1395326 – Kibana Fails Behind F-5 Loadbalancer with X-Forwarded-For enabled

Bug 1395326 - Kibana Fails Behind F-5 Loadbalancer with X-Forwarded-For enabled

Summary: Kibana Fails Behind F-5 Loadbalancer with X-Forwarded-For enabled

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Logging
Sub Component:
Version:	3.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	ewolinet
QA Contact:	Xia Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1401688
TreeView+	depends on / blocked

Reported:	2016-11-15 16:49 UTC by Steven Walter
Modified:	2020-03-11 15:22 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1401688 (view as bug list)
Environment:
Last Closed:	2017-01-03 20:56:11 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Steven Walter 2016-11-15 16:49:09 UTC

Description of problem:
When application Kibana is behind a F5 big ip with parameter 'X-Forwarded-For = enabled', kibana fails trying to connect to elasticsearch


Version-Release number of selected component (if applicable):
3.3.0

How reproducible:
Unconfirmed

Steps to Reproduce:
1. Set up OpenShift cluster using F-5 as internal loadbalancer
2. Set up logging cluster

Actual results:

Kibana: Unknown error while connecting to Elasticsearch

Error: Unknown error while connecting to Elasticsearch
Error: UnknownHostException[No trusted proxies]


Expected results:

Logging cluster to work

Comment 14 ewolinet 2017-01-03 20:56:11 UTC

Troubleshooting section added to logging installation regarding resolving this issue. Verified in https://bugzilla.redhat.com/show_bug.cgi?id=1401688

Comment 15 Peter Portante 2017-03-29 19:22:22 UTC

Could we have used 'searchguard.dynamic.http.xff.enabled: false' instead?

See https://github.com/floragunncom/search-guard-docs/blob/master/proxy.md.

Comment 16 ewolinet 2017-03-29 21:06:26 UTC

@Peter IIRC, unfortunately we needed to have it set to 'true' as part of picking up user information from the proxy header.

https://github.com/openshift/origin-aggregated-logging/blob/master/elasticsearch/sgconfig/sg_config.yml

Note You need to log in before you can comment on or make changes to this bug.