clemens

Reputation: 6813

x-forwarded-for headers lost when changing openshift route from http to https

In Openshift 4.6, I have deployed an app that exposes an nginx service. When using http, I can see an IP in the nginx logs for the field $http_x_forwarded_for. Whenever I switch to https, the $http_x_forwarded_for header is missing (-).

The route config for http:

spec:
  host: <my.host.com>
  to:
    kind: Service
    name: my-nginx
    weight: 100
  port:
    targetPort: 80-tcp
  wildcardPolicy: None

The route config for https:

spec:
  host: <my.host.com>
  to:
    kind: Service
    name: my-nginx
    weight: 100
  port:
    targetPort: 443-tcp
  tls:
    termination: passthrough
  wildcardPolicy: None

Is there a way I can preserve the http headers for https requests?

Upvotes: 2

Views: 5569

Answers (2)

thikade

Reputation: 420

Not in passthrough mode, you can't!
Passthrough means the TLS traffic is not decrypted, so there is no chance the ingress controller (haproxy) is able to add or modify a header field. Request forwarding is instead done on layer-4 (tcp) only.
You need to switch to edge or reencrypt termination mode for this to work.

Upvotes: 3

titou10

Reputation: 2977

Yes since v4.6 you should be able to do that. Doc here

For this you have to configure the ingress controller operator with the httpHeaders.forwardedHeaderPolicy parameter

However, as you use a route of type "passthrough", HAProxy does not "touch" or modify the request in any way (i.e. decrypt and/or reencrypt) and routes it "as-is" to the endpoint, so no "x-forwarded-for" is added or modified.

It works with a route of kind "edge" or "reencrypt", depending on the parameter set on the ingress controller.

So, if in "passthrough" mode your app does not receive the "x-forwarded-for" header, it's because there is no such header on the request. Either your browser is directly hitting the OCP ingress controller (i.e. HAProxy) or your load balancer in front of OCP does not set this header.

Upvotes: 1
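
Added example, not part of either answer above: the question's HTTPS route switched from passthrough to reencrypt termination, together with the httpHeaders.forwardedHeaderPolicy setting on the ingress controller that the second answer mentions. The route name, the choice of the default IngressController and the CA certificate placeholder are assumptions.

```yaml
# Route: the router (HAProxy) terminates the client TLS session, so it can
# add X-Forwarded-For, then opens a new TLS session to nginx on 443.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: my-nginx                 # assumed route name
spec:
  host: <my.host.com>
  to:
    kind: Service
    name: my-nginx
    weight: 100
  port:
    targetPort: 443-tcp
  tls:
    termination: reencrypt       # was: passthrough (layer-4 only, no headers)
    # CA that signed the certificate nginx presents on 443 (placeholder).
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      <PEM of the backend CA>
      -----END CERTIFICATE-----
  wildcardPolicy: None
---
# Controller-wide policy for Forwarded / X-Forwarded-* headers.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default                  # assumed: the default ingress controller
  namespace: openshift-ingress-operator
spec:
  httpHeaders:
    # Append  - keep any header already on the request, add the client address
    # Replace - discard what the client sent, set the header from scratch
    # IfNone  - set the header only when the request has none
    # Never   - never set it; pass through whatever the request carries
    forwardedHeaderPolicy: Append
```

With Append, an X-Forwarded-For value sent by the client is kept ahead of the address the router adds, so the backend should trust only the router-appended entry; Replace drops the client-supplied value.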
