http-request authority=foo.example.com duration=3.894968 forwarded-for= method=HEAD path=/ referer= request-id=aa62dd7c-6506-40c2-b6f6-43247ffb3849 response-code=302 response-code-details=ext_authz_denied service=envoy size=0 upstream-cluster= user-agent=curl/7.64.0

Additional context

Similar but probably unrelated bug #352

[yegle]

Workaround: Add the same policy but with port number appended to from:.

- from: https://foo.example.com
  to: ...
- from: https://foo.example.com:443
  to: ...

[cuonglm]

@yegle This is how envoy works. We can make envoy strip the port part from domain, by set strip_matching_host_port to true.

[yegle]

Yes found this https://www.envoyproxy.io/docs/envoy/latest/faq/debugging/why_is_my_route_not_found also suggest to set strip_matching_host_port to true.

I would assume it's as easy as adding a StripMatchingHostPort: true in the code below but it looks like Pomerium still uses 0.9.5 of Envoy and doesn't include this option.

here

pomerium/internal/controlplane/xds_listeners.go

Lines 189 to 227 in 84dde09

	tc, _ := ptypes.MarshalAny(&envoy_http_connection_manager.HttpConnectionManager{
	CodecType: envoy_http_connection_manager.HttpConnectionManager_AUTO,
	StatPrefix: "ingress",
	RouteSpecifier: &envoy_http_connection_manager.HttpConnectionManager_RouteConfig{
	RouteConfig: buildRouteConfiguration("main", virtualHosts),
	},
	HttpFilters: []*envoy_http_connection_manager.HttpFilter{
	{
	Name: "envoy.filters.http.ext_authz",
	ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
	TypedConfig: extAuthZ,
	},
	},
	{
	Name: "envoy.filters.http.lua",
	ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
	TypedConfig: extAuthzSetCookieLua,
	},
	},
	{
	Name: "envoy.filters.http.lua",
	ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
	TypedConfig: cleanUpstreamLua,
	},
	},
	{
	Name: "envoy.filters.http.router",
	},
	},
	AccessLog: buildAccessLogs(options),
	CommonHttpProtocolOptions: &envoy_config_core_v3.HttpProtocolOptions{
	IdleTimeout: ptypes.DurationProto(options.IdleTimeout),
	MaxStreamDuration: maxStreamDuration,
	},
	RequestTimeout: ptypes.DurationProto(options.ReadTimeout),
	Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{
	RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100},
	},
	})

[yegle]

I was a bit confused. It looks like the commit envoyproxy/envoy@111684f is not part of any Envoy release yet. And the go control plane library is likely kept in sync with Envoy so it doesn't have StripMatchingHostPort. (Pomerium is already using the latest released version of envoy go control plane library).

I guess we'll have to use the workaround for now.

[cuonglm]

I was a bit confused. It looks like the commit envoyproxy/envoy@111684f is not part of any Envoy release yet. And the go control plane library is likely kept in sync with Envoy so it doesn't have StripMatchingHostPort. (Pomerium is already using the latest released version of envoy go control plane library).

I guess we'll have to use the workaround for now.

Yes, we will have to wait new envoy release.

[yegle]

This is not fully resolved. It looks like a request with header Host: example.com:443 will disable public unauthenticated access:

$ curl -I https://plex.example.com -H 'Host: plex.example.com:443'
HTTP/2 302 
content-length: 5
content-type: text/plain
location: https://pomerium.example.com/.pomerium/sign_in?XXXX
date: Thu, 30 Jul 2020 23:05:42 GMT
server: envoy

$ curl -I https://plex.example.com -H 'Host: plex.example.com'    
HTTP/2 401 
x-plex-protocol: 1.0
content-length: 193
content-type: text/html
cache-control: no-cache
date: Thu, 30 Jul 2020 23:05:51 GMT
x-envoy-upstream-service-time: 0
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
server: envoy

Policy config:

- from: https://plex.example.com
  to: https://plex:32400
  allow_public_unauthenticated_access: true
  allow_websockets: true

[desimone]

\cc @cuonglm / @calebdoxsey

[calebdoxsey]

The route matching code in authorize needs to be updated.