First Last Prev Next    This bug is not in your last search results.
Bug 1459791 - [online-int]The HTTP_X_FORWARDED_FOR is not the client IP for ELB env
[online-int]The HTTP_X_FORWARDED_FOR is not the client IP for ELB env
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Routing (Show other bugs)
3.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Ben Bennett
zhaozhanqi
: Regression
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-08 03:55 EDT by Yan Du
Modified: 2017-11-09 13:57 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-09 13:57:53 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Yan Du 2017-06-08 03:55:20 EDT 
Description of problem:
The HTTP_X_FORWARDED_FOR is not the client IP for ELB env

Version-Release number of selected component (if applicable):
openshift v3.5.5.24
kubernetes v1.5.2+43a9be4


How reproducible:
Always

Steps to Reproduce:
1. Create project
2. Create dc/svc/route
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/header-test/dc.json
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/header-test/insecure-service.json
# oc expose service header-test-insecure
3. Access the route

Actual results:
3.
# curl http://header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<pre>
        host: header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com
        user-agent: curl/7.43.0
        accept: */*
        x-forwarded-host: header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com
        x-forwarded-port: 80
        x-forwarded-proto: http
        forwarded: for=172.31.54.149;host=header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com;proto=http
        x-forwarded-for: 172.31.54.149
      </pre>


Expected results:
The HTTP_X_FORWARDED_FOR should be the client IP for ELB env

Additional info:
Check the online-int haproxy config file, found ROUTER_USE_PROXY_PROTOCOL is not enabled.
Comment 1 ihorvath 2017-06-21 11:29:50 EDT 
As noted the ROUTER_USE_PROXY_PROTOCOL was missing in the router DC. After adding that and making sure the AWS ELB already has it set, created a project in the cluster with the aosqe/http-header-test image and got the correct x-forwarded-for ip back:

host: http-header-test-ihorvathtest.34bf.online-int.openshiftapps.com
  upgrade-insecure-requests: 1
  user-agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
  accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  accept-encoding: gzip, deflate, sdch
  accept-language: en-US,en;q=0.8
  x-forwarded-host: http-header-test-ihorvathtest.34bf.online-int.openshiftapps.com
  x-forwarded-port: 80
  x-forwarded-proto: http
  forwarded: for=66.187.233.202;host=http-header-test-ihorvathtest.34bf.online-int.openshiftapps.com;proto=http
  x-forwarded-for: 66.187.233.202
Comment 2 Yan Du 2017-06-22 05:14:58 EDT 
Retest on online-int env
openshift v3.5.5.27
kubernetes v1.5.2+43a9be4

Bug have been fixed.

        host: myroute-hg7zu.34bf.online-int.openshiftapps.com
        user-agent: curl/7.43.0
        accept: */*
        x-forwarded-host: myroute-hg7zu.34bf.online-int.openshiftapps.com
        x-forwarded-port: 443
        x-forwarded-proto: https
        forwarded: for=54.173.1.35;host=myroute-hg7zu.34bf.online-int.openshiftapps.com;proto=https
        x-forwarded-for: 54.173.1.35
      </pre>
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.