In OpenShift 4.6, I have deployed an app that exposes an nginx service. When using http, I can see an IP in the nginx logs for the field $http_x_forwarded_for. Whenever I switch to https, the $http_x_forwarded_for header is missing (-).
The route config for http:
    spec:
      host: <my.host.com>
      to:
        kind: Service
        name: my-nginx
        weight: 100
      port:
        targetPort: 80-tcp
      wildcardPolicy: None
The route config for https:
    spec:
      host: <my.host.com>
      to:
        kind: Service
        name: my-nginx
        weight: 100
      port:
        targetPort: 443-tcp
      tls:
        termination: passthrough
      wildcardPolicy: None
Is there a way I can preserve the http headers for https requests?
2 Answers
Yes, since v4.6 you should be able to do that. Doc here.
For this you have to configure the ingress controller operator with the httpHeaders.forwardedHeaderPolicy parameter.
However, you use a route of type "passthrough". As HAProxy does not "touch" or modify the request in any way (i.e. decrypt and/or re-encrypt) and routes it "as-is" to the endpoint, no "x-forwarded-for" is added or modified.
It works with a route of kind "edge" or "reencrypt", depending on the parameter set on the ingress controller.
So, if in "passthrough" mode your app does not receive the "x-forwarded-for" header, it's because there is no such header on the request. Either your browser is directly hitting the OCP ingress controller (i.e. HAProxy) or your load balancer in front of OCP does not set this header.

Not in passthrough mode, you can't!
Passthrough means the TLS traffic is not decrypted, so there is no chance the ingress controller (haproxy) is able to add or modify a header field.
Request forwarding is instead done on layer-4 (tcp) only.
You need to switch to edge or reencrypt termination mode for this to work.
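
Both answers point to the same change, shown here as an added example that is not part of either answer or of the asker's configuration: the ingress controller's forwardedHeaderPolicy plus the route switched from passthrough to edge. The route name, the default IngressController, and the chosen policy values are assumptions.

```yaml
# Added example. Assumed: route name "my-nginx", the "default"
# IngressController, and the policy values picked below.
---
# Cluster-wide default for how the router treats Forwarded / X-Forwarded-*
# headers on edge and reencrypt routes.
# Valid values: Append (default), Replace, IfNone, Never.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  httpHeaders:
    forwardedHeaderPolicy: Append
---
# Edge route: the router terminates TLS, so it can read and set HTTP headers.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: my-nginx                 # assumed name
  annotations:
    # Optional per-route override: append | replace | if-none | never.
    # "replace" discards any X-Forwarded-For sent by the client, so the value
    # nginx logs is the address the router saw, not a client-supplied string.
    haproxy.router.openshift.io/set-forwarded-headers: replace
spec:
  host: <my.host.com>
  to:
    kind: Service
    name: my-nginx
    weight: 100
  port:
    targetPort: 80-tcp           # router-to-pod hop is plain HTTP with edge
  tls:
    termination: edge            # was: passthrough
  wildcardPolicy: None
```

If a trusted load balancer in front of the router already sets X-Forwarded-For, replace would drop that value; append keeps it and adds the router's view of the peer address. With reencrypt instead of edge, targetPort stays 443-tcp and the router must trust the pod's certificate.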