gematik / app-tiger

Testframework to facilitate quick, powerful, portable and reliable test suites. Can be used with Gherkin and supports Screenplay-pattern, Zero-line testsuites, testing anytime, anywhere. The embedded Tiger Proxy can intercept and parse traffic. The Testenvironment Manager can build test setups from JARs, Dockers, Kubernetes and External Urls.

License: Other

Java 90.53% CSS 0.68% JavaScript 1.93% HTML 0.65% Gherkin 0.79% Lua 0.11% Vue 2.67% TypeScript 1.85% FreeMarker 0.77% Shell 0.02%
testing-tools tiger


app-tiger's Issues

Proxy port offers HTTP/2, but doesn't support it

Tiger 3.0.1 offers HTTP/2 in ALPN during TLS handshake, but then fails if the client sends an HTTP/2 request. 2.3.2 works. If Tiger isn't meant to support HTTP/2 that's fine, but then it shouldn't be offered in ALPN.

Reproducer

Start the Tiger proxy. No config needed, I'm just setting the proxy port so I don't need to look it up in the log.

$ java -jar tiger-standalone-proxy-3.0.1.jar --tigerProxy.proxyPort=9090

Connect to the proxy port over HTTPS. The actual URL doesn't matter, the bug occurs before any proxying would. I first encountered it with a URL for which the Tiger instance was configured as a reverse proxy.

$ curl -v --insecure https://localhost:9090/test
*   Trying 127.0.0.1:9090...
* Connected to localhost (127.0.0.1) port 9090 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=localhost; O=Gematik; L=Berlin; ST=Berlin; C=DE
*  start date: Mar 12 12:03:26 2024 GMT
*  expire date: Apr 13 12:03:26 2025 GMT
*  issuer: CN=Tiger-Proxy; O=Gematik; L=Berlin; ST=Berlin; C=DE
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /test]
* h2h3 [:scheme: https]
* h2h3 [:authority: localhost:9090]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55974ab24c80)
> GET /test HTTP/2
> Host: localhost:9090
> user-agent: curl/7.88.1
> accept: */*
> 
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

Result in the Tiger log:

2024-03-22T13:03:34.793+01:00  INFO 44365 --- [orkerEventLoop3] o.b.jsse.provider.ProvTlsServer          : [server #2 @659d483e] accepting connection from (unknown):(unknown)
2024-03-22T13:03:34.797+01:00  INFO 44365 --- [orkerEventLoop3] o.b.jsse.provider.ProvTlsServer          : [server #2 @659d483e] established connection with (unknown):(unknown)
2024-03-22T13:03:34.798+01:00  INFO 44365 --- [orkerEventLoop3] d.g.t.t.m.netty.proxy.BinaryHandler      : received binary request: 505249202a20485454502f322e300d0a0d0a534d0d0a0d0a00001204000000000000030000006400040200000000020000000000000408000000000001ff0001
2024-03-22T13:03:34.798+01:00  INFO 44365 --- [orkerEventLoop3] d.g.t.t.m.netty.proxy.BinaryHandler      : unknown message format, only HTTP requests are supported for mocking or HTTP & binary requests for proxying, but request is not being proxied and request is not valid HTTP, found request in binary: 505249202a20485454502f322e300d0a0d0a534d0d0a0d0a00001204000000000000030000006400040200000000020000000000000408000000000001ff0001 in utf8 text: PRI * HTTP/2.0

SM

�
2024-03-22T13:03:34.799+01:00  INFO 44365 --- [orkerEventLoop3] o.b.jsse.provider.ProvTlsServer          : [server #2 @659d483e] disconnected from (unknown):(unknown)

Workaround

Force the client to use HTTP/1.1 only (for curl: --http1.1 option).
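
Added example (not part of the original issue and not Tiger's own code): decoding the bytes that `BinaryHandler` logged above shows they are the HTTP/2 client connection preface followed by a SETTINGS and a WINDOW_UPDATE frame, which is what a client sends once ALPN has selected `h2`. The function and table names are chosen for this example; the hex string is copied from the log line in the issue.

```python
"""Decode a logged 'binary request' as HTTP/2 client preface + frames (RFC 9113)."""

# Hex copied from the BinaryHandler log line quoted in the issue.
LOGGED_HEX = (
    "505249202a20485454502f322e300d0a0d0a534d0d0a0d0a"
    "00001204000000000000030000006400040200000000020000000000000408000000000001ff0001"
)

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 9113, section 3.4
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x8: "WINDOW_UPDATE"}
SETTINGS_IDS = {
    0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH", 0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE",
}


def decode_payload(ftype: int, payload: bytes) -> dict:
    """Decode the two frame types a client sends right after the preface."""
    if ftype == 0x4:  # SETTINGS: sequence of (16-bit id, 32-bit value) pairs
        fields = {}
        for off in range(0, len(payload) - 5, 6):
            ident = int.from_bytes(payload[off:off + 2], "big")
            value = int.from_bytes(payload[off + 2:off + 6], "big")
            fields[SETTINGS_IDS.get(ident, hex(ident))] = value
        return fields
    if ftype == 0x8 and len(payload) == 4:  # WINDOW_UPDATE: 31-bit increment
        return {"increment": int.from_bytes(payload, "big") & 0x7FFFFFFF}
    return {"raw": payload.hex()}


def parse_h2_client_bytes(data: bytes):
    """Return (is_http2, frames). is_http2 is False if the preface is missing."""
    if not data.startswith(H2_PREFACE):
        return False, []
    frames, pos = [], len(H2_PREFACE)
    while pos + 9 <= len(data):  # every frame starts with a 9-byte header
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:  # capture ends mid-frame: stop cleanly
            break
        frames.append({"type": FRAME_TYPES.get(ftype, hex(ftype)), "flags": flags,
                       "stream": stream, "fields": decode_payload(ftype, payload)})
        pos += 9 + length
    return True, frames


if __name__ == "__main__":
    is_h2, parsed = parse_h2_client_bytes(bytes.fromhex(LOGGED_HEX))
    print("HTTP/2 preface present:", is_h2)
    for frame in parsed:
        print(frame)
```

A request that fails this preface check but arrives on a connection where ALPN selected `h2` would point to a different problem than the one reported here.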

RBEL failed: The given URL is invalid.

Since upgrading tiger-standalone-proxy from version 0.15.0 to 0.18.1 I've been getting the following errors

ERROR 1 --- [ver-Scheduler13] d.g.t.tiger.proxy.ForwardProxyCallback   : RBel FAILED!

de.gematik.rbellogger.exceptions.RbelConversionException: The given URL is invalid. Please check your configuration.
	at de.gematik.rbellogger.data.RbelHostname.checkIfUrlIsValid(RbelHostname.java:104) ~[rbellogger-0.22.0.jar!/:na]
	at de.gematik.rbellogger.data.RbelHostname.generateFromUrl(RbelHostname.java:83) ~[rbellogger-0.22.0.jar!/:na]
	at de.gematik.test.tiger.proxy.MockServerToRbelConverter.convertUri(MockServerToRbelConverter.java:69) ~[tiger-proxy-0.18.1.jar!/:na]
	at de.gematik.test.tiger.proxy.MockServerToRbelConverter.convertRequest(MockServerToRbelConverter.java:53) ~[tiger-proxy-0.18.1.jar!/:na]
	at de.gematik.test.tiger.proxy.ForwardProxyCallback.handleResponse(ForwardProxyCallback.java:56) ~[tiger-proxy-0.18.1.jar!/:na]
	at de.gematik.test.tiger.proxy.AbstractTigerRouteCallback.handle(AbstractTigerRouteCallback.java:114) ~[tiger-proxy-0.18.1.jar!/:na]
	at org.mockserver.mock.action.http.HttpForwardObjectCallbackActionHandler.lambda$handleLocally$0(HttpForwardObjectCallbackActionHandler.java:70) ~[mockserver-core-5.11.9.jar!/:5.11.9]
	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859) ~[na:na]
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837) ~[na:na]
	at java.base/java.util.concurrent.CompletableFuture$Completion.run(CompletableFuture.java:478) ~[na:na]
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[na:na]
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]

I haven't changed any configurations and it was working perfectly prior to the upgrade.

The configuration itself is very basic and I could not find any hints in the release notes regarding needed migrations:

server.port: 8001
tiger-proxy:
  port: 8000
  proxyRoutes:
    - id: route1
      from: "http://route.to.service:8000"
      to: "http://forwardserivce:8000"
      disableRbelLogging: false
  activateRbelEndpoint: true
  keyFolders:
    - "/default-keyfiles/"

Build of tiger-test-lib fails in TestTigerDirector

I am trying to build the tiger, but currently fail in TestTigerDirector with a certificate issue?

`07:34:20.976 [main] WARN de.gematik.test.tiger.lib.TigerDirector - ABORTING initialisation as environment variable TIGER_ACTIVE is not set to '1'
[ERROR] Tests run: 3, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 7.605 s <<< FAILURE! - in de.gematik.test.tiger.lib.TestTigerDirector
[ERROR] de.gematik.test.tiger.lib.TestTigerDirector.testDirectorSimpleIdp Time elapsed: 7.593 s <<< ERROR!
de.gematik.test.tiger.testenvmgr.TigerTestEnvException: Unable to pull image gstopdr1.top.local/idp/idp-server:17.0.0-38!
at de.gematik.test.tiger.lib.TestTigerDirector.testDirectorSimpleIdp(TestTigerDirector.java:53)
Caused by: com.github.dockerjava.api.exception.InternalServerErrorException:
Status 500: {"message":"Get https://gstopdr1.top.local/v2/: x509: certificate signed by unknown authority"}

[INFO]
[INFO] Results:
[INFO]
[ERROR] Errors:
[ERROR] TestTigerDirector.testDirectorSimpleIdp:53 » TigerTestEnv Unable to pull image...
[INFO]
[ERROR] Tests run: 44, Failures: 0, Errors: 1, Skipped: 0
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for app-Tiger 0.5.0:
[INFO]
[INFO] app-Tiger .......................................... SUCCESS [ 3.608 s]
[INFO] tiger-common ....................................... SUCCESS [ 22.810 s]
[INFO] tiger-proxy ........................................ SUCCESS [01:18 min]
[INFO] tiger-standalone-proxy ............................. SUCCESS [ 53.001 s]
[INFO] tiger-testenv-mgr .................................. SUCCESS [03:07 min]
[INFO] tiger-test-lib ..................................... FAILURE [ 35.663 s]
[INFO] tiger-aforeporter-plugin ........................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 06:21 min
[INFO] Finished at: 2021-07-07T07:34:21+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5:test (default-test) on project tiger-test-lib: There are test failures.
[ERROR]
[ERROR] Please refer to C:\Dev\projects\epa\app-Tiger\tiger-test-lib\target\surefire-reports for the individual test results.
[ERROR] Please refer to dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn -rf :tiger-test-lib`

Infinite loop on request for unconfigured location

If Tiger gets a non-proxy request for a path it doesn't have a reverse proxy route (or other configuration) for, it goes into an infinite loop trying to handle the request. It does not close the connection, and the infinite loop continues if the client closes it, endlessly consuming resources and filling the log.

This allows for effective denial of service attacks on standalone instances, including unintentionally (e.g. from a typo in a test case). The reason I'm writing this as an issue here (and not via the security process) is that Tiger should be used only for test systems.

Found in 3.0.1 and 2.3.2, I haven't checked other versions. The log excerpt below is from 3.0.1.

Expected behavior

I'd expect Tiger to return a 404 error when a client requests a URL that isn't available.

Reproducer

Start the Tiger proxy. No config needed, I'm just setting the proxy port so I don't need to look it up in the log.

$ java -jar tiger-standalone-proxy-3.0.1.jar --tigerProxy.proxyPort=9090

Make a request to the proxy port with a path where Tiger doesn't have a proxy route (or other configured response).

$ curl -v --insecure --http1.1 https://localhost:9090/test/doesnotexist
*   Trying 127.0.0.1:9090...
* Connected to localhost (127.0.0.1) port 9090 (#0)
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=localhost; O=Gematik; L=Berlin; ST=Berlin; C=DE
*  start date: Mar 29 17:28:59 2024 GMT
*  expire date: Apr 30 16:28:59 2025 GMT
*  issuer: CN=Tiger-Proxy; O=Gematik; L=Berlin; ST=Berlin; C=DE
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.1
> GET /test/doesnotexist HTTP/1.1
> Host: localhost:9090
> User-Agent: curl/7.88.1
> Accept: */*
> 
^C

Result in the Tiger log (repeated infinitely):

2024-04-08T18:27:32.300+02:00  INFO 12977 --- [orkerEventLoop4] o.b.jsse.provider.ProvTlsServer          : [server #127 @6e8e74a1] accepting connection from (unknown):(unknown)
2024-04-08T18:27:32.305+02:00  INFO 12977 --- [orkerEventLoop4] o.b.jsse.provider.ProvTlsServer          : [server #127 @6e8e74a1] established connection with (unknown):(unknown)
2024-04-08T18:27:32.307+02:00  INFO 12977 --- [orkerEventLoop4] d.g.t.t.p.h.AbstractTigerRouteCallback   : Received HTTPS GET /test/doesnotexist User-Agent: 'curl/7.88.1' Request-Length: 0 bytes => localhost:9090

With HTTP instead of HTTPS the TLS provider lines are absent naturally, but the general behavior is the same.

Running a Standalone tiger Proxy not possible

From the documentation (https://github.com/gematik/app-Tiger/tree/master/tiger-standalone-proxy) it is currently not quite clear how to create a running proxy. I tried several approaches:

I tried the following approaches after a mvn clean install

  1. Using docker build . , since the application folder contains a Dockerfile.
    Docker build was successful, but the produced image failed to start with Error: Unable to access jarfile tiger-proxy.jar

  2. As a standalone application using simple java -jar .\target\tiger-standalone-proxy-0.5.0.jar
    this just produces no main manifest attribute, in .\target\tiger-standalone-proxy-0.5.0.jar

  3. Run a standalone application with the application name java -cp .\target\tiger-standalone-proxy-0.5.0.jar de.gematik.test.tiger.proxy.TigerStandaloneProxyApplication
    This just produces Error: Unable to initialize main class de.gematik.test.tiger.proxy.TigerStandaloneProxyApplication Caused by: java.lang.NoClassDefFoundError: de/gematik/test/tiger/proxy/TigerProxy

  4. Using spring boot mvn spring-boot:image-build and afterwards a docker run --rm -p 6666:6666 --env ROUTES="http://not.a.real.server;http://google.com" docker.io/library/tiger-standalone-proxy:0.5.0
    Now the image starts, but when trying to use the curl example the connection is simply aborted:
    `$ curl https://gog --proxy localhost:6666 -vv --insecure
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying ::1:6666...
    * TCP_NODELAY set
    * Connected to localhost (::1) port 6666 (#0)
    * allocate connect buffer!
    * Establish HTTP proxy tunnel to gog:443
    > CONNECT gog:443 HTTP/1.1
    > Host: gog:443
    > User-Agent: curl/7.68.0
    > Proxy-Connection: Keep-Alive
    >
    * Proxy CONNECT aborted
    * CONNECT phase completed!
    * Closing connection 0
    curl: (56) Proxy CONNECT aborted
    `

and the container logs:
`
....
2021-07-07 06:27:28.337 INFO 1 --- [ main] o.s.b.a.ApplicationAvailabilityBean : Application availability state ReadinessState changed to ACCEPTING_TRAFFIC

2021-07-07 06:28:26.871 INFO 1 --- [MessageBroker-1] o.s.w.s.c.WebSocketMessageBrokerStats : WebSocketSession[0 current WS(0)-HttpStream(0)-HttpPoll(0), 0 total, 0 closed abnormally (0 connect failure, 0 send limit, 0 transport error)], stompSubProtocol[processed CONNECT(0)-CONNECTED(0)-DISCONNECT(0)], stompBrokerRelay[null], inboundChannel[pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0], outboundChannel[pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0], sockJsScheduler[pool size = 1, active threads = 1, queued tasks = 0, completed tasks = 0]
`

Also loading the log page http://localhost:6666/rbel does not display anything in the browser.

Can you please provide some guidance on what might be wrong?
