Ón saol le Kubernetes: Mar nach raibh an freastalaí HTTP i bhfabhar na Spáinnigh

Thug ionadaí dár gcliant, a bhfuil a chruach feidhmchlár ina chónaí i scamall Microsoft (Azure), aghaidh ar fhadhb: le déanaí, tháinig deireadh le roinnt iarratais ó chliaint áirithe ón Eoraip le hearráid 400 (Drochiarratas). Tá gach feidhmchlár scríofa in .NET, imlonnaítear iad in Kubernetes...

Is é ceann de na hiarratais an API, trína dtagann gach trácht ar deireadh thiar. Éisteann an freastalaí HTTP leis an trácht seo Podóg, arna chumrú ag an gcliant .NET agus á óstáil i pod. Le debugging, bhí an t-ádh linn sa chiall go raibh úsáideoir ar leith a atáirgeadh go seasta ar an bhfadhb. Mar sin féin, bhí gach rud casta ag an slabhra tráchta:

Bhí cuma mar seo ar an earráid in Ingress:

{
   "number_fields":{
      "status":400,
      "request_time":0.001,
      "bytes_sent":465,
      "upstream_response_time":0,
      "upstream_retries":0,
      "bytes_received":2328
   },
   "stream":"stdout",
   "string_fields":{
      "ingress":"app",
      "protocol":"HTTP/1.1",
      "request_id":"f9ab8540407208a119463975afda90bc",
      "path":"/api/sign-in",
      "nginx_upstream_status":"400",
      "service":"app",
      "namespace":"production",
      "location":"/front",
      "scheme":"https",
      "method":"POST",
      "nginx_upstream_response_time":"0.000",
      "nginx_upstream_bytes_received":"120",
      "vhost":"api.app.example.com",
      "host":"api.app.example.com",
      "user":"",
      "address":"83.41.81.250",
      "nginx_upstream_addr":"10.240.0.110:80",
      "referrer":"https://api.app.example.com/auth/login?long_encrypted_header",
      "service_port":"http",
      "user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36",
      "time":"2019-03-06T18:29:16+00:00",
      "content_kind":"cache-headers-not-present",
      "request_query":""
   },
   "timestamp":"2019-03-06 18:29:16",
   "labels":{
      "app":"nginx",
      "pod-template-generation":"6",
      "controller-revision-hash":"1682636041"
   },
   "namespace":"kube-nginx-ingress",
   "nsec":6726612,
   "source":"kubernetes",
   "host":"k8s-node-55555-0",
   "pod_name":"nginx-v2hcb",
   "container_name":"nginx",
   "boolean_fields":{}
}

Ag an am céanna, thug Kestrel:

HTTP/1.1 400 Bad Request
Connection: close
Date: Wed, 06 Mar 2019 12:34:20 GMT
Server: Kestrel
Content-Length: 0

Fiú agus an méid is mó briathrachais, bhí an earráid Kestrel thar a bheith beag eolas úsáideach:

{
   "number_fields":{"ThreadId":76},
   "stream":"stdout",
   "string_fields":{
      "EventId":"{"Id"=>17, "Name"=>"ConnectionBadRequest"}",
      "SourceContext":"Microsoft.AspNetCore.Server.Kestrel",
      "ConnectionId":"0HLL2VJSST5KV",
      "@mt":"Connection id "{ConnectionId}" bad request data: "{message}"",
      "@t":"2019-03-07T13:06:48.1449083Z",
      "@x":"Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException: Malformed request: invalid headers.n   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1Connection.TryParseRequest(ReadResult result, Boolean& endConnection)n   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.<ProcessRequestsAsync>d__185`1.MoveNext()",
      "message":"Malformed request: invalid headers."
   },
   "timestamp":"2019-03-07 13:06:48",
   "labels":{
      "pod-template-hash":"2368795483",
      "service":"app"
   },
   "namespace":"production",
   "nsec":145341848,
   "source":"kubernetes",
   "host":"k8s-node-55555-1",
   "pod_name":"app-67bdcf98d7-mhktx",
   "container_name":"app",
   "boolean_fields":{}
}

Tá an chuma ar an scéal nach gcuideoidh ach tcpdump leis an bhfadhb seo a réiteach... ach déarfaidh mé arís faoin slabhra tráchta:

Imscrúdú

Ar ndóigh, tá sé níos fearr éisteacht le trácht ar an nód sonrach sin, áit a bhfuil Kubernetes tar éis pod a imscaradh: beidh toirt an dumpála chomh mór sin go mbeifear in ann rud éigin a aimsiú go tapa ar a laghad. Agus go deimhin, agus é á scrúdú, tugadh an fráma seo a leanas faoi deara:

GET /back/user HTTP/1.1
Host: api.app.example.com
X-Request-ID: 27ceb14972da8c21a8f92904b3eff1e5
X-Real-IP: 83.41.81.250
X-Forwarded-For: 83.41.81.250
X-Forwarded-Host: api.app.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Original-URI: /front/back/user
X-Scheme: https
X-Original-Forwarded-For: 83.41.81.250
X-Nginx-Geo-Client-Country: Spain
X-Nginx-Geo-Client-City: M.laga
Accept-Encoding: gzip
CF-IPCountry: ES
CF-RAY: 4b345cfd1c4ac691-MAD
CF-Visitor: {"scheme":"https"}
pragma: no-cache
cache-control: no-cache
accept: application/json, text/plain, */*
origin: https://app.example.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
referer: https://app.example.com/auth/login
accept-language: en-US,en;q=0.9,en-GB;q=0.8,pl;q=0.7
cookie: many_encrypted_cookies; .AspNetCore.Identity.Application=something_encrypted; 
CF-Connecting-IP: 83.41.81.250
True-Client-IP: 83.41.81.250
CDN-Loop: cloudflare

HTTP/1.1 400 Bad Request
Connection: close
Date: Wed, 06 Mar 2019 12:34:20 GMT
Server: Kestrel
Content-Length: 0

Tar éis iniúchadh níos dlúithe a dhéanamh ar an dumpáil, tugadh an focal faoi deara M.laga. Is furasta buille faoi thuairim nach bhfuil aon chathair M.laga sa Spáinn (ach tá Malaga). Ag glacadh leis an smaoineamh seo, d’fhéachamar ar na cumraíochtaí Ingress, áit a bhfaca muid an ceann a cuireadh isteach mí ó shin (ar iarratas an chliaint) "harmless" blúire:

    ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-Nginx-Geo-Client-Country $geoip_country_name;
      proxy_set_header X-Nginx-Geo-Client-City $geoip_city;

Tar éis cur ar aghaidh na gceanntásca seo a dhíchumasú, d'éirigh gach rud go breá! (Ba léir go gairid nach raibh na ceanntásca seo ag teastáil ón bhfeidhmchlár féin a thuilleadh.)

Anois, déanaimis féachaint ar an bhfadhb níos ginearálta. Is féidir é a atáirgeadh go héasca taobh istigh den fheidhmchlár ach iarratas telnet a dhéanamh localhost:80:

GET /back/user HTTP/1.1
Host: api.app.example.com
cache-control: no-cache
accept: application/json, text/plain, */*
origin: https://app.example.com
Cookie: test=Desiree

... filleann 401 Unauthorized, mar a bheifí ag súil leis. Cad a tharlaíonn má dhéanaimid:

GET /back/user HTTP/1.1
Host: api.app.example.com
cache-control: no-cache
accept: application/json, text/plain, */*
origin: https://app.example.com
Cookie: test=Désirée

?

Fillfidh 400 Bad request — i loga an iarratais gheobhaimid earráid atá eolach dúinn cheana féin:

{
   "@t":"2019-03-31T12:59:54.3746446Z",
   "@mt":"Connection id "{ConnectionId}" bad request data: "{message}"",
   "@x":"Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException: Malformed request: invalid headers.n   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1Connection.TryParseRequest(ReadResult result, Boolean& endConnection)n   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.<ProcessRequestsAsync>d__185`1.MoveNext()",
   "ConnectionId":"0HLLLR1J974L9",
   "message":"Malformed request: invalid headers.",
   "EventId":{
      "Id":17,
      "Name":"ConnectionBadRequest"
   },
   "SourceContext":"Microsoft.AspNetCore.Server.Kestrel",
   "ThreadId":71
}

Torthaí

Go sonrach Kestrel ní féidir próiseáil i gceart ceanntásca HTTP leis na carachtair cearta in UTF-8, atá le fáil in ainmneacha líon measartha mór de na cathracha.

Fachtóir breise inár gcás ná nach bhfuil sé beartaithe ag an gcliant cur i bhfeidhm Kestrel a athrú san iarratas faoi láthair. Mar sin féin, saincheisteanna in AspNetCore féin (№ 4318, № 7707) deir siad nach gcuideoidh sé seo...

Mar achoimre: ní bhaineann an nóta a thuilleadh le fadhbanna sonracha Kestrel nó UTF-8 (in 2019?!), ach faoin bhfíric go bhfuil aire agus staidéar comhsheasmhach Luath nó mall beidh toradh ar gach céim a ghlacfaidh tú agus tú ag cuardach fadhbanna. Ádh mór!

PS

Léigh freisin ar ár mblag:

• «6 fhabht córais siamsúil i bhfeidhmiú Kubernetes [agus a réiteach]";
• «Leideanna & cleasanna Kubernetes: leathanaigh earráide saincheaptha in NGINX Ingress";
• «Forbhreathnú agus comparáid idir rialtóirí Ingress do Kubernetes";
• «Monatóireacht a dhéanamh ar pings idir nóid Kubernetes - ár n-oideas";
• «3 chás neamhghnách faoi fhochóras líonra Linux'.

Foinse: will.com