Bug 1410157 - [3.3] HTTP_X_FORWARDED_FOR incorrect in V3
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
3.3.1
Unspecified Unspecified
high Severity high
: 3.3.1
Assigned To: Miciah Dashiel Butler Masters
zhaozhanqi
: UpcomingRelease
Depends On: 1385421
Blocks: 1410156
Reported: 2017-01-04 10:48 EST by Scott Dodson
Modified: 2017-01-26 15:43 EST
Doc Type: Enhancement
Doc Text:
Feature: Add option to allow HAProxy to expect incoming connections on port 80 or port 443 to use the PROXY protocol.
Reason: So the source IP address can pass through a load balancer (if the load balancer supports the protocol, e.g. Amazon ELB).
Result: If the ROUTER_USE_PROXY_PROTOCOL environment variable is set to "true" or "TRUE", HAProxy will expect incoming connections to use the PROXY protocol.
Clone Of: 1385421
Last Closed: 2017-01-26 15:43:25 EST
Type: Bug
External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2017:0199
Priority: normal
Status: SHIPPED_LIVE
Summary: OpenShift Container Platform 3.3.1.11 and 3.2.1.23 bug fix update
Last Updated: 2017-01-26 20:41:56 EST
Comment 3 zhaozhanqi 2017-01-06 02:56:12 EST
Seems like the corresponding v3.3.1.9 image is not built yet. So QE will verify this bug once it is ready.
Comment 6 Miciah Dashiel Butler Masters 2017-01-10 12:17:02 EST
In case it helps, here are the commands to configure ELB to use the PROXY protocol:

    aws elb create-load-balancer-policy --load-balancer-name infra-lb --policy-name infra-lb-ProxyProtocol-policy --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true
    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name infra-lb --instance-port 443 --policy-names infra-lb-ProxyProtocol-policy
    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name infra-lb --instance-port 80 --policy-names infra-lb-ProxyProtocol-policy
Comment 10 Miciah Dashiel Butler Masters 2017-01-12 20:41:27 EST
Using the PROXY protocol for unencrypted HTTP with an Amazon ELB requires changing the listener from HTTP to TCP.  The following commands should suffice:

    % aws elb delete-load-balancer-listeners --load-balancer-name infra-lb --load-balancer-ports 80
    % aws elb create-load-balancer-listeners --load-balancer-name infra-lb --listeners Protocol=TCP,LoadBalancerPort=80,InstanceProtocol=TCP,InstancePort=80
    % aws elb describe-load-balancers --load-balancer-name infra-lb | jq '[.LoadBalancerDescriptions[]|.ListenerDescriptions]'
    [
      [
        {
          "Listener": {
            "InstancePort": 443,
            "LoadBalancerPort": 443,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        },
        {
          "Listener": {
            "InstancePort": 5000,
            "LoadBalancerPort": 5000,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        },
        {
          "Listener": {
            "InstancePort": 80,
            "LoadBalancerPort": 80,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        }
      ]
    ]
    %
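
Added example, not part of the original comments or of OpenShift: a check that an ELB description matches the setup from comments 6 and 10 before the router is started with ROUTER_USE_PROXY_PROTOCOL=true. It assumes the TCP listener layout shown in comment 10 and reads the policy attachment from the `BackendServerDescriptions` field of the `describe-load-balancers` output; the sample JSON is constructed and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws elb describe-load-balancers` output for
# infra-lb *before* comment 10's listener change (port 80 still HTTP, policy
# attached on 443 only). Not captured from a real account.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [{
  "LoadBalancerName": "infra-lb",
  "ListenerDescriptions": [
    {"Listener": {"InstancePort": 443, "LoadBalancerPort": 443,
                  "Protocol": "TCP", "InstanceProtocol": "TCP"}, "PolicyNames": []},
    {"Listener": {"InstancePort": 80, "LoadBalancerPort": 80,
                  "Protocol": "HTTP", "InstanceProtocol": "HTTP"}, "PolicyNames": []}],
  "BackendServerDescriptions": [
    {"InstancePort": 443, "PolicyNames": ["infra-lb-ProxyProtocol-policy"]}]
}]}
""")


def audit_proxy_protocol(description, policy_name, router_ports=(80, 443)):
    """Return findings for one load balancer; an empty list means every router
    port has a TCP listener and the PROXY protocol backend policy attached."""
    findings = []
    listeners = {d["Listener"]["InstancePort"]: d["Listener"]
                 for d in description.get("ListenerDescriptions", [])}
    backend = {b["InstancePort"]: set(b.get("PolicyNames", []))
               for b in description.get("BackendServerDescriptions", [])}
    for port in router_ports:
        listener = listeners.get(port)
        if listener is None:
            findings.append(f"port {port}: no listener forwards to this instance port")
            continue
        # An HTTP listener cannot carry the PROXY header (comment 10).
        for key in ("Protocol", "InstanceProtocol"):
            if listener[key].upper() != "TCP":
                findings.append(f"port {port}: {key} is {listener[key]}, expected TCP")
        # Without the backend policy the ELB sends no PROXY header on this port.
        if policy_name not in backend.get(port, set()):
            findings.append(f"port {port}: backend policy {policy_name} not attached")
    return findings


def audit_all(doc, policy_name):
    """Map each load balancer name in the document to its findings."""
    return {d["LoadBalancerName"]: audit_proxy_protocol(d, policy_name)
            for d in doc["LoadBalancerDescriptions"]}
```

To run it against a live balancer, load the JSON printed by `aws elb describe-load-balancers --load-balancer-name infra-lb` with `json.load` and pass it to `audit_all` together with the policy name used in comment 6.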
Comment 11 zhaozhanqi 2017-01-12 20:52:19 EST
Many thanks @Miciah

I will re-install the env to test again according to the above configuration information.
Comment 13 Ben Bennett 2017-01-13 07:09:16 EST
Miciah: What OSE release is this targeted for?
Comment 14 Scott Dodson 2017-01-13 08:49:25 EST
This clone is 3.3.1
Comment 16 Miciah Dashiel Butler Masters 2017-01-13 12:01:59 EST
To clarify, the new setting affects both port 80 and port 443, per discussion on the original PR.
Comment 17 Kenjiro Nakayama 2017-01-17 00:03:16 EST
We need to know the progress.
Comment 18 Miciah Dashiel Butler Masters 2017-01-17 03:28:13 EST
The change has been merged and verified in version 3.3.1.9.  I am contacting ops about the next steps in getting this to customers' clusters.
Comment 20 errata-xmlrpc 2017-01-26 15:43:25 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0199
