Bug 1410157 - [3.3] HTTP_X_FORWARDED_FOR incorrect in V3
Summary: [3.3] HTTP_X_FORWARDED_FOR incorrect in V3
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.3.1
Assignee: Miciah Dashiel Butler Masters
QA Contact: zhaozhanqi
Depends On: 1385421
Blocks: 1410156
TreeView+ depends on / blocked
Reported: 2017-01-04 15:48 UTC by Scott Dodson
Modified: 2020-05-14 15:30 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Add option to allow HAProxy to expect incoming connections on port 80 or port 443 to use the PROXY protocol. Reason: So the source IP address can pass through a load balancer (if the load balancer supports the protocol, e.g. Amazon ELB). Result: If the ROUTER_USE_PROXY_PROTOCOL environment variable is set to "true" or "TRUE", HAProxy will expect incoming connections to use the PROXY protocol.
Clone Of: 1385421
Last Closed: 2017-01-26 20:43:25 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0199 0 normal SHIPPED_LIVE OpenShift Container Platform and bug fix update 2017-01-27 01:41:56 UTC

Comment 3 zhaozhanqi 2017-01-06 07:56:12 UTC
Seem like the corresponding v3.3.1.9 image is not built yet.So QE will verify this bug once it is ready.

Comment 6 Miciah Dashiel Butler Masters 2017-01-10 17:17:02 UTC
In case it helps, here are the commands to configure ELB to use the PROXY protocol:

    aws elb create-load-balancer-policy --load-balancer-name infra-lb --policy-name infra-lb-ProxyProtocol-policy --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true
    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name infra-lb --instance-port 443 --policy-names infra-lb-ProxyProtocol-policy
    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name infra-lb --instance-port 80 --policy-names infra-lb-ProxyProtocol-policy

Comment 10 Miciah Dashiel Butler Masters 2017-01-13 01:41:27 UTC
Using the PROXY protocol for unencrypted HTTP with an Amazon ELB requires changing the listener from HTTP to TCP.  The following commands should suffice:

    % aws elb delete-load-balancer-listeners --load-balancer-name infra-lb --load-balancer-ports 80
    % aws elb create-load-balancer-listeners --load-balancer-name infra-lb --listeners Protocol=TCP,LoadBalancerPort=80,InstanceProtocol=TCP,InstancePort=80
    % aws elb describe-load-balancers --load-balancer-name infra-lb | jq '[.LoadBalancerDescriptions[]|.ListenerDescriptions]'[
          "Listener": {
            "InstancePort": 443,
            "LoadBalancerPort": 443,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          "PolicyNames": []
          "Listener": {
            "InstancePort": 5000,
            "LoadBalancerPort": 5000,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          "PolicyNames": []
          "Listener": {
            "InstancePort": 80,
            "LoadBalancerPort": 80,
            "Protocol": "TCP",
            "InstanceProtocol": "TCP"
          "PolicyNames": []

Comment 11 zhaozhanqi 2017-01-13 01:52:19 UTC
many thanks @Miciah

I will re-install the env to test again according to above configuration information.

Comment 13 Ben Bennett 2017-01-13 12:09:16 UTC
Miciah: What OSE release is this targeted for?

Comment 14 Scott Dodson 2017-01-13 13:49:25 UTC
This clone is 3.3.1

Comment 16 Miciah Dashiel Butler Masters 2017-01-13 17:01:59 UTC
To clarify, the new setting affects both port 80 and port 443, per discussion on the original PR.

Comment 17 Kenjiro Nakayama 2017-01-17 05:03:16 UTC
We need to know the progress.

Comment 18 Miciah Dashiel Butler Masters 2017-01-17 08:28:13 UTC
The change has been merged and verified in version  I am contacting ops about the next steps in getting this to customers' clusters.

Comment 20 errata-xmlrpc 2017-01-26 20:43:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.