GET requests blocked by AWS Application Load Balancer #467

Closed
BlueIce opened this issue Aug 27, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@BlueIce

BlueIce commented Aug 27, 2024

Describe the bug

When accessing a harbor instance which is behind an AWS Application Load Balancer, GET requests get blocked if "Desync mitigation mode" is set to strictest.

I think the reason is that for GET (and maybe also HEAD) requests, the payload passed to the client is nil. And when the payload is processed by the json encoder, the byte buffer b will contain a literal null and a newline:

b := new(bytes.Buffer)
err = json.NewEncoder(b).Encode(payload)

Which in turn has the effect that the request will also have a Content-Length header and a non-empty body.
The request gets classified as Ambiguous (which means, according to AWS docs: "Request does not comply with RFC 7230 but poses a risk, as various web servers and proxies could handle it differently."), which is blocked at strictest mode. The classification reason is UndefinedContentLengthSemantics, meaning:

There is a Content-Length header defined for a GET or HEAD request.

To Reproduce

The json encoding part can be reproduced by

package main

import (
    "bytes"
    "encoding/json"
    "fmt"
)

func main() {
    b := new(bytes.Buffer)
    // Encoding a nil value writes the JSON literal "null" plus a trailing
    // newline, so the buffer is no longer empty after this call.
    err := json.NewEncoder(b).Encode(nil)
    if err != nil {
        fmt.Println("Error encoding:", err)
        return
    }

    // Delimit the buffer with bars so the trailing newline is visible.
    fmt.Printf("buffer |%s|", b)
}

This will print:

buffer |null
|

To reproduce the blocked requests, an AWS Application Load Balancer has to be set up with "Desync mitigation mode" set to strictest.

Expected behavior
Requests don't get blocked by AWS Application Load Balancer in strictest mode.

Additional context

Idea to fix the problem:
Do not use the json encoder if the payload is nil so that the byte buffer will stay empty.

  • Provider Version 3.10.15
  • Terraform Version 1.5.7
  • Harbor Version 2.11.1
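The mechanism described in the report, as an added Go example; this is not code from the issue, from the harbor Terraform provider, or from the PR. It builds the same GET two ways: `buildRequestBuggy` always runs the payload through the JSON encoder (the pattern quoted above), while `buildRequestFixed` skips the encoder when the payload is nil, which is the fix the report proposes (the function names, the `harbor.example.com` URL and the exact shape of the fix are assumptions for this example). `wire` serializes each request with `net/http`'s own `Request.Write`, so the headers and body a proxy such as the ALB would see can be inspected offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Hypothetical Harbor API URL used only for this example.
const exampleURL = "https://harbor.example.com/api/v2.0/projects"

// buildRequestBuggy mirrors the pattern quoted in the report: the payload is
// always run through the JSON encoder, so a nil payload still becomes the five
// bytes "null\n" and the request gets a body plus a Content-Length header.
func buildRequestBuggy(method, url string, payload interface{}) (*http.Request, error) {
	b := new(bytes.Buffer)
	if err := json.NewEncoder(b).Encode(payload); err != nil {
		return nil, err
	}
	req, err := http.NewRequest(method, url, b)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

// buildRequestFixed applies the fix suggested in the report (an assumption
// about the PR, not copied from it): skip the encoder when there is no payload.
// With a nil io.Reader, net/http sends no body and, for GET/HEAD, no
// Content-Length header at all.
func buildRequestFixed(method, url string, payload interface{}) (*http.Request, error) {
	var body io.Reader // nil reader => req.Body == nil, req.ContentLength == 0
	if payload != nil {
		b := new(bytes.Buffer)
		if err := json.NewEncoder(b).Encode(payload); err != nil {
			return nil, err
		}
		body = b
	}
	req, err := http.NewRequest(method, url, body)
	if err != nil {
		return nil, err
	}
	if payload != nil {
		req.Header.Set("Content-Type", "application/json")
	}
	return req, nil
}

// wire serializes req exactly as net/http would write it to the connection.
func wire(req *http.Request) (string, error) {
	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// hasContentLength reports whether the serialized request carries a
// Content-Length header; on a GET or HEAD that is the condition the ALB
// classifies as UndefinedContentLengthSemantics.
func hasContentLength(raw string) bool {
	head, _, _ := strings.Cut(raw, "\r\n\r\n")
	return strings.Contains(strings.ToLower(head), "\r\ncontent-length:")
}

// body returns everything after the header block of a serialized request.
func body(raw string) string {
	_, b, _ := strings.Cut(raw, "\r\n\r\n")
	return b
}

func main() {
	builders := map[string]func(string, string, interface{}) (*http.Request, error){
		"buggy": buildRequestBuggy,
		"fixed": buildRequestFixed,
	}
	for name, build := range builders {
		req, err := build("GET", exampleURL, nil)
		if err != nil {
			panic(err)
		}
		raw, err := wire(req)
		if err != nil {
			panic(err)
		}
		fmt.Printf("== %s ==\nContent-Length present: %v\nbody: %q\n%s\n",
			name, hasContentLength(raw), body(raw), raw)
	}
}
```

Running it with `go run` shows the buggy GET going out with `Content-Length: 5` and a body of `null` plus a newline, and the fixed GET with neither. One caveat of the fix as written here: `payload != nil` is an interface comparison, so a typed nil pointer (a `*Project` that happens to be nil) is not caught and would still be encoded as `null`; callers have to pass an untyped nil for requests without a body.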
@flbla flbla added the bug Something isn't working label Oct 23, 2024
@flbla
Contributor

flbla commented Oct 23, 2024

Hi @BlueIce ,
Thank you for the bug report.
I created a PR : #472
But I don't have an ALB to test it...
So let me know if you can test it before I merge it

@BlueIce
Author

BlueIce commented Oct 28, 2024

I managed to build the provider manually and use it in a local test setup. Using the code from the PR, I was able to successfully run terraform and create some harbor resources (while the loadbalancer was set to strictest)! 🚀

And I also cross-checked that it failed using the code from the main branch (as expected).

flbla added a commit that referenced this issue Oct 30, 2024
@flbla flbla closed this as completed in 5568402 Oct 30, 2024
@flbla
Contributor

flbla commented Oct 30, 2024

hi @BlueIce
thanks, I merged it
I'll soon build a new release
