Description of problem: The X-Forwarded-For and related headers send the IPv6 form of the source IPv4 address. e.g.: Forwarded: for=::ffff:172.17.0.3;host=hello-openshift-default.router.default.svc.cluster.local;proto=http X-Forwarded-For: ::ffff:172.17.0.3 Version-Release number of selected component (if applicable): 3.6.0 How reproducible: Always Steps to Reproduce: 1. Set up a router and a route 2. Run tcpdump to sniff the traffic on the target node, and watch for the http request from the proxy 3. curl --ipv4 172.17.0.3 -H 'Host: hello-openshift-default.router.default.svc.cluster.local' Actual results: GET / HTTP/1.1 User-Agent: curl/7.51.0 Accept: */* Host: hello-openshift-default.router.default.svc.cluster.local X-Forwarded-Host: hello-openshift-default.router.default.svc.cluster.local X-Forwarded-Port: 80 X-Forwarded-Proto: http Forwarded: for=::ffff:172.17.0.3;host=hello-openshift-default.router.default.svc.cluster.local;proto=http X-Forwarded-For: ::ffff:172.17.0.3 Expected results: GET / HTTP/1.1 User-Agent: curl/7.51.0 Accept: */* Host: hello-openshift-default.router.default.svc.cluster.local X-Forwarded-Host: hello-openshift-default.router.default.svc.cluster.local X-Forwarded-Port: 80 X-Forwarded-Proto: http Forwarded: for=172.17.0.3;host=hello-openshift-default.router.default.svc.cluster.local;proto=http X-Forwarded-For: 172.17.0.3 Additional info:
PR https://github.com/openshift/origin/pull/15229
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/7821bd5070fb167dfe455d017d338e22673d4cf3 Add an ENV to control ipv6 behavior in the router This patch adds an environent variable called ROUTER_IP_V4_V6_MODE which must be set to "v4" (the default), "v6", or "v4v6" to control whether the router to binds to IPv4, IPv6, or both. Note that when set to 'v6' or 'v4v6', the X-Forwarded-For and Forwarded http headers will be in IPv6 form (even when the connection was an IPv4 one, if set to 'v4v6'). Fixes bug 1471255 (https://bugzilla.redhat.com/show_bug.cgi?id=1471255)
The fix had been merged into latest ocp build, move it forward.
Assigning this to @pcameron to shepherd in. The PR is https://github.com/openshift/origin/pull/15566 to correct an issue.
verified in atomic-openshift-3.7.0-0.143.1.git.0.e152287 and the bug has been fixed. 1. ROUTER_IP_V4_V6_MODE=v4 (by default) forwarded: for=10.8.241.59;host=header-test-insecure-hongli.apps.1009-e6s.qe.rhcloud.com;proto=http x-forwarded-for: 10.8.241.59 2. ROUTER_IP_V4_V6_MODE=v4v6 forwarded: for="[::ffff:10.8.241.59]";host=header-test-insecure-hongli.apps.1009-e6s.qe.rhcloud.com;proto=http x-forwarded-for: ::ffff:10.8.241.59 or forwarded: for="[3037::37]";host=header-test-insecure-hongli.apps.1009-e6s.qe.rhcloud.com;proto=http x-forwarded-for: 3037::37 2. ROUTER_IP_V4_V6_MODE=v6 forwarded: for="[3037::37]";host=header-test-insecure-hongli.apps.1009-e6s.qe.rhcloud.com;proto=http x-forwarded-for: 3037::37
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188