Soti nan lavi ak Kubernetes: Ki jan sèvè HTTP a pa t 'favè Espanyòl yo

Yon reprezantan kliyan nou an, ki gen yon pil aplikasyon ki abite nan nwaj Microsoft (Azure), te adrese yon pwoblèm: dènyèman, kèk demann soti nan kèk kliyan soti nan Ewòp te kòmanse fini ak erè 400 (Move Demann). Tout aplikasyon yo ekri nan .NET, deplwaye nan Kubernetes...

Youn nan aplikasyon yo se API, atravè tout trafik finalman vini. Se sèvè HTTP a ki koute trafik sa a Krenèl, configuré pa kliyan an .NET ak anime nan yon gous. Avèk debogaj, nou te gen chans nan sans ke te gen yon itilizatè espesifik ki toujou repwodui pwoblèm nan. Sepandan, tout bagay te konplike pa chèn trafik la:

Erè a nan Ingress sanble sa a:

{
   "number_fields":{
      "status":400,
      "request_time":0.001,
      "bytes_sent":465,
      "upstream_response_time":0,
      "upstream_retries":0,
      "bytes_received":2328
   },
   "stream":"stdout",
   "string_fields":{
      "ingress":"app",
      "protocol":"HTTP/1.1",
      "request_id":"f9ab8540407208a119463975afda90bc",
      "path":"/api/sign-in",
      "nginx_upstream_status":"400",
      "service":"app",
      "namespace":"production",
      "location":"/front",
      "scheme":"https",
      "method":"POST",
      "nginx_upstream_response_time":"0.000",
      "nginx_upstream_bytes_received":"120",
      "vhost":"api.app.example.com",
      "host":"api.app.example.com",
      "user":"",
      "address":"83.41.81.250",
      "nginx_upstream_addr":"10.240.0.110:80",
      "referrer":"https://api.app.example.com/auth/login?long_encrypted_header",
      "service_port":"http",
      "user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36",
      "time":"2019-03-06T18:29:16+00:00",
      "content_kind":"cache-headers-not-present",
      "request_query":""
   },
   "timestamp":"2019-03-06 18:29:16",
   "labels":{
      "app":"nginx",
      "pod-template-generation":"6",
      "controller-revision-hash":"1682636041"
   },
   "namespace":"kube-nginx-ingress",
   "nsec":6726612,
   "source":"kubernetes",
   "host":"k8s-node-55555-0",
   "pod_name":"nginx-v2hcb",
   "container_name":"nginx",
   "boolean_fields":{}
}

An menm tan an, Kestrel te bay:

HTTP/1.1 400 Bad Request
Connection: close
Date: Wed, 06 Mar 2019 12:34:20 GMT
Server: Kestrel
Content-Length: 0

Menm ak maksimòm verbosity, erè Kestrel la te genyen anpil ti enfòmasyon itil:

{
   "number_fields":{"ThreadId":76},
   "stream":"stdout",
   "string_fields":{
      "EventId":"{"Id"=>17, "Name"=>"ConnectionBadRequest"}",
      "SourceContext":"Microsoft.AspNetCore.Server.Kestrel",
      "ConnectionId":"0HLL2VJSST5KV",
      "@mt":"Connection id "{ConnectionId}" bad request data: "{message}"",
      "@t":"2019-03-07T13:06:48.1449083Z",
      "@x":"Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException: Malformed request: invalid headers.n   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1Connection.TryParseRequest(ReadResult result, Boolean& endConnection)n   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.<ProcessRequestsAsync>d__185`1.MoveNext()",
      "message":"Malformed request: invalid headers."
   },
   "timestamp":"2019-03-07 13:06:48",
   "labels":{
      "pod-template-hash":"2368795483",
      "service":"app"
   },
   "namespace":"production",
   "nsec":145341848,
   "source":"kubernetes",
   "host":"k8s-node-55555-1",
   "pod_name":"app-67bdcf98d7-mhktx",
   "container_name":"app",
   "boolean_fields":{}
}

Li ta sanble ke sèlman tcpdump pral ede rezoud pwoblèm sa a ... men mwen pral repete sou chèn trafik la:

Envestigasyon

Li evidan, li pi bon pou koute trafik sou ne espesifik sa a, kote Kubernetes te deplwaye yon gous: volim pil fatra a pral tankou ke li pral posib jwenn omwen yon bagay trè byen vit. Ak tout bon, lè w ap egzamine li, yo te remake ankadreman sa a:

GET /back/user HTTP/1.1
Host: api.app.example.com
X-Request-ID: 27ceb14972da8c21a8f92904b3eff1e5
X-Real-IP: 83.41.81.250
X-Forwarded-For: 83.41.81.250
X-Forwarded-Host: api.app.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Original-URI: /front/back/user
X-Scheme: https
X-Original-Forwarded-For: 83.41.81.250
X-Nginx-Geo-Client-Country: Spain
X-Nginx-Geo-Client-City: M.laga
Accept-Encoding: gzip
CF-IPCountry: ES
CF-RAY: 4b345cfd1c4ac691-MAD
CF-Visitor: {"scheme":"https"}
pragma: no-cache
cache-control: no-cache
accept: application/json, text/plain, */*
origin: https://app.example.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
referer: https://app.example.com/auth/login
accept-language: en-US,en;q=0.9,en-GB;q=0.8,pl;q=0.7
cookie: many_encrypted_cookies; .AspNetCore.Identity.Application=something_encrypted; 
CF-Connecting-IP: 83.41.81.250
True-Client-IP: 83.41.81.250
CDN-Loop: cloudflare

HTTP/1.1 400 Bad Request
Connection: close
Date: Wed, 06 Mar 2019 12:34:20 GMT
Server: Kestrel
Content-Length: 0

Lè yo te fin enspeksyon pil fatra a, yo te remake mo a M.laga. Li fasil devine ke pa gen okenn vil M.laga nan peyi Espay (men gen malaga). Sezi lide sa a, nou gade konfigirasyon Ingress yo, kote nou te wè youn nan mete yon mwa de sa (sou demann kliyan an) fragment "inofansif".:

    ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-Nginx-Geo-Client-Country $geoip_country_name;
      proxy_set_header X-Nginx-Geo-Client-City $geoip_city;

Apre yo te fin enfim voye tèt sa yo, tout bagay te vin anfòm! (Li byento te vin klè ke aplikasyon an tèt li pa bezwen tèt sa yo ankò.)

Koulye a, ann gade nan pwoblèm nan plis jeneralman. Li ka fasil repwodui andedan aplikasyon an lè w fè yon demann telnet localhost:80:

GET /back/user HTTP/1.1
Host: api.app.example.com
cache-control: no-cache
accept: application/json, text/plain, */*
origin: https://app.example.com
Cookie: test=Desiree

... retounen 401 Unauthorized, jan yo espere. Kisa k ap pase si nou fè:

GET /back/user HTTP/1.1
Host: api.app.example.com
cache-control: no-cache
accept: application/json, text/plain, */*
origin: https://app.example.com
Cookie: test=Désirée

?

Ap retounen 400 Bad request — nan jounal aplikasyon an nou pral resevwa yon erè ki deja abitye pou nou:

{
   "@t":"2019-03-31T12:59:54.3746446Z",
   "@mt":"Connection id "{ConnectionId}" bad request data: "{message}"",
   "@x":"Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException: Malformed request: invalid headers.n   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.Http1Connection.TryParseRequest(ReadResult result, Boolean& endConnection)n   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.<ProcessRequestsAsync>d__185`1.MoveNext()",
   "ConnectionId":"0HLLLR1J974L9",
   "message":"Malformed request: invalid headers.",
   "EventId":{
      "Id":17,
      "Name":"ConnectionBadRequest"
   },
   "SourceContext":"Microsoft.AspNetCore.Server.Kestrel",
   "ThreadId":71
}

Rezilta

Espesyalman Kestrel pa kapab kòrèkteman trete tèt HTTP ak karaktè ki kòrèk yo nan UTF-8, ki genyen nan non yo nan yon kantite jistis gwo nan vil yo.

Yon faktè adisyonèl nan ka nou an se ke kliyan an pa kounye a planifye chanje aplikasyon an nan Kestrel nan aplikasyon an. Sepandan, pwoblèm nan AspNetCore tèt li (№ 4318, № 7707) yo di ke sa pap ede...

Pou rezime: nòt la pa sou pwoblèm espesifik Kestrel oswa UTF-8 (nan 2019?!), men sou lefèt ke atensyon ak etid konsistan Chak etap ou fè pandan w ap chèche pwoblèm yo pral pi bonè oswa pita bay fwi. Bon chans!

PS

Li tou sou blog nou an:

• «6 ensèk sistèm amizan nan operasyon Kubernetes [ak solisyon yo]";
• «Konsèy ak ke trik nouvèl Kubernetes: paj erè koutim nan NGINX Ingress";
• «Apèsi ak konparezon kontwolè Ingress pou Kubernetes";
• «Siveyans ping ant nœuds Kubernetes - resèt nou an";
• «3 ka etranj sou subsistèm rezo Linux'.

Sous: www.habr.com