In proxy 5.6 in order to fix 1000586, we've added the following commit:
commit 4273986e4c1996c6c575a4cc4ca9d2c5587acf1c
Author: Stephen Herr <sh...@redhat.com>
Date:   Fri Aug 23 14:46:32 2013 -0400

    1000586 - /etc/hosts doesn't work with proxies

It does a "socket.gethostbyname(req.headers_in['Host'])", but since RHEL 5
clients over https send 'server.domain:443' host headers, we end up
doing lots of odd queries to the DNS servers (note the :443 at the end):
22:12:00.733856 IP 172.16.11.11.49785 > 172.16.11.254.53: 60115+ A? satproxy.int.rhx:443.int.rhx. (46)
22:12:00.734481 IP 172.16.11.254.53 > 172.16.11.11.49785: 60115 NXDomain* 0/1/0 (93)

Clients with python2.4 (RHEL5) using a proxy over https set the
Host: header to values like 'server.domain:443'. Python 2.6
clients (RHEL 6) set the Host: header in the form 'server.domain' when
connecting to the same proxy over https. The HTTP RFC (2616) allows
both. This change in Python's HTTPConnection class happened via
6 RFE #1472176.

Fix this by leaving out the ':port' part.

Signed-off-by: Michele Baldessari <mich...@acksyn.org>
---
 proxy/proxy/broker/rhnBroker.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/proxy/proxy/broker/rhnBroker.py b/proxy/proxy/broker/rhnBroker.py
index f90189aa462c..aca0b060f600 100644
--- a/proxy/proxy/broker/rhnBroker.py
+++ b/proxy/proxy/broker/rhnBroker.py
@@ -71,11 +71,17 @@ class BrokerHandler(SharedHandler):
         if req.headers_in.has_key('Host'):
             # the client has provided a host header
             try:
-                if socket.gethostbyname(req.headers_in['Host']) == my_ip_addr:
+                # When a client with python 2.4 (RHEL 5) uses SSL
+                # the host header is in the 'hostname:port' form
+                # (In python 2.6 RFE #1472176 changed this and 'hostname'
+                # is used). We need to use the 'hostname' part in any case
+                # or we create bogus 'hostname:port' DNS queries
+                host_header = req.headers_in['Host'].split(':')[0]
+                if socket.gethostbyname(host_header) == my_ip_addr:
                     # if host header is valid (i.e. not just an /etc/hosts
                     # entry on the client or the hostname of some other
                     # machine (say a load balancer)) then use it
-                    hostname = req.headers_in['Host']
+                    hostname = host_header
             except (socket.gaierror, socket.error,
                     socket.herror, socket.timeout):
                 # hostname probably didn't exist, fine
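
Review bot: `req.headers_in['Host'].split(':')[0]` treats the first colon as the start of the port, which is wrong for a bracketed IPv6 literal such as `[::1]:443`: the result is `[`, the lookup fails, and the code drops into the except branch, so the header is silently ignored. Strip only a trailing `:port` instead, for example by splitting from the right and accepting the split only when the suffix is numeric, and handle the `[...]` form explicitly. Separately, `hostname = host_header` now stores the port-less value where the old line stored the full header; the commit message should state that the rest of the handler expects `hostname` without a port. Since the Host header is client-supplied and goes straight into `socket.gethostbyname()`, it would also be worth rejecting empty values before the lookup.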
-- 
1.8.5.3
