Bug 1410157
| Summary: | [3.3] HTTP_X_FORWARDED_FOR incorrect in V3 | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Scott Dodson <sdodson> |
| Component: | Networking | Assignee: | Miciah Dashiel Butler Masters <mmasters> |
| Networking sub component: | router | QA Contact: | zhaozhanqi <zzhao> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | | |
| Priority: | high | CC: | abhgupta, aos-bugs, bbennett, bingli, bleanhar, dranders, gareth.mcshane, knakayam, mmasters, mnapolis, sspeiche, zhaliu, zzhao |
| Version: | 3.3.1 | Keywords: | UpcomingRelease |
| Target Milestone: | --- | | |
| Target Release: | 3.3.1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | Feature: Add option to allow HAProxy to expect incoming connections on port 80 or port 443 to use the PROXY protocol. Reason: So the source IP address can pass through a load balancer (if the load balancer supports the protocol, e.g. Amazon ELB). Result: If the ROUTER_USE_PROXY_PROTOCOL environment variable is set to "true" or "TRUE", HAProxy will expect incoming connections to use the PROXY protocol. | Story Points: | --- |
| Clone Of: | 1385421 | Environment: | |
| Last Closed: | 2017-01-26 20:43:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1385421 | | |
| Bug Blocks: | 1410156 | | |

Comment 3  zhaozhanqi  2017-01-06 07:56:12 UTC

In case it helps, here are the commands to configure ELB to use the PROXY protocol:
    aws elb create-load-balancer-policy --load-balancer-name infra-lb --policy-name infra-lb-ProxyProtocol-policy --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true
    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name infra-lb --instance-port 443 --policy-names infra-lb-ProxyProtocol-policy
    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name infra-lb --instance-port 80 --policy-names infra-lb-ProxyProtocol-policy
Using the PROXY protocol for unencrypted HTTP with an Amazon ELB requires changing the listener from HTTP to TCP.  The following commands should suffice:
    % aws elb delete-load-balancer-listeners --load-balancer-name infra-lb --load-balancer-ports 80
    % aws elb create-load-balancer-listeners --load-balancer-name infra-lb --listeners Protocol=TCP,LoadBalancerPort=80,InstanceProtocol=TCP,InstancePort=80
    % aws elb describe-load-balancers --load-balancer-name infra-lb | jq '[.LoadBalancerDescriptions[]|.ListenerDescriptions]'
    [
      [
        {
          "Listener": {
            "InstancePort": 443,
            "LoadBalancerPort": 443,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        },
        {
          "Listener": {
            "InstancePort": 5000,
            "LoadBalancerPort": 5000,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        },
        {
          "Listener": {
            "InstancePort": 80,
            "LoadBalancerPort": 80,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        }
      ]
    ]
    %
Many thanks @Miciah I will re-install the env to test again according to above configuration information.

Miciah: What OSE release is this targeted for?

This clone is 3.3.1.

To clarify, the new setting affects both port 80 and port 443, per discussion on the original PR.

We need to know the progress.

The change has been merged and verified in version 3.3.1.9. I am contacting ops about the next steps in getting this to customers' clusters.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0199
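
A check for the ELB side of this setup, as an added example that is not from the bug report or the OpenShift project: it reads `aws elb describe-load-balancers` JSON and reports router ports whose listener is still HTTP(S) or whose instance port lacks the PROXY policy. Backend-server policies are listed under `BackendServerDescriptions`, not under the listener `PolicyNames` shown in the jq output above; the sample JSON, the `audit` function name and the default port list are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `aws elb describe-load-balancers` output.
# Port 80 is deliberately left on an HTTP listener with no backend policy
# to show the failure case. Not captured from a real load balancer.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [{
  "LoadBalancerName": "infra-lb",
  "ListenerDescriptions": [
    {"Listener": {"InstancePort": 443, "LoadBalancerPort": 443,
                  "Protocol": "TCP", "InstanceProtocol": "TCP"}, "PolicyNames": []},
    {"Listener": {"InstancePort": 80, "LoadBalancerPort": 80,
                  "Protocol": "HTTP", "InstanceProtocol": "HTTP"}, "PolicyNames": []}
  ],
  "BackendServerDescriptions": [
    {"InstancePort": 443, "PolicyNames": ["infra-lb-ProxyProtocol-policy"]}
  ]
}]}
""")

def audit(desc, policy, router_ports=(80, 443)):
    """Return (port, problem) findings for ports where the router expects PROXY."""
    findings = []
    for lb in desc["LoadBalancerDescriptions"]:
        # Policies set with set-load-balancer-policies-for-backend-server
        backend = {b["InstancePort"]: b.get("PolicyNames", [])
                   for b in lb.get("BackendServerDescriptions", [])}
        seen = set()
        for ld in lb["ListenerDescriptions"]:
            lsn = ld["Listener"]
            port = lsn["InstancePort"]
            if port not in router_ports:
                continue
            seen.add(port)
            if {lsn["Protocol"], lsn["InstanceProtocol"]} & {"HTTP", "HTTPS"}:
                findings.append((port, "listener is HTTP(S); change it to TCP"))
            if policy not in backend.get(port, []):
                findings.append((port, "PROXY policy not attached to instance port"))
        for port in sorted(set(router_ports) - seen):
            findings.append((port, "no listener forwards to this port"))
    return findings

if __name__ == "__main__":
    for port, problem in audit(SAMPLE, "infra-lb-ProxyProtocol-policy"):
        print(f"port {port}: {problem}")
```

Because ROUTER_USE_PROXY_PROTOCOL affects both port 80 and port 443, any finding here means the router and the load balancer disagree about whether a PROXY header is sent on that port.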