From a49ad327971d66c4ea9ac6a91160435bd7a986ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Hole=C4=8Dek?=
Date: Wed, 25 Sep 2024 00:08:40 +0200
Subject: [PATCH] Use proxy FQDN from config file for auth token (#9265)

AuthToken appended FQDN is used also for translating autoyast/ks server FQDN to proxy one. AuthToken thus has to use external FQDN and not internal pod hostname. This commit introduce this change and also fix for hairpin problem as AuthToken hostname was used for internal connection, which must be localhost (or internal pod hosname) for container scenario.
---
 ...proxy-httpd-image.changes.oholecek.store_proxy_fqdn | 2 ++
 containers/proxy-httpd-image/uyuni-configure.py | 1 +
 proxy/proxy/broker/rhnBroker.py | 4 ++++
 proxy/proxy/rhnShared.py | 10 ++++++++++
 ...ewalk-proxy.changes.oholecek.fix_authtoken_hostname | 2 ++
 5 files changed, 19 insertions(+)
 create mode 100644 containers/proxy-httpd-image/proxy-httpd-image.changes.oholecek.store_proxy_fqdn
 create mode 100644 proxy/proxy/spacewalk-proxy.changes.oholecek.fix_authtoken_hostname

diff --git a/containers/proxy-httpd-image/proxy-httpd-image.changes.oholecek.store_proxy_fqdn b/containers/proxy-httpd-image/proxy-httpd-image.changes.oholecek.store_proxy_fqdn
new file mode 100644
index 000000000000..5ac085338e23
--- /dev/null
+++ b/containers/proxy-httpd-image/proxy-httpd-image.changes.oholecek.store_proxy_fqdn
@@ -0,0 +1,2 @@
+- store proxy FQDN in the rhn.conf for auth token use
+ (bsc#1230255)
diff --git a/containers/proxy-httpd-image/uyuni-configure.py b/containers/proxy-httpd-image/uyuni-configure.py
index 51fda4e25e4c..4d11ce17024a 100644
--- a/containers/proxy-httpd-image/uyuni-configure.py
+++ b/containers/proxy-httpd-image/uyuni-configure.py
@@ -167,6 +167,7 @@ def insert_under_line(file_path, line_to_match, line_to_insert):
 # Hostname of Uyuni, SUSE Manager Server or another proxy
 proxy.rhn_parent = {config['server']}
+ proxy.proxy_fqdn = {config['proxy_fqdn']}
 # Destination of all tracebacks, etc.
 traceback_mail = {config['email']}
diff --git a/proxy/proxy/broker/rhnBroker.py b/proxy/proxy/broker/rhnBroker.py
index a451034c1746..d227c37d4b5f 100644
--- a/proxy/proxy/broker/rhnBroker.py
+++ b/proxy/proxy/broker/rhnBroker.py
@@ -100,6 +100,10 @@ def __init__(self, req):
 socket.herror, socket.timeout):
 # hostname probably didn't exist, fine
 pass
+ if not hostname and CFG.has_key('PROXY_FQDN'):
+ # Not resolvable hostname, check container config
+ log_debug(2, "Using PROXY_FQDN config %s" % CFG.PROXY_FQDN)
+ hostname = CFG.PROXY_FQDN
 if not hostname:
 # okay, that didn't work, let's do a reverse dns lookup on my
 # ip address
diff --git a/proxy/proxy/rhnShared.py b/proxy/proxy/rhnShared.py
index 454fb628e87a..b8c4ecb04179 100644
--- a/proxy/proxy/rhnShared.py
+++ b/proxy/proxy/rhnShared.py
@@ -126,11 +126,15 @@ def _connectToParent(self):
 # if this request is for an upstream server, use the original query string.
 # Otherwise, if it is for the local Squid instance, strip it so that
 # Squid will not keep multiple cached copies of the same resource
+ # Containers notes: when going for local proxy, use localhost as host to avoid
+ # hairpin problem.
 if self.httpProxy not in ['127.0.0.1:8080', 'localhost:8080']:
 if 'X-Suse-Auth-Token' in self.req.headers_in:
 self.uri += '?%s' % self.req.headers_in['X-Suse-Auth-Token']
 elif query:
 self.uri += '?%s' % query
+ else:
+ host = 'localhost'
 log_debug(3, 'Scheme:', scheme)
 log_debug(3, 'Host:', host)
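Review bot: In the uyuni-configure.py hunk, `config['proxy_fqdn']` is written into rhn.conf with no validation, and per the commit message this value becomes the FQDN appended to the proxy auth token. A value containing whitespace or a line break would yield a malformed or additional rhn.conf entry, and a missing key would raise `KeyError` while the file is rendered; how `config` is loaded is outside the hunk, so both depend on what that loader already guarantees. I would reject anything that is not a plain DNS name before the template is rendered, and add a comment line above the new entry such as `# External FQDN of this proxy, appended to the auth token`.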
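Review bot: In the rhnBroker.py hunk, the `PROXY_FQDN` branch runs only when the earlier lookup left `hostname` empty, so a configured FQDN never overrides a name that did resolve. The commit message says the token must carry the external FQDN rather than the internal pod hostname; if the resolution code above (outside the hunk) can succeed with an internal name, that name still wins. Consider giving the configured value precedence by testing `if CFG.has_key('PROXY_FQDN') and CFG.PROXY_FQDN:` before the resolution attempt, which also skips an empty setting explicitly. `__init__` starts and ends outside the hunk.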
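Review bot: In the rhnShared.py `_connectToParent` hunk, the local-Squid test `self.httpProxy not in ['127.0.0.1:8080', 'localhost:8080']` is a string match on two hard-coded addresses, and the `_create_connection` hunk repeats the same list. A local proxy written as `[::1]:8080`, or listening on another port, would miss both overrides, so the hairpin fix would silently stop applying. A shared module-level constant, e.g. `LOCAL_SQUID = ('127.0.0.1:8080', 'localhost:8080')`, keeps the two checks in step. The new comment is headed "Containers notes", yet the `else: host = 'localhost'` branch is not conditioned on running in a container; the comment should say that it applies to every deployment that uses the local Squid. `_connectToParent` continues outside the hunk.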
@@ -172,6 +176,12 @@ def _create_connection(self):
 'host': host,
 'port': port,
 }
+
+ # Containers notes: when going for local proxy, use localhost as host to avoid
+ # hairpin problem.
+ if self.httpProxy in ['127.0.0.1:8080', 'localhost:8080']:
+ params['host'] = 'localhost'
+
 if CFG.has_key('timeout'):
 params['timeout'] = CFG.TIMEOUT
 if self.httpProxy:
diff --git a/proxy/proxy/spacewalk-proxy.changes.oholecek.fix_authtoken_hostname b/proxy/proxy/spacewalk-proxy.changes.oholecek.fix_authtoken_hostname
new file mode 100644
index 000000000000..bb050dbbfbd6
--- /dev/null
+++ b/proxy/proxy/spacewalk-proxy.changes.oholecek.fix_authtoken_hostname
@@ -0,0 +1,2 @@
+- set proxy authtoken FQDN based on config file
+ (bsc#1230255)
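Review bot: In the rhnShared.py `_create_connection` hunk, `params['host'] = 'localhost'` replaces the parsed upstream host without logging it, whereas `_connectToParent` logs the host it ends up with. Nothing visible here restricts the override to plain HTTP; if the connection built from `params` (outside the hunk) can use TLS and checks the peer name against `params['host']`, that check would be made against `localhost` rather than the proxy's own name, which is worth confirming. I would add `log_debug(3, 'Local proxy in use, connecting to localhost instead of', host)` next to the assignment. The function body continues outside the hunk.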