Bug 1410157 - [3.3] HTTP_X_FORWARDED_FOR incorrect in V3
Summary: [3.3] HTTP_X_FORWARDED_FOR incorrect in V3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.3.1
Assignee: Miciah Dashiel Butler Masters
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On: 1385421
Blocks: 1410156
TreeView+ depends on / blocked
 
Reported: 2017-01-04 15:48 UTC by Scott Dodson
Modified: 2022-08-04 22:20 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Add option to allow HAProxy to expect incoming connections on port 80 or port 443 to use the PROXY protocol. Reason: So the source IP address can pass through a load balancer (if the load balancer supports the protocol, e.g. Amazon ELB). Result: If the ROUTER_USE_PROXY_PROTOCOL environment variable is set to "true" or "TRUE", HAProxy will expect incoming connections to use the PROXY protocol.
Clone Of: 1385421
Environment:
Last Closed: 2017-01-26 20:43:25 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0199 0 normal SHIPPED_LIVE OpenShift Container Platform 3.3.1.11 and 3.2.1.23 bug fix update 2017-01-27 01:41:56 UTC

Comment 3 zhaozhanqi 2017-01-06 07:56:12 UTC 
Seem like the corresponding v3.3.1.9 image is not built yet.So QE will verify this bug once it is ready.
Comment 6 Miciah Dashiel Butler Masters 2017-01-10 17:17:02 UTC 
In case it helps, here are the commands to configure ELB to use the PROXY protocol:

    aws elb create-load-balancer-policy --load-balancer-name infra-lb --policy-name infra-lb-ProxyProtocol-policy --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true
    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name infra-lb --instance-port 443 --policy-names infra-lb-ProxyProtocol-policy
    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name infra-lb --instance-port 80 --policy-names infra-lb-ProxyProtocol-policy
Comment 10 Miciah Dashiel Butler Masters 2017-01-13 01:41:27 UTC 
Using the PROXY protocol for unencrypted HTTP with an Amazon ELB requires changing the listener from HTTP to TCP.  The following commands should suffice:

    % aws elb delete-load-balancer-listeners --load-balancer-name infra-lb --load-balancer-ports 80
    % aws elb create-load-balancer-listeners --load-balancer-name infra-lb --listeners Protocol=TCP,LoadBalancerPort=80,InstanceProtocol=TCP,InstancePort=80
    % aws elb describe-load-balancers --load-balancer-name infra-lb | jq '[.LoadBalancerDescriptions[]|.ListenerDescriptions]'[
      [
        {
          "Listener": {
            "InstancePort": 443,
            "LoadBalancerPort": 443,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        },
        {
          "Listener": {
            "InstancePort": 5000,
            "LoadBalancerPort": 5000,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        },
        {
          "Listener": {
            "InstancePort": 80,
            "LoadBalancerPort": 80,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          },
          "PolicyNames": []
        }
      ]
    ]
    %
Comment 11 zhaozhanqi 2017-01-13 01:52:19 UTC 
many thanks @Miciah

I will re-install the env to test again according to above configuration information.
Comment 13 Ben Bennett 2017-01-13 12:09:16 UTC 
Miciah: What OSE release is this targeted for?
Comment 14 Scott Dodson 2017-01-13 13:49:25 UTC 
This clone is 3.3.1
Comment 16 Miciah Dashiel Butler Masters 2017-01-13 17:01:59 UTC 
To clarify, the new setting affects both port 80 and port 443, per discussion on the original PR.
Comment 17 Kenjiro Nakayama 2017-01-17 05:03:16 UTC 
We need to know the progress.
Comment 18 Miciah Dashiel Butler Masters 2017-01-17 08:28:13 UTC 
The change has been merged and verified in version 3.3.1.9.  I am contacting ops about the next steps in getting this to customers' clusters.
Comment 20 errata-xmlrpc 2017-01-26 20:43:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0199
Note You need to log in before you can comment on or make changes to this bug.