Hi Stephen,
Out of interest: can you replicate your setup, but with no policies in
the chain to see what happens?
Second, perhaps you can try the simple-header-policy
(https://apiman.gitbooks.io/apiman-user-guide/user-guide/gateway/policies.html#_simple_header_policy)
and let me know what happens (just put some dummy config in and see
whether the headers still disappear).
I'll try to replicate your setup soon.
Regards,
Marc
On 22 August 2017 at 17:13, Stephen Henrie <stephen@saasindustries.com> wrote:
> FWIW, it is in the policy code where I am not seeing these headers being set
> correctly:
>
> https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/IPWhitelistPolicy.java#L55
>
>
>
> On Tue, Aug 22, 2017 at 11:01 AM, Stephen Henrie
> <stephen@saasindustries.com> wrote:
>>
>> Eric, thanks for the response.
>>
>> I had reviewed that code as well, so I believe you when you say that it
>> should be passing all of those proxy headers along. However, check out below
>> what I am seeing when posting a request to a test service that I am running.
>> It simply dumps the headers. The first request is made directly to the
>> service without going through apiman and the second request is made through
>> apiman.
>>
>> I don't think that the issue is in the servlet code, but when these
>> headers are passed into where policies are applied, like somewhere where the
>> ApiRequest class is created.
>>
>> Thanks
>> Stephen
>>
>>
>> 2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : HEADERS:
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : user-agent: Wget/1.19.1
>> (darwin15.6.0)
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : accept: */*
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : accept-encoding: identity
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : host:
>> spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : authorization: Bearer
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : x-forwarded-host:
>> spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : x-forwarded-port: 80
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : x-forwarded-proto: http
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : forwarded:
>> for=71.86.141.114;host=spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com;proto=http
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : x-forwarded-for: 71.86.141.114
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> com.saas.controller.ApiRestController : RemoteAddr: 172.17.0.1
>>
>>
>>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> com.saas.controller.ApiRestController : HEADERS:
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> com.saas.controller.ApiRestController : user-agent: Wget/1.19.1
>> (darwin15.6.0)
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> com.saas.controller.ApiRestController : accept-encoding: identity
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> com.saas.controller.ApiRestController : connection: Keep-Alive
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> com.saas.controller.ApiRestController : authorization: Bearer
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> com.saas.controller.ApiRestController : accept: */*
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> com.saas.controller.ApiRestController : host:
>> spring-boot-oauth-demo.user-dev.svc:8080
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> com.saas.controller.ApiRestController : RemoteAddr: 172.17.0.6
>>
>>
>> On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann <eric.wittmann@redhat.com>
>> wrote:
>>>
>>> GitHub is back up. Here is the code (when running the servlet version of
>>> the gateway, not the vert.x version) that reads the inbound HTTP request
>>> headers, copying them into the ApiRequest bean:
>>>
>>>
>>> https://github.com/apiman/apiman/blob/master/gateway/platforms/servlet/src/main/java/io/apiman/gateway/platforms/servlet/GatewayServlet.java#L263-L280
>>>
>>> The only header that gets skipped is X-API-Version.
>>>
>>> -Eric
>>>
>>>
>>> On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann
>>> <eric.wittmann@redhat.com> wrote:
>>>>
>>>> That's very interesting because I don't believe Apiman is stripping out
>>>> any headers from the request (at any point). If that's happening I can't
>>>> think of what the root cause might be. IIRC we just copy all request
>>>> headers from the inbound HttpServletRequest into the ApiRequest bean.
>>>>
>>>> GitHub is currently down so I can't send a link to the relevant code....
>>>>
>>>> On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie
>>>> <stephen@saasindustries.com> wrote:
>>>>>
>>>>>
>>>>> I have Apiman running in an openshift environment, which is essentially
>>>>> a similar configuration to running in kubernetes. Each container/pod is
>>>>> always receiving http/s requests through an HA Proxy server, so that the
>>>>> x-forwarded-* set of headers get added to each request by the proxy server.
>>>>>
>>>>> Unfortunately, it appears that the headers which are provided in the
>>>>> ApiRequest bean when the policy chain processor doApply() method is called
>>>>> do not include these proxy related headers. This means that the standard
>>>>> policies for the IP white and black listing policies do not work when the
>>>>> apiman gateway is behind a proxy server. The request.getRemoteAddr() method
>>>>> returns the ip address of the proxy server, so there is no way to get the ip
>>>>> address of the originator since the x-forwarded-for header (and related
>>>>> headers) are not found.
>>>>>
>>>>> Has anyone else experienced this? If so, is this by design?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Stephen
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Apiman-user mailing list
>>>>> Apiman-user@lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>>>
>>>>
>>>
>>
>
>
>
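The thread turns on which address an IP allow/deny policy evaluates when the gateway sits behind a proxy. The following is an added example, not apiman code and not from any participant in the thread: a resolver that honours X-Forwarded-For only when the TCP peer is a trusted proxy, and then takes the rightmost hop that is not itself a proxy. The class name, the `TRUSTED_PROXIES` range (chosen to match the 172.17.0.x RemoteAddr values in the log above) and the IPv4-only parsing are assumptions.

```java
import java.util.List;

public class ForwardedClientIp {
    // Assumption: the only peers allowed to assert X-Forwarded-For (CIDR, IPv4 only).
    static final List<String> TRUSTED_PROXIES = List.of("172.17.0.0/16");

    // Parse a dotted-quad literal without DNS lookups; header values are untrusted input.
    static int toInt(String ip) {
        String[] octets = ip.trim().split("\\.");
        if (octets.length != 4) throw new IllegalArgumentException("not IPv4: " + ip);
        int value = 0;
        for (String o : octets) {
            if (!o.matches("\\d{1,3}") || Integer.parseInt(o) > 255)
                throw new IllegalArgumentException("not IPv4: " + ip);
            value = (value << 8) | Integer.parseInt(o);
        }
        return value;
    }

    static boolean isTrustedProxy(String ip) {
        for (String cidr : TRUSTED_PROXIES) {
            String[] p = cidr.split("/");
            int bits = Integer.parseInt(p[1]);
            int mask = bits == 0 ? 0 : -1 << (32 - bits);
            if ((toInt(ip) & mask) == (toInt(p[0]) & mask)) return true;
        }
        return false;
    }

    // Address a policy should evaluate. Throws on a malformed hop so the caller can reject.
    static String clientIp(String remoteAddr, String xForwardedFor) {
        // Header absent, or sent by a peer that is not our proxy: use the socket address.
        if (xForwardedFor == null || !isTrustedProxy(remoteAddr)) return remoteAddr;
        String[] hops = xForwardedFor.split(",");
        // Walk right to left: entries appended by our own proxies are the reliable ones.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!isTrustedProxy(hop)) return hop;
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed inputs based on the addresses in the log above.
        System.out.println(clientIp("172.17.0.1", "71.86.141.114"));               // via proxy, header present
        System.out.println(clientIp("172.17.0.6", null));                          // header missing at the policy
        System.out.println(clientIp("203.0.113.9", "10.0.0.1"));                   // header from an untrusted peer
        System.out.println(clientIp("172.17.0.1", "198.51.100.7, 71.86.141.114")); // client-supplied leading hop
    }
}
```

With the header missing, the policy can only see the internal proxy address, which is the behaviour reported at the start of the thread.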