<div dir="ltr">There is also the Log policy that could be added, which will output the request headers to the wildfly console *before* proxying to the back-end API.</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 23, 2017 at 7:59 AM, Marc Savy <span dir="ltr"><<a href="mailto:marc.savy@redhat.com" target="_blank">marc.savy@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Stephen,<br>
<br>
Out of interest: can you replicate your setup, but with no policies in<br>
the chain to see what happens?<br>
<br>
Second, perhaps you can try the simple-header-policy<br>
(<a href="https://apiman.gitbooks.io/apiman-user-guide/user-guide/gateway/policies.html#_simple_header_policy" rel="noreferrer" target="_blank">https://apiman.gitbooks.io/<wbr>apiman-user-guide/user-guide/<wbr>gateway/policies.html#_simple_<wbr>header_policy</a>)<br>
and let me know what happens (just put some dummy config in and see<br>
whether the headers still disappear).<br>
<br>
I'll try to replicate your setup soon.<br>
<br>
Regards,<br>
Marc<br>
<div class="HOEnZb"><div class="h5"><br>
On 22 August 2017 at 17:13, Stephen Henrie <<a href="mailto:stephen@saasindustries.com">stephen@saasindustries.com</a>> wrote:<br>
> FWIW, it is in the policy code where I am not seeing these headers being set<br>
> correctly:<br>
><br>
> <a href="https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/IPWhitelistPolicy.java#L55" rel="noreferrer" target="_blank">https://github.com/apiman/<wbr>apiman/blob/master/gateway/<wbr>engine/policies/src/main/java/<wbr>io/apiman/gateway/engine/<wbr>policies/IPWhitelistPolicy.<wbr>java#L55</a><br>
><br>
><br>
><br>
> On Tue, Aug 22, 2017 at 11:01 AM, Stephen Henrie<br>
> <<a href="mailto:stephen@saasindustries.com">stephen@saasindustries.com</a>> wrote:<br>
>><br>
>> Eric, thanks for the response.<br>
>><br>
>> I had reviewed that code as well, so I believe you when you say that it<br>
>> should be passing all of those proxy headers along. However, check out below<br>
>> what I am seeing when posting a request to a test service that I am running.<br>
>> It simply dumps the headers The first request is made directly to the<br>
>> service without going through apiman and the second request is made through<br>
>> apiman.<br>
>><br>
>> I don't think that the issue is in the servlet code, but when these<br>
>> headers are passed into where policies applied, like somewhere where the<br>
>> ApiRequest class is created.<br>
>><br>
>> Thanks<br>
>> Stephen<br>
>><br>
>><br>
>> 2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : HEADERS:<br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : user-agent: Wget/1.19.1<br>
>> (darwin15.6.0)<br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : accept: */*<br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : accept-encoding: identity<br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : host:<br>
>> <a href="http://spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com" rel="noreferrer" target="_blank">spring-boot-oauth-demo-user-<wbr>dev.router.dev1.saasforge.com</a><br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : authorization: Bearer<br>
>> eyJhbGciOiJSUzI1NiIsInR5cCIgOi<wbr>AiSldUIiwia2lkIiA6ICJ1bVJaV1ct<wbr>ckJrVnZGUTNyNlhCWkVCNGZwamxGV2<wbr>FBcTBLWU1qZThEZnNjIn0.<wbr>eyJqdGkiOiI5ZWQ0YTQwOC05ZGM3LT<wbr>RlMzMtOTkxNy1mNjdkYWU1YjJjM2Yi<wbr>LCJleHAiOjE1MDM0MTc1NDAsIm5iZi<wbr>I6MCwiaWF0IjoxNTAzNDE3MjQwLCJp<wbr>c3MiOiJodHRwOi8vYXBwLmRldjEuc2<wbr>Fhc2ZvcmdlLmNvbS9hdXRoL3JlYWxt<wbr>cy9jaGFzc2kiLCJhdWQiOiJjaGFzc2<wbr>ktd2ViLWFwcCIsInN1YiI6ImI0ZGIx<wbr>ZmU5LTNmYzUtNDJjMy04NTg0LWQwZW<wbr>JlMzRhM2U5MyIsInR5cCI6IkJlYXJl<wbr>ciIsImF6cCI6ImNoYXNzaS13ZWItYX<wbr>BwIiwiYXV0aF90aW1lIjowLCJzZXNz<wbr>aW9uX3N0YXRlIjoiN2NmZjVhZDEtNj<wbr>E3NC00YzY1LTk5NGQtYzk4ZTdkNWFl<wbr>YzNhIiwiYWNyIjoiMSIsImFsbG93ZW<wbr>Qtb3JpZ2lucyI6WyJodHRwOi8vY2hh<wbr>c3NpLWF1dGgtcHJveHktdXNlci1kZX<wbr>Yucm91dGVyLmRldjIuc2Fhc2Zvcmdl<wbr>LmNvbTo3ODg4IiwiaHR0cDovL2F1dG<wbr>guZGV2MS5zYWFzZm9yZ2UuY29tLyoi<wbr>LCJodHRwOi8vYXV0aC11c2VyLWRldi<wbr>5yb3V0ZXIuZGV2MS5zYWFzZm9yZ2Uu<wbr>Y29tIiwiaHR0cDovL2FwcC5kZXYxLn<wbr>NhYXNmb3JnZS5jb20vKiIsImh0dHA6<wbr>Ly9kZXYxLWFwcHMuczMtd2Vic2l0ZS<wbr>11cy1lYXN0LTEuYW1hem9uYXdzLmNv<wbr>bS9kYXNoYm9hcmQiLCJodHRwOi8vbG<wbr>9jYWxob3N0OjMwMDEiLCJodHRwOi8v<wbr>YXBwLmRldjEuc2Fhc2ZvcmdlLmNvbT<wbr>o4MC8qIiwiaHR0cDovL2xvY2FsaG9z<wbr>dDozMDAwIiwiaHR0cHM6Ly9hcGkuZG<wbr>V2MS5zYWFzZm9yZ2UuY29tLyoiLCJo<wbr>dHRwOi8vYXBwLmRldjEuc2Fhc2Zvcm<wbr>dlLmNvbS9kYXNoYm9hcmQvKiIsImh0<wbr>dHA6Ly9hcHAuZGV2MS5zYWFzZm9yZ2<wbr>UuY29tL2JvYi1zbW9rZS10ZXN0Iiwi<wbr>aHR0cHM6Ly9hdXRoLmRldjEuc2Fhc2<wbr>ZvcmdlLmNvbS8qIl0sInJlYWxtX2Fj<wbr>Y2VzcyI6eyJyb2xlcyI6WyJiaWxsaW<wbr>5nLWFkbWluaXN0cmF0b3IiLCJ0ZW5h<wbr>bnQtb3duZXIiLCJkZXZlbG9wZXIiLC<wbr>J1bWFfYXV0aG9yaXphdGlvbiJdfSwi<wbr>cmVzb3VyY2VfYWNjZXNzIjp7ImFjY2<wbr>91bnQiOnsicm9sZXMiOlsibWFuYWdl<wbr>LWFjY291bnQiLCJtYW5hZ2UtYWNjb3<wbr>VudC1saW5rcyIsInZpZXctcHJvZmls<wbr>ZSJdfX0sIm5hbWUiOiJTdGVwaGVuIE<wbr>hlbnJpZSIsInByZWZlcnJlZF91c2Vy<wbr>bmFtZSI6InNoZW5yaWVAY2hhc3NpLm<wbr>NvbSIsImdpdmVuX25hbWUiOiJTdGVw<wbr>aGVuIiwiZmFtaWx5X25hbWUiOiJIZW<wbr>5yaWUiLCJlbWFpbCI6InNoZW5yaWVA<wbr>Y2hhc3NpLmNvbSJ9.<wbr>AxhMpP3gMbh96BI7HNqLwZNjmUAiif<wbr>zGhouoLpHwjggWDf6YX-<wbr>6geJb7yhkWTg4b7i5wYBC7OQpstgmf<wbr>g01RIjQ_<wbr>BJsJz8jxEwouvIufEDwWkmbtp9z0VP<wbr>egRYi8y405RQya18W2-<wbr>m7lbi7LsBrK4cAJ-kgQ_-k5R_<wbr>vxQFuAgmgZC-NYYtpvP0swrTNxHO-<wbr>DHJEolYb9wXjk_<wbr>hFYEY9MBTqLeILvFEyjpkA_<wbr>66WEWWE_<wbr>zA6RTw6ZU1uiwEDOCsDMHjejVDaZzX<wbr>A78chQRAhlUcgQSG7ATZNKcU5hnDu2<wbr>bhQ79hugOdCa83Snl0RZUWXYoIB9vg<wbr>apJosAP5rBUbTdJA<br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : x-forwarded-host:<br>
>> <a href="http://spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com" rel="noreferrer" target="_blank">spring-boot-oauth-demo-user-<wbr>dev.router.dev1.saasforge.com</a><br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : x-forwarded-port: 80<br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : x-forwarded-proto: http<br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : forwarded:<br>
>> for=71.86.141.114;host=<a href="http://spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com" rel="noreferrer" target="_blank">spring-<wbr>boot-oauth-demo-user-dev.<wbr>router.dev1.saasforge.com</a>;<wbr>proto=http<br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : x-forwarded-for: <a href="tel:71.86.141.114" value="+17186141114">71.86.141.114</a><br>
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]<br>
>> com.saas.controller.<wbr>ApiRestController : RemoteAddr: 172.17.0.1<br>
>><br>
>><br>
>><br>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]<br>
>> com.saas.controller.<wbr>ApiRestController : HEADERS:<br>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]<br>
>> com.saas.controller.<wbr>ApiRestController : user-agent: Wget/1.19.1<br>
>> (darwin15.6.0)<br>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]<br>
>> com.saas.controller.<wbr>ApiRestController : accept-encoding: identity<br>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]<br>
>> com.saas.controller.<wbr>ApiRestController : connection: Keep-Alive<br>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]<br>
>> com.saas.controller.<wbr>ApiRestController : authorization: Bearer<br>
>> eyJhbGciOiJSUzI1NiIsInR5cCIgOi<wbr>AiSldUIiwia2lkIiA6ICJ1bVJaV1ct<wbr>ckJrVnZGUTNyNlhCWkVCNGZwamxGV2<wbr>FBcTBLWU1qZThEZnNjIn0.<wbr>eyJqdGkiOiI5ZWQ0YTQwOC05ZGM3LT<wbr>RlMzMtOTkxNy1mNjdkYWU1YjJjM2Yi<wbr>LCJleHAiOjE1MDM0MTc1NDAsIm5iZi<wbr>I6MCwiaWF0IjoxNTAzNDE3MjQwLCJp<wbr>c3MiOiJodHRwOi8vYXBwLmRldjEuc2<wbr>Fhc2ZvcmdlLmNvbS9hdXRoL3JlYWxt<wbr>cy9jaGFzc2kiLCJhdWQiOiJjaGFzc2<wbr>ktd2ViLWFwcCIsInN1YiI6ImI0ZGIx<wbr>ZmU5LTNmYzUtNDJjMy04NTg0LWQwZW<wbr>JlMzRhM2U5MyIsInR5cCI6IkJlYXJl<wbr>ciIsImF6cCI6ImNoYXNzaS13ZWItYX<wbr>BwIiwiYXV0aF90aW1lIjowLCJzZXNz<wbr>aW9uX3N0YXRlIjoiN2NmZjVhZDEtNj<wbr>E3NC00YzY1LTk5NGQtYzk4ZTdkNWFl<wbr>YzNhIiwiYWNyIjoiMSIsImFsbG93ZW<wbr>Qtb3JpZ2lucyI6WyJodHRwOi8vY2hh<wbr>c3NpLWF1dGgtcHJveHktdXNlci1kZX<wbr>Yucm91dGVyLmRldjIuc2Fhc2Zvcmdl<wbr>LmNvbTo3ODg4IiwiaHR0cDovL2F1dG<wbr>guZGV2MS5zYWFzZm9yZ2UuY29tLyoi<wbr>LCJodHRwOi8vYXV0aC11c2VyLWRldi<wbr>5yb3V0ZXIuZGV2MS5zYWFzZm9yZ2Uu<wbr>Y29tIiwiaHR0cDovL2FwcC5kZXYxLn<wbr>NhYXNmb3JnZS5jb20vKiIsImh0dHA6<wbr>Ly9kZXYxLWFwcHMuczMtd2Vic2l0ZS<wbr>11cy1lYXN0LTEuYW1hem9uYXdzLmNv<wbr>bS9kYXNoYm9hcmQiLCJodHRwOi8vbG<wbr>9jYWxob3N0OjMwMDEiLCJodHRwOi8v<wbr>YXBwLmRldjEuc2Fhc2ZvcmdlLmNvbT<wbr>o4MC8qIiwiaHR0cDovL2xvY2FsaG9z<wbr>dDozMDAwIiwiaHR0cHM6Ly9hcGkuZG<wbr>V2MS5zYWFzZm9yZ2UuY29tLyoiLCJo<wbr>dHRwOi8vYXBwLmRldjEuc2Fhc2Zvcm<wbr>dlLmNvbS9kYXNoYm9hcmQvKiIsImh0<wbr>dHA6Ly9hcHAuZGV2MS5zYWFzZm9yZ2<wbr>UuY29tL2JvYi1zbW9rZS10ZXN0Iiwi<wbr>aHR0cHM6Ly9hdXRoLmRldjEuc2Fhc2<wbr>ZvcmdlLmNvbS8qIl0sInJlYWxtX2Fj<wbr>Y2VzcyI6eyJyb2xlcyI6WyJiaWxsaW<wbr>5nLWFkbWluaXN0cmF0b3IiLCJ0ZW5h<wbr>bnQtb3duZXIiLCJkZXZlbG9wZXIiLC<wbr>J1bWFfYXV0aG9yaXphdGlvbiJdfSwi<wbr>cmVzb3VyY2VfYWNjZXNzIjp7ImFjY2<wbr>91bnQiOnsicm9sZXMiOlsibWFuYWdl<wbr>LWFjY291bnQiLCJtYW5hZ2UtYWNjb3<wbr>VudC1saW5rcyIsInZpZXctcHJvZmls<wbr>ZSJdfX0sIm5hbWUiOiJTdGVwaGVuIE<wbr>hlbnJpZSIsInByZWZlcnJlZF91c2Vy<wbr>bmFtZSI6InNoZW5yaWVAY2hhc3NpLm<wbr>NvbSIsImdpdmVuX25hbWUiOiJTdGVw<wbr>aGVuIiwiZmFtaWx5X25hbWUiOiJIZW<wbr>5yaWUiLCJlbWFpbCI6InNoZW5yaWVA<wbr>Y2hhc3NpLmNvbSJ9.<wbr>AxhMpP3gMbh96BI7HNqLwZNjmUAiif<wbr>zGhouoLpHwjggWDf6YX-<wbr>6geJb7yhkWTg4b7i5wYBC7OQpstgmf<wbr>g01RIjQ_<wbr>BJsJz8jxEwouvIufEDwWkmbtp9z0VP<wbr>egRYi8y405RQya18W2-<wbr>m7lbi7LsBrK4cAJ-kgQ_-k5R_<wbr>vxQFuAgmgZC-NYYtpvP0swrTNxHO-<wbr>DHJEolYb9wXjk_<wbr>hFYEY9MBTqLeILvFEyjpkA_<wbr>66WEWWE_<wbr>zA6RTw6ZU1uiwEDOCsDMHjejVDaZzX<wbr>A78chQRAhlUcgQSG7ATZNKcU5hnDu2<wbr>bhQ79hugOdCa83Snl0RZUWXYoIB9vg<wbr>apJosAP5rBUbTdJA<br>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]<br>
>> com.saas.controller.<wbr>ApiRestController : accept: */*<br>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]<br>
>> com.saas.controller.<wbr>ApiRestController : host:<br>
>> spring-boot-oauth-demo.user-<wbr>dev.svc:8080<br>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]<br>
>> com.saas.controller.<wbr>ApiRestController : RemoteAddr: 172.17.0.6<br>
>><br>
>><br>
>> On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann <<a href="mailto:eric.wittmann@redhat.com">eric.wittmann@redhat.com</a>><br>
>> wrote:<br>
>>><br>
>>> GitHub is back up. Here is the code (when running the servlet version of<br>
>>> the gateway, not the vert.x version) that reads the inbound HTTP request<br>
>>> headers, copying them into the ApiRequest bean:<br>
>>><br>
>>><br>
>>> <a href="https://github.com/apiman/apiman/blob/master/gateway/platforms/servlet/src/main/java/io/apiman/gateway/platforms/servlet/GatewayServlet.java#L263-L280" rel="noreferrer" target="_blank">https://github.com/apiman/<wbr>apiman/blob/master/gateway/<wbr>platforms/servlet/src/main/<wbr>java/io/apiman/gateway/<wbr>platforms/servlet/<wbr>GatewayServlet.java#L263-L280</a><br>
>>><br>
>>> The only header that gets skipped is X-API-Version.<br>
>>><br>
>>> -Eric<br>
>>><br>
>>><br>
>>> On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann<br>
>>> <<a href="mailto:eric.wittmann@redhat.com">eric.wittmann@redhat.com</a>> wrote:<br>
>>>><br>
>>>> That's very interesting because I don't believe Apiman is stripping out<br>
>>>> any headers from the request (at any point). If that's happening I can't<br>
>>>> think of what the root cause might be. IIRC we just copy all request<br>
>>>> headers from the inbound HttpServletRequest into the ApiRequest bean.<br>
>>>><br>
>>>> GitHub is currently down so I can't send a link to the relevant code....<br>
>>>><br>
>>>> On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie<br>
>>>> <<a href="mailto:stephen@saasindustries.com">stephen@saasindustries.com</a>> wrote:<br>
>>>>><br>
>>>>><br>
>>>>> I have Apiman running in an openshift environment, which is essentially<br>
>>>>> a similar configuration to running in kubernetes. Each container/pod is<br>
>>>>> always receiving http/s requests through an HA Proxy server, so that the<br>
>>>>> x-forwarded-* set of headers get added to each request by the proxy server.<br>
>>>>><br>
>>>>> Unfortunately, it appears that the headers which are provided in the<br>
>>>>> ApiRequet bean when the policy chain processor doApply() method is called<br>
>>>>> does not include these proxy related headers. This means that the standard<br>
>>>>> policies for the IP white and black listing policies do not work when the<br>
>>>>> apiman gateway is behind a proxy server. The request.getRemoteAddr() method<br>
>>>>> returns the ip address to the proxy server, so there is no way to get the ip<br>
>>>>> address of the originator since the x-forwarded-for header ( and related<br>
>>>>> headers ) are not found.<br>
>>>>><br>
>>>>> Has anyone else experienced this? If so, is this by design?<br>
>>>>><br>
>>>>> Thanks!<br>
>>>>><br>
>>>>> Stephen<br>
>>>>><br>
>>>>><br>
>>>>> ______________________________<wbr>_________________<br>
>>>>> Apiman-user mailing list<br>
>>>>> <a href="mailto:Apiman-user@lists.jboss.org">Apiman-user@lists.jboss.org</a><br>
>>>>> <a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/apiman-user</a><br>
>>>>><br>
>>>><br>
>>><br>
>><br>
><br>
><br>
> ______________________________<wbr>_________________<br>
> Apiman-user mailing list<br>
> <a href="mailto:Apiman-user@lists.jboss.org">Apiman-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/apiman-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/apiman-user</a><br>
><br>
</div></div></blockquote></div><br></div>