Posted to issues@lucene.apache.org by "Munendra S N (Jira)" <ji...@apache.org> on 2020/09/28 14:04:00 UTC

[jira] [Commented] (SOLR-14898) Proxied/Forwarded requests to other nodes wind up getting duplicate response headers

    [ https://issues.apache.org/jira/browse/SOLR-14898?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17203249#comment-17203249 ] 

Munendra S N commented on SOLR-14898:
-------------------------------------

When a request is received by any node, security headers are set in the response by Jetty's RewriteHandler. When there is no local core, the request is forwarded/proxied to the node with the core and the returned response is sent back to the user. Here, all the response headers from the proxy request are [*added*|https://github.com/apache/lucene-solr/blob/c3f97fbdc11cf29e17a4e715981108dda7ba3aea/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L731] to the original response.

addHeader could be replaced by setHeader, so that the defaults are overwritten by the headers in the response (which is the actual response we return to the user).
Another approach is to add a new filter to set the security headers instead of the RewriteHandler, but we will still have the problem (again, we might need a contains check or replace it with setHeader).

Let me know which approach looks better; I will attach a patch after that.

> Proxied/Forwarded requests to other nodes wind up getting duplicate response headers
> ------------------------------------------------------------------------------------
>
>                 Key: SOLR-14898
>                 URL: https://issues.apache.org/jira/browse/SOLR-14898
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Chris M. Hostetter
>            Priority: Major
>
> When Solr receives a request for a collection not hosted on the current node, HttpSolrCall forwards/proxies that request - but the final response for the client can include duplicate response headers - one header from the remote node that ultimately handled the request, and a second copy of the header added by the current node...
> {noformat}
> # create a simple 2 node cluster...
> $ ./bin/solr -e cloud -noprompt
> # ...
> $ curl 'http://localhost:8983/solr/admin/collections?action=CREATE&name=solo&numShards=1&nrtReplicas=1'
> # ...
> # node 8983 is the node currently hosting the only replica of the 'solo' collection, and responds to requests directly...
> #
> $ curl -S -s -D - -o /dev/null http://localhost:8983/solr/solo/select
> HTTP/1.1 200 OK
> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';
> X-Content-Type-Options: nosniff
> X-Frame-Options: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
> Content-Type: application/json;charset=utf-8
> Content-Length: 169
> # node 7574 does not host a replica, and forwards requests for it to 8983
> # the response the client gets from 7574 has several security related headers duplicated...
> #
> $ curl -S -s -D - -o /dev/null http://localhost:7574/solr/solo/select
> HTTP/1.1 200 OK
> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';
> X-Content-Type-Options: nosniff
> X-Frame-Options: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';
> X-Content-Type-Options: nosniff
> X-Frame-Options: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
> Content-Type: application/json;charset=utf-8
> Content-Length: 197
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
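The header-merge behaviour discussed in the comment above, as an added example that is not Solr's own code: it models the three strategies a forwarding node could use when copying the remote node's headers onto a response that already carries the local RewriteHandler defaults (append, as javax.servlet's addHeader does and HttpSolrCall does today; replace-all-values, as setHeader does; and a "contains check" that drops the local defaults only the first time a name arrives from the remote), and it parses a raw `curl -D -` header dump to flag header lines that appear twice. The function names (`merge_headers`, `duplicated_headers`, `parse_header_dump`), the `replace_defaults` mode and the Set-Cookie values are illustrative assumptions; the security-header values and the dump are built from the issue description.

```python
from collections import Counter

CSP = ("default-src 'none'; base-uri 'none'; connect-src 'self'; "
       "form-action 'self'; frame-ancestors 'none'; script-src 'self'")

# Headers the local node's RewriteHandler puts on every response before the
# proxied response comes back (values taken from the issue description).
LOCAL_DEFAULTS = [
    ("Content-Security-Policy", CSP),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
]

# Constructed response from the remote node: the same security headers, the
# content headers, and a multi-valued header (assumed) to expose the
# setHeader caveat.
REMOTE_HEADERS = LOCAL_DEFAULTS + [
    ("Content-Type", "application/json;charset=utf-8"),
    ("Content-Length", "169"),
    ("Set-Cookie", "a=1"),
    ("Set-Cookie", "b=2"),
]


def merge_headers(local, remote, mode):
    """Copy remote headers onto a response that already holds `local`.

    mode == "add":  append every remote header (addHeader semantics; the
                    behaviour reported in the issue).
    mode == "set":  drop every existing value for the name, then append
                    (setHeader semantics); a second remote value for the same
                    name therefore replaces the first.
    mode == "replace_defaults": drop existing values only the first time a
                    name is seen from the remote, so remote multi-valued
                    headers survive (the "contains check" idea, assumed).
    """
    merged = list(local)
    seen = set()
    for name, value in remote:
        key = name.lower()
        if mode == "add":
            pass
        elif mode == "set" or (mode == "replace_defaults" and key not in seen):
            merged = [(n, v) for n, v in merged if n.lower() != key]
        elif mode != "replace_defaults":
            raise ValueError("unknown mode: %r" % mode)
        seen.add(key)
        merged.append((name, value))
    return merged


def values(headers, name):
    """All values carried for a header name, case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def duplicated_headers(headers):
    """Names whose exact (name, value) line occurs more than once: the
    symptom from the issue, as opposed to legitimately multi-valued headers."""
    counts = Counter((n.lower(), v) for n, v in headers)
    return sorted({n for (n, _), c in counts.items() if c > 1})


def parse_header_dump(text):
    """Parse `curl -D -` style output: a status line followed by Name: value."""
    out = []
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            out.append((name.strip(), value.strip()))
    return out


# Constructed dump in the shape of the forwarding node's response in the issue.
SAMPLE_DUMP = f"""HTTP/1.1 200 OK
Content-Security-Policy: {CSP}
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: {CSP}
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: application/json;charset=utf-8
Content-Length: 197
"""

if __name__ == "__main__":
    for mode in ("add", "set", "replace_defaults"):
        merged = merge_headers(LOCAL_DEFAULTS, REMOTE_HEADERS, mode)
        print(mode, "duplicates:", duplicated_headers(merged),
              "Set-Cookie:", values(merged, "Set-Cookie"))
    print("dump duplicates:", duplicated_headers(parse_header_dump(SAMPLE_DUMP)))
```

In "add" mode the four security headers come out twice, matching the curl output in the issue; in "set" mode they are not duplicated, but a header the remote sends with several values (Set-Cookie here) is collapsed to its last value, which is the trade-off to weigh before swapping addHeader for setHeader wholesale. The "replace_defaults" mode keeps both properties, at the cost of tracking which names have already arrived from the remote.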
