
In OpenShift 4.6, I have deployed an app that exposes an nginx service. When using http, I can see an IP in the nginx logs for the field $http_x_forwarded_for. Whenever I switch to https, the $http_x_forwarded_for header is missing (-).

The route config for http:

spec:
  host: <my.host.com>
  to:
    kind: Service
    name: my-nginx
    weight: 100
  port:
    targetPort: 80-tcp
  wildcardPolicy: None

The route config for https:

spec:
  host: <my.host.com>
  to:
    kind: Service
    name: my-nginx
    weight: 100
  port:
    targetPort: 443-tcp
  tls:
    termination: passthrough
  wildcardPolicy: None

Is there a way I can preserve the http headers for https requests?

2 Answers


  1. Yes, since v4.6 you should be able to do that. Doc here

    For this you have to configure the ingress controller operator with the httpHeaders.forwardedHeaderPolicy parameter.

    However, you use a route of type "passthrough". As HAProxy does not "touch" or modify the request in any way (i.e. decrypt and/or reencrypt) and routes it "as-is" to the endpoint, no "x-forwarded-for" is added or modified.

    It works with a route of kind "edge" or "reencrypt", depending on the parameter set on the ingress controller.

    So, if in "passthrough" mode your app does not receive the "x-forwarded-for" header, it's because there is no such header on the request. Either your browser is directly hitting the OCP ingress controller (i.e. HAProxy) or your load balancer in front of OCP does not set this header.

  2. Not in passthrough mode, you can’t!
    Passthrough means the TLS traffic is not decrypted, so there is no chance the ingress controller (haproxy) is able to add or modify a header field.
    Request forwarding is instead done on layer-4 (tcp) only.
    You need to switch to edge or reencrypt termination mode for this to work.

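An added example, not part of either answer above: the question's https route switched from passthrough to reencrypt termination, together with the ingress controller setting the first answer names. The `default` controller in the `openshift-ingress-operator` namespace, the `Append` value and the route's `metadata.name` are assumptions, not values from the question.

```yaml
# Ingress controller: policy for Forwarded / X-Forwarded-* headers.
# Assumption: the cluster's default controller is the one serving the route.
# The policy only affects routes where the router handles HTTP
# (edge, reencrypt, plain http), never passthrough.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  httpHeaders:
    # Append  - keep headers already on the request and append the router's
    # Replace - drop headers already on the request, set the router's own
    # IfNone  - set the headers only when the request has none
    # Never   - never set them, pass existing ones through
    # With Append, values supplied by the client stay in the header, so the
    # backend should trust only the entry added by the router.
    forwardedHeaderPolicy: Append
---
# Route: same host, service and port as the question's https route, but TLS
# is terminated at the router and re-established to nginx, so the router
# sees the HTTP request and can set X-Forwarded-For.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: my-nginx            # assumed route name
spec:
  host: <my.host.com>
  to:
    kind: Service
    name: my-nginx
    weight: 100
  port:
    targetPort: 443-tcp
  tls:
    termination: reencrypt  # was: passthrough
    # The router validates the certificate nginx presents; set
    # destinationCACertificate here when it is signed by a private CA.
  wildcardPolicy: None
```

With reencrypt the router holds the certificate the client sees, so the key and certificate previously served only by nginx must also be available to the route (or the router's default certificate is used).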