Bug 1459791 - [online-int]The HTTP_X_FORWARDED_FOR is not the client IP for ELB env
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Routing
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assignee: Ben Bennett
QA Contact: zhaozhanqi
Reported: 2017-06-08 07:55 UTC by Yan Du
Modified: 2017-11-09 18:57 UTC (History)

Last Closed: 2017-11-09 18:57:53 UTC

Description Yan Du 2017-06-08 07:55:20 UTC
Description of problem:
The HTTP_X_FORWARDED_FOR is not the client IP for ELB env

Version-Release number of selected component (if applicable):
openshift v3.5.5.24
kubernetes v1.5.2+43a9be4


How reproducible:
Always

Steps to Reproduce:
1. Create project
2. Create dc/svc/route
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/header-test/dc.json
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/header-test/insecure-service.json
# oc expose service header-test-insecure
3. Access the route

Actual results:
3.
# curl http://header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<pre>
        host: header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com
        user-agent: curl/7.43.0
        accept: */*
        x-forwarded-host: header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com
        x-forwarded-port: 80
        x-forwarded-proto: http
        forwarded: for=172.31.54.149;host=header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com;proto=http
        x-forwarded-for: 172.31.54.149
      </pre>


Expected results:
The HTTP_X_FORWARDED_FOR should be the client IP for ELB env

Additional info:
Checked the online-int haproxy config file and found that ROUTER_USE_PROXY_PROTOCOL is not enabled.

Comment 1 ihorvath 2017-06-21 15:29:50 UTC
As noted, ROUTER_USE_PROXY_PROTOCOL was missing in the router DC. After adding that and making sure the AWS ELB already has it set, I created a project in the cluster with the aosqe/http-header-test image and got the correct x-forwarded-for IP back:

host: http-header-test-ihorvathtest.34bf.online-int.openshiftapps.com
  upgrade-insecure-requests: 1
  user-agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
  accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  accept-encoding: gzip, deflate, sdch
  accept-language: en-US,en;q=0.8
  x-forwarded-host: http-header-test-ihorvathtest.34bf.online-int.openshiftapps.com
  x-forwarded-port: 80
  x-forwarded-proto: http
  forwarded: for=66.187.233.202;host=http-header-test-ihorvathtest.34bf.online-int.openshiftapps.com;proto=http
  x-forwarded-for: 66.187.233.202

Comment 2 Yan Du 2017-06-22 09:14:58 UTC
Retested on online-int env
openshift v3.5.5.27
kubernetes v1.5.2+43a9be4

Bug has been fixed.

        host: myroute-hg7zu.34bf.online-int.openshiftapps.com
        user-agent: curl/7.43.0
        accept: */*
        x-forwarded-host: myroute-hg7zu.34bf.online-int.openshiftapps.com
        x-forwarded-port: 443
        x-forwarded-proto: https
        forwarded: for=54.173.1.35;host=myroute-hg7zu.34bf.online-int.openshiftapps.com;proto=https
        x-forwarded-for: 54.173.1.35
      </pre>
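
The check performed by hand in this report can be scripted. The following is an added example, not code from the reporters or from OpenShift: it parses the header dump echoed by the test pod and flags an x-forwarded-for value that is not publicly routable or that disagrees with the forwarded header. The function name is hypothetical, and it assumes the test client sits on the public internet and that the closest proxy appends its entry last.

```python
import ipaddress
import re

HEADER_RE = re.compile(r"^\s*([A-Za-z0-9-]+):\s*(.*?)\s*$")
FOR_RE = re.compile(r"for=([^;,\s]+)", re.I)

# Excerpts of the echoed responses shown in this report (description, comment 1).
BEFORE = """\
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<pre>
        host: header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com
        x-forwarded-proto: http
        forwarded: for=172.31.54.149;host=header-test-insecure-3gzw6.34bf.online-int.openshiftapps.com;proto=http
        x-forwarded-for: 172.31.54.149
      </pre>
"""
AFTER = """\
  host: http-header-test-ihorvathtest.34bf.online-int.openshiftapps.com
  x-forwarded-proto: http
  forwarded: for=66.187.233.202;host=http-header-test-ihorvathtest.34bf.online-int.openshiftapps.com;proto=http
  x-forwarded-for: 66.187.233.202
"""


def check_client_ip(body):
    """Return (address, findings) for one echoed header dump."""
    headers = {}
    for line in body.splitlines():
        m = HEADER_RE.match(line)  # skips curl progress output and <pre> tags
        if m:
            headers[m.group(1).lower()] = m.group(2)
    xff = headers.get("x-forwarded-for", "")
    # Assumption: the closest proxy appends its view of the peer as the last entry.
    last_hop = xff.split(",")[-1].strip()
    try:
        addr = ipaddress.ip_address(last_hop)
    except ValueError:
        return None, ["x-forwarded-for missing or not an IP address"]
    findings = []
    if not addr.is_global:
        findings.append(f"{addr} is not publicly routable: likely the load balancer's address")
    fwd = FOR_RE.findall(headers.get("forwarded", ""))
    if fwd and fwd[-1].strip('"[]') != str(addr):
        findings.append(f"forwarded for={fwd[-1]} disagrees with x-forwarded-for")
    return str(addr), findings


if __name__ == "__main__":
    for name, body in (("before", BEFORE), ("after", AFTER)):
        print(name, check_client_ip(body))
```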

