Bug 1395326

Summary: Kibana Fails Behind F-5 Loadbalancer with X-Forwarded-For enabled
Product: OpenShift Container Platform Reporter: Steven Walter <stwalter>
Component: LoggingAssignee: ewolinet
Status: CLOSED NEXTRELEASE QA Contact: Xia Zhao <xiazhao>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.3.0CC: aos-bugs, ewolinet, pportant, pweil, stwalter
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1401688 (view as bug list) Environment:
Last Closed: 2017-01-03 20:56:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1401688    

Description Steven Walter 2016-11-15 16:49:09 UTC 
Description of problem:
When application Kibana is behind a F5 big ip with parameter 'X-Forwarded-For = enabled', kibana fails trying to connect to elasticsearch


Version-Release number of selected component (if applicable):
3.3.0

How reproducible:
Unconfirmed

Steps to Reproduce:
1. Set up OpenShift cluster using F-5 as internal loadbalancer
2. Set up logging cluster

Actual results:

Kibana: Unknown error while connecting to Elasticsearch

Error: Unknown error while connecting to Elasticsearch
Error: UnknownHostException[No trusted proxies]


Expected results:

Logging cluster to work
Comment 14 ewolinet 2017-01-03 20:56:11 UTC 
Troubleshooting section added to logging installation regarding resolving this issue. Verified in https://bugzilla.redhat.com/show_bug.cgi?id=1401688
Comment 15 Peter Portante 2017-03-29 19:22:22 UTC 
Could we have used 'searchguard.dynamic.http.xff.enabled: false' instead?

See https://github.com/floragunncom/search-guard-docs/blob/master/proxy.md.
Comment 16 ewolinet 2017-03-29 21:06:26 UTC 
@Peter IIRC, unfortunately we needed to have it set to 'true' as part of picking up user information from the proxy header.

https://github.com/openshift/origin-aggregated-logging/blob/master/elasticsearch/sgconfig/sg_config.yml