Too many redirects

[vpavlin]

Proxy often gets into redirect loop which results in too many redirects error - after showing this error, browser redirects to the Jenkins successfully.

The issue probably lies in how we work with cookies and generally verify if user is logged in

[hferentschik]

@vpavlin do you have any hunch on this?

[vpavlin]

It's gonna be connected to how we deal with cookies, but no, not yet...looking in to it now

[vpavlin]

Blocked by #174 - cannot be properly debuged at the moment

[hferentschik]

I think the whole problem is also browser related. It seems in particular Chrome where this error comes up. I don't think I have seen it in another browser yet.

[kishansagathiya]

I also faced this today

[yzainee-zz]

I am facing this problem since yesterday.

[kishansagathiya]

I think the whole problem is also browser related. It seems in particular Chrome where this error comes up. I don't think I have seen it in another browser yet.

Saw this even in firefox

[kishansagathiya]

got this

2018/04/06 13:18:35 http: multiple response.WriteHeader calls

I think it is a problem with implementation. It keeps redirecting to auth even if logged in. Should be fixable. Don't think it is intermittent anymore. I see it everytime these days.

[kishansagathiya]

Doesn't seems to create any problems on prod. So this can be done later

[kishansagathiya]

Ok. I see this happening even on prod and it is quite frequent

[kishansagathiya]

After #250 this issue is not seen. I will still hang to this for a while before closing this

[kishansagathiya]

Saw this on my local machine

This might be the reason

{"component":"proxy","level":"info","msg":"Could not find cache, redirecting to re-login","ns":"","request-hash":2960151885,"time":"2018-05-02T16:52:39+05:30"}

[concaf]

@sthaha @kishansagathiya - So this is all 🍪 magic!

There are 2 facets to this problem.

1. The localhost problem!

The whole cookie story is messed up for localhost. Even though the cookies are set for localhost, they are not being sent with the requests to localhost.

So, even though cookies are set at

fabric8-jenkins-proxy/internal/proxy/proxy.go

Line 275 in f86d376

http.SetCookie(w, cookie)

, no cookie is found at

fabric8-jenkins-proxy/internal/proxy/proxy.go

Line 293 in f86d376

if len(r.Cookies()) > 0 { //Check cookies and proxy cache to find user info

and this directly redirects to auth because needsAuth remains true and

fabric8-jenkins-proxy/internal/proxy/proxy.go

Lines 377 to 381 in f86d376

	if needsAuth {
	redirAuth := GetAuthURI(p.authURL, redirectURL.String())
	requestLogEntry.Infof("Redirecting to auth: %s", redirAuth)
	http.Redirect(w, r, redirAuth, http.StatusTemporaryRedirect)
	}

yet again, we go in circles.

To fix this, we need to make 2 changes.

• redirect requests to some other host except localhost that ends in openshift.io (this matters to auth), e.g. local.openshift.io
  This can be done by adding a line to /etc/hosts that looks like
  127.0.0.1 local.openshift.io

Once this is fixed, you will encounter the next problem. Read on 🤷‍♂️

2. The https:// problem

The cookies will now be set for local.openshift.io, but... your browser will not set all the cookies because the cookies are marked to be only set for secure connections, but do you have a secure connection on your localhost? Well, no! So no cookie, including the session cookie JSESSIONID is set in your browser, which makes this code to not execute

fabric8-jenkins-proxy/internal/proxy/proxy.go

Lines 299 to 308 in f86d376

	if strings.HasPrefix(cookie.Name, SessionCookie) { //We found a session cookie in cache
	cacheKey = cookie.Value
	pci := cacheVal.(CacheItem)
	r.Host = pci.Route //Configure proxy upstream
	r.URL.Host = pci.Route
	r.URL.Scheme = pci.Scheme
	ns = pci.NS
	needsAuth = false //user is probably logged in, do not redirect
	noProxy = false
	break

, which means cacheKey remains empty and we get

fabric8-jenkins-proxy/internal/proxy/proxy.go

Lines 369 to 371 in f86d376

	if len(cacheKey) == 0 { //If we do not have user's info cached, run through login process to get it
	requestLogEntry.WithField("ns", ns).Info("Could not find cache, redirecting to re-login")
	} else {

in the logs followed by redirection to auth

fabric8-jenkins-proxy/internal/proxy/proxy.go

Lines 377 to 381 in f86d376

	if needsAuth {
	redirAuth := GetAuthURI(p.authURL, redirectURL.String())
	requestLogEntry.Infof("Redirecting to auth: %s", redirAuth)
	http.Redirect(w, r, redirAuth, http.StatusTemporaryRedirect)
	}

And hence we go in circles!

This second problem was staring us in the face with #174, but 🤷‍♂️!

---

The fix for local development definitely lies in generating local certificates, or something of the like. But will this fix the too many redirects in prod preview, and prod, only time will tell!

[vpavlin]

What you describe makes perfect sense for local development, but does not at all explain the stage/prod issue as none of 2 causes you mentioned are present when running in prod/prev clusters. Also, during debugging this, I saw that cookies seemed to be set properly. I still think this is connected to how proxy handles cookies, but I am pretty sure neither https:// nor localhost.openshift.io on localhos will solve this issue:)