<div dir="ltr">FWIW, it is in the policy code where I am not seeing these headers being set correctly: <br><br><a href="https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/IPWhitelistPolicy.java#L55">https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/IPWhitelistPolicy.java#L55</a><br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 22, 2017 at 11:01 AM, Stephen Henrie <span dir="ltr"><<a href="mailto:stephen@saasindustries.com" target="_blank">stephen@saasindustries.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Eric, thanks for the response.<br><br></div>I had reviewed that code as well, so I believe you when you say that it should be passing all of those proxy headers along. However, check out below what I am seeing when posting a request to a test service that I am running. It simply dumps the headers The first request is made directly to the service without going through apiman and the second request is made through apiman. <br><br></div>I don't think that the issue is in the servlet code, but when these headers are passed into where policies applied, like somewhere where the ApiRequest class is created.<br><br></div>Thanks<br></div>Stephen<br><br><div><div><div><br>2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : HEADERS:<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : user-agent: Wget/1.19.1 (darwin15.6.0)<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : accept: */*<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : accept-encoding: identity<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : host: <a href="http://spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com" target="_blank">spring-boot-oauth-demo-user-<wbr>dev.router.dev1.saasforge.com</a><br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi<wbr>AiSldUIiwia2lkIiA6ICJ1bVJaV1ct<wbr>ckJrVnZGUTNyNlhCWkVCNGZwamxGV2<wbr>FBcTBLWU1qZThEZnNjIn0.<wbr>eyJqdGkiOiI5ZWQ0YTQwOC05ZGM3LT<wbr>RlMzMtOTkxNy1mNjdkYWU1YjJjM2Yi<wbr>LCJleHAiOjE1MDM0MTc1NDAsIm5iZi<wbr>I6MCwiaWF0IjoxNTAzNDE3MjQwLCJp<wbr>c3MiOiJodHRwOi8vYXBwLmRldjEuc2<wbr>Fhc2ZvcmdlLmNvbS9hdXRoL3JlYWxt<wbr>cy9jaGFzc2kiLCJhdWQiOiJjaGFzc2<wbr>ktd2ViLWFwcCIsInN1YiI6ImI0ZGIx<wbr>ZmU5LTNmYzUtNDJjMy04NTg0LWQwZW<wbr>JlMzRhM2U5MyIsInR5cCI6IkJlYXJl<wbr>ciIsImF6cCI6ImNoYXNzaS13ZWItYX<wbr>BwIiwiYXV0aF90aW1lIjowLCJzZXNz<wbr>aW9uX3N0YXRlIjoiN2NmZjVhZDEtNj<wbr>E3NC00YzY1LTk5NGQtYzk4ZTdkNWFl<wbr>YzNhIiwiYWNyIjoiMSIsImFsbG93ZW<wbr>Qtb3JpZ2lucyI6WyJodHRwOi8vY2hh<wbr>c3NpLWF1dGgtcHJveHktdXNlci1kZX<wbr>Yucm91dGVyLmRldjIuc2Fhc2Zvcmdl<wbr>LmNvbTo3ODg4IiwiaHR0cDovL2F1dG<wbr>guZGV2MS5zYWFzZm9yZ2UuY29tLyoi<wbr>LCJodHRwOi8vYXV0aC11c2VyLWRldi<wbr>5yb3V0ZXIuZGV2MS5zYWFzZm9yZ2Uu<wbr>Y29tIiwiaHR0cDovL2FwcC5kZXYxLn<wbr>NhYXNmb3JnZS5jb20vKiIsImh0dHA6<wbr>Ly9kZXYxLWFwcHMuczMtd2Vic2l0ZS<wbr>11cy1lYXN0LTEuYW1hem9uYXdzLmNv<wbr>bS9kYXNoYm9hcmQiLCJodHRwOi8vbG<wbr>9jYWxob3N0OjMwMDEiLCJodHRwOi8v<wbr>YXBwLmRldjEuc2Fhc2ZvcmdlLmNvbT<wbr>o4MC8qIiwiaHR0cDovL2xvY2FsaG9z<wbr>dDozMDAwIiwiaHR0cHM6Ly9hcGkuZG<wbr>V2MS5zYWFzZm9yZ2UuY29tLyoiLCJo<wbr>dHRwOi8vYXBwLmRldjEuc2Fhc2Zvcm<wbr>dlLmNvbS9kYXNoYm9hcmQvKiIsImh0<wbr>dHA6Ly9hcHAuZGV2MS5zYWFzZm9yZ2<wbr>UuY29tL2JvYi1zbW9rZS10ZXN0Iiwi<wbr>aHR0cHM6Ly9hdXRoLmRldjEuc2Fhc2<wbr>ZvcmdlLmNvbS8qIl0sInJlYWxtX2Fj<wbr>Y2VzcyI6eyJyb2xlcyI6WyJiaWxsaW<wbr>5nLWFkbWluaXN0cmF0b3IiLCJ0ZW5h<wbr>bnQtb3duZXIiLCJkZXZlbG9wZXIiLC<wbr>J1bWFfYXV0aG9yaXphdGlvbiJdfSwi<wbr>cmVzb3VyY2VfYWNjZXNzIjp7ImFjY2<wbr>91bnQiOnsicm9sZXMiOlsibWFuYWdl<wbr>LWFjY291bnQiLCJtYW5hZ2UtYWNjb3<wbr>VudC1saW5rcyIsInZpZXctcHJvZmls<wbr>ZSJdfX0sIm5hbWUiOiJTdGVwaGVuIE<wbr>hlbnJpZSIsInByZWZlcnJlZF91c2Vy<wbr>bmFtZSI6InNoZW5yaWVAY2hhc3NpLm<wbr>NvbSIsImdpdmVuX25hbWUiOiJTdGVw<wbr>aGVuIiwiZmFtaWx5X25hbWUiOiJIZW<wbr>5yaWUiLCJlbWFpbCI6InNoZW5yaWVA<wbr>Y2hhc3NpLmNvbSJ9.<wbr>AxhMpP3gMbh96BI7HNqLwZNjmUAiif<wbr>zGhouoLpHwjggWDf6YX-<wbr>6geJb7yhkWTg4b7i5wYBC7OQpstgmf<wbr>g01RIjQ_<wbr>BJsJz8jxEwouvIufEDwWkmbtp9z0VP<wbr>egRYi8y405RQya18W2-<wbr>m7lbi7LsBrK4cAJ-kgQ_-k5R_<wbr>vxQFuAgmgZC-NYYtpvP0swrTNxHO-<wbr>DHJEolYb9wXjk_<wbr>hFYEY9MBTqLeILvFEyjpkA_<wbr>66WEWWE_<wbr>zA6RTw6ZU1uiwEDOCsDMHjejVDaZzX<wbr>A78chQRAhlUcgQSG7ATZNKcU5hnDu2<wbr>bhQ79hugOdCa83Snl0RZUWXYoIB9vg<wbr>apJosAP5rBUbTdJA<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : x-forwarded-host: <a href="http://spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com" target="_blank">spring-boot-oauth-demo-user-<wbr>dev.router.dev1.saasforge.com</a><br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : x-forwarded-port: 80<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : x-forwarded-proto: http<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : forwarded: for=71.86.141.114;host=<a href="http://spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com" target="_blank">spring-<wbr>boot-oauth-demo-user-dev.<wbr>router.dev1.saasforge.com</a>;<wbr>proto=http<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : x-forwarded-for: 71.86.141.114<br>2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.<wbr>ApiRestController : RemoteAddr: 172.17.0.1<br><br><br><br>2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.<wbr>ApiRestController : HEADERS:<br>2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.<wbr>ApiRestController : user-agent: Wget/1.19.1 (darwin15.6.0)<br>2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.<wbr>ApiRestController : accept-encoding: identity<br>2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.<wbr>ApiRestController : connection: Keep-Alive<br>2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.<wbr>ApiRestController : authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi<wbr>AiSldUIiwia2lkIiA6ICJ1bVJaV1ct<wbr>ckJrVnZGUTNyNlhCWkVCNGZwamxGV2<wbr>FBcTBLWU1qZThEZnNjIn0.<wbr>eyJqdGkiOiI5ZWQ0YTQwOC05ZGM3LT<wbr>RlMzMtOTkxNy1mNjdkYWU1YjJjM2Yi<wbr>LCJleHAiOjE1MDM0MTc1NDAsIm5iZi<wbr>I6MCwiaWF0IjoxNTAzNDE3MjQwLCJp<wbr>c3MiOiJodHRwOi8vYXBwLmRldjEuc2<wbr>Fhc2ZvcmdlLmNvbS9hdXRoL3JlYWxt<wbr>cy9jaGFzc2kiLCJhdWQiOiJjaGFzc2<wbr>ktd2ViLWFwcCIsInN1YiI6ImI0ZGIx<wbr>ZmU5LTNmYzUtNDJjMy04NTg0LWQwZW<wbr>JlMzRhM2U5MyIsInR5cCI6IkJlYXJl<wbr>ciIsImF6cCI6ImNoYXNzaS13ZWItYX<wbr>BwIiwiYXV0aF90aW1lIjowLCJzZXNz<wbr>aW9uX3N0YXRlIjoiN2NmZjVhZDEtNj<wbr>E3NC00YzY1LTk5NGQtYzk4ZTdkNWFl<wbr>YzNhIiwiYWNyIjoiMSIsImFsbG93ZW<wbr>Qtb3JpZ2lucyI6WyJodHRwOi8vY2hh<wbr>c3NpLWF1dGgtcHJveHktdXNlci1kZX<wbr>Yucm91dGVyLmRldjIuc2Fhc2Zvcmdl<wbr>LmNvbTo3ODg4IiwiaHR0cDovL2F1dG<wbr>guZGV2MS5zYWFzZm9yZ2UuY29tLyoi<wbr>LCJodHRwOi8vYXV0aC11c2VyLWRldi<wbr>5yb3V0ZXIuZGV2MS5zYWFzZm9yZ2Uu<wbr>Y29tIiwiaHR0cDovL2FwcC5kZXYxLn<wbr>NhYXNmb3JnZS5jb20vKiIsImh0dHA6<wbr>Ly9kZXYxLWFwcHMuczMtd2Vic2l0ZS<wbr>11cy1lYXN0LTEuYW1hem9uYXdzLmNv<wbr>bS9kYXNoYm9hcmQiLCJodHRwOi8vbG<wbr>9jYWxob3N0OjMwMDEiLCJodHRwOi8v<wbr>YXBwLmRldjEuc2Fhc2ZvcmdlLmNvbT<wbr>o4MC8qIiwiaHR0cDovL2xvY2FsaG9z<wbr>dDozMDAwIiwiaHR0cHM6Ly9hcGkuZG<wbr>V2MS5zYWFzZm9yZ2UuY29tLyoiLCJo<wbr>dHRwOi8vYXBwLmRldjEuc2Fhc2Zvcm<wbr>dlLmNvbS9kYXNoYm9hcmQvKiIsImh0<wbr>dHA6Ly9hcHAuZGV2MS5zYWFzZm9yZ2<wbr>UuY29tL2JvYi1zbW9rZS10ZXN0Iiwi<wbr>aHR0cHM6Ly9hdXRoLmRldjEuc2Fhc2<wbr>ZvcmdlLmNvbS8qIl0sInJlYWxtX2Fj<wbr>Y2VzcyI6eyJyb2xlcyI6WyJiaWxsaW<wbr>5nLWFkbWluaXN0cmF0b3IiLCJ0ZW5h<wbr>bnQtb3duZXIiLCJkZXZlbG9wZXIiLC<wbr>J1bWFfYXV0aG9yaXphdGlvbiJdfSwi<wbr>cmVzb3VyY2VfYWNjZXNzIjp7ImFjY2<wbr>91bnQiOnsicm9sZXMiOlsibWFuYWdl<wbr>LWFjY291bnQiLCJtYW5hZ2UtYWNjb3<wbr>VudC1saW5rcyIsInZpZXctcHJvZmls<wbr>ZSJdfX0sIm5hbWUiOiJTdGVwaGVuIE<wbr>hlbnJpZSIsInByZWZlcnJlZF91c2Vy<wbr>bmFtZSI6InNoZW5yaWVAY2hhc3NpLm<wbr>NvbSIsImdpdmVuX25hbWUiOiJTdGVw<wbr>aGVuIiwiZmFtaWx5X25hbWUiOiJIZW<wbr>5yaWUiLCJlbWFpbCI6InNoZW5yaWVA<wbr>Y2hhc3NpLmNvbSJ9.<wbr>AxhMpP3gMbh96BI7HNqLwZNjmUAiif<wbr>zGhouoLpHwjggWDf6YX-<wbr>6geJb7yhkWTg4b7i5wYBC7OQpstgmf<wbr>g01RIjQ_<wbr>BJsJz8jxEwouvIufEDwWkmbtp9z0VP<wbr>egRYi8y405RQya18W2-<wbr>m7lbi7LsBrK4cAJ-kgQ_-k5R_<wbr>vxQFuAgmgZC-NYYtpvP0swrTNxHO-<wbr>DHJEolYb9wXjk_<wbr>hFYEY9MBTqLeILvFEyjpkA_<wbr>66WEWWE_<wbr>zA6RTw6ZU1uiwEDOCsDMHjejVDaZzX<wbr>A78chQRAhlUcgQSG7ATZNKcU5hnDu2<wbr>bhQ79hugOdCa83Snl0RZUWXYoIB9vg<wbr>apJosAP5rBUbTdJA<br>2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.<wbr>ApiRestController : accept: */*<br>2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.<wbr>ApiRestController : host: spring-boot-oauth-demo.user-<wbr>dev.svc:8080<br>2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.<wbr>ApiRestController : RemoteAddr: 172.17.0.6<br><div><br></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann <span dir="ltr"><<a href="mailto:eric.wittmann@redhat.com" target="_blank">eric.wittmann@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">GitHub is back up. Here is the code (when running the servlet version of the gateway, not the vert.x version) that reads the inbound HTTP request headers, copying them into the ApiRequest bean:<div><br></div><div><a href="https://github.com/apiman/apiman/blob/master/gateway/platforms/servlet/src/main/java/io/apiman/gateway/platforms/servlet/GatewayServlet.java#L263-L280" target="_blank">https://github.com/apiman/apim<wbr>an/blob/master/gateway/platfor<wbr>ms/servlet/src/main/java/io/<wbr>apiman/gateway/platforms/<wbr>servlet/GatewayServlet.java#<wbr>L263-L280</a><br></div><div><br></div><div>The only header that gets skipped is X-API-Version.</div><div><br></div><div>-Eric</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann <span dir="ltr"><<a href="mailto:eric.wittmann@redhat.com" target="_blank">eric.wittmann@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">That's very interesting because I don't believe Apiman is stripping out any headers from the request (at any point). If that's happening I can't think of what the root cause might be. IIRC we just copy all request headers from the inbound HttpServletRequest into the ApiRequest bean.<div><br></div><div>GitHub is currently down so I can't send a link to the relevant code.... </div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_5229921678017232076m_2037964914919027775h5">On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie <span dir="ltr"><<a href="mailto:stephen@saasindustries.com" target="_blank">stephen@saasindustries.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_5229921678017232076m_2037964914919027775h5"><div dir="ltr"><div><div><div><div><br></div>I have Apiman running in an openshift environment, which is essentially a similar configuration to running in kubernetes. Each container/pod is always receiving http/s requests through an HA Proxy server, so that the x-forwarded-* set of headers get added to each request by the proxy server. <br><br>Unfortunately, it appears that the headers which are provided in the ApiRequet bean when the policy chain processor doApply() method is called does not include these proxy related headers. This means that the standard policies for the IP white and black listing policies do not work when the apiman gateway is behind a proxy server. The request.getRemoteAddr() method returns the ip address to the proxy server,
so there is no way to get the ip address of the originator since the x-forwarded-for header ( and related headers ) are not found.<br><br></div>Has anyone else experienced this? If so, is this by design?<br><br></div>Thanks!<span class="m_5229921678017232076m_2037964914919027775m_842804619941529027HOEnZb"><font color="#888888"><br><br></font></span></div><span class="m_5229921678017232076m_2037964914919027775m_842804619941529027HOEnZb"><font color="#888888">Stephen<br><br></font></span></div>
<br></div></div>______________________________<wbr>_________________<br>
Apiman-user mailing list<br>
<a href="mailto:Apiman-user@lists.jboss.org" target="_blank">Apiman-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/apiman-user</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div>
</blockquote></div><br></div>
</blockquote></div><br></div>