Add X-FORWARDED-HOST header insert irule

[m-kratochvil]

Based on customer RFE - https://github.wdf.sap.corp/PlusOne/enhancements/issues/125
Tracked in https://github.wdf.sap.corp/cc/octavia-issues/issues/23

In this PR I'm adding X-FORWARDED-HOST irule. Once added to a listener, the XFH host header will be replaced by the value of the HTTP "Host" header. This is primarily security based, to prevent clients to inject arbitrary data into the XFH.

I will request adjustment of the "Insert headers" drop-down in listener config in Elektra separately.

iRule functionally tested in qa-de-1, working as expected:

Client request:

$ curl -vkI -H "X-Forwarded-Host: blablabla" https://test-listener-3.f5tests.only.sap/
*   Trying 10.236.36.112:443...
* Connected to test-listener-3.f5tests.only.sap (10.236.36.112) port 443
> HEAD / HTTP/1.1
> Host: test-listener-3.f5tests.only.sap
> User-Agent: curl/8.4.0
> Accept: */*
> X-Forwarded-Host: blablabla
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK

Server receives:

ccloud@srv-1:~$ sudo tcpdump -vnnn -i ens192 src host 10.180.88.99
tcpdump: listening on ens192, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:42:59.582243 IP (tos 0x0, ttl 255, id 35519, offset 0, flags [DF], proto TCP (6), length 231)
    10.180.88.99.35928 > 10.180.88.141.80: Flags [P.], cksum 0xdb22 (correct), seq 0:179, ack 1, win 42, options [nop,nop,TS val 3183195773 ecr 1977627832], length 179: HTTP, length: 179
        HEAD / HTTP/1.1
        Host: test-listener-3.f5tests.only.sap
        User-Agent: curl/8.4.0
        Accept: */*
        X-Forwarded-Host: test-listener-3.f5tests.only.sap

Outputs of irule-based logging:

info tmm1[11378]: Rule /Common/cc_x_forwarded_host <HTTP_REQUEST>: Client-side value of "host" header: blablabla
info tmm1[11378]: Rule /Common/cc_x_forwarded_host <HTTP_REQUEST>: Client-side value of "XFH" header: test-listener-3.f5tests.only.sap
info tmm1[11378]: Rule /Common/cc_x_forwarded_host <HTTP_REQUEST_RELEASE>: Server-side value of "host" header: test-listener-3.f5tests.only.sap
info tmm1[11378]: Rule /Common/cc_x_forwarded_host <HTTP_REQUEST_RELEASE>: Server-side value of "XFH" header: test-listener-3.f5tests.only.sap

[velp]

LGTM

[BenjaminLudwigSAP]

LGTM, will merge and roll out

[ZhichaoTJ]

hey, guys,
Thanks for rolling out this feature. I would like to conduct a thorough test to fully understand how the changes have been implemented. This will aid me in drafting a comprehensive guide for our customers on how to use this new feature.

I just investigated the code a bit, I guess I need to do following?

# set the rule that replace xfh with HOST
os loadbalancer listener set --insert-headers X-Forwarded-Host=true <listener-id>

Then the expected behavior would be XFH be replaced by HOST?

Once I have prepared the draft, could I ask you to review it? This would ensure that all technical aspects are covered accurately and align with the implementation. Thank you very much!

[m-kratochvil]

hey @ZhichaoTJ, yes, the feature is implemented as an "Insert Header" (--insert_haeaders) option of a listener and applied as you mentioned (or during creation of new listener). Once set, it overwrites an existing value of X-Forwarded-Host header with value of Host header.

[m-kratochvil]

This PR will be reverted, as the insert_headers option does not support XFH upstream. I will re-introduce XFH as ESD.