Thanks for the update, Stephen. Useful to know this as I'm sure other
folk could run into the same issue.
On 31 August 2017 at 18:34, Stephen Henrie <stephen(a)saasindustries.com> wrote:
Hi Marc,
Thanks for having spent some time looking into this, but after a
discussion with my network architect this morning, which I have not been
able to get a hold of until today, I think we may have found the source of
the issue and it most likely has nothing to do with Apiman. We are going to
try to confirm it today. Apparently the default HAProxy configuration for
the HTTPS protocol within kubernetes does not set the proxy headers like
they do for http traffic; not sure why this is.
Stephen
On Wed, Aug 23, 2017 at 4:59 AM, Marc Savy <marc.savy(a)redhat.com> wrote:
>
> Hi Stephen,
>
> Out of interest: can you replicate your setup, but with no policies in
> the chain to see what happens?
>
> Second, perhaps you can try the simple-header-policy
> (https://apiman.gitbooks.io/apiman-user-guide/user-guide/gateway/policies....)
> and let me know what happens (just put some dummy config in and see
> whether the headers still disappear).
>
> I'll try to replicate your setup soon.
>
> Regards,
> Marc
>
> On 22 August 2017 at 17:13, Stephen Henrie <stephen(a)saasindustries.com>
> wrote:
> > FWIW, it is in the policy code where I am not seeing these headers being
> > set correctly:
> >
> > https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/...
> >
> >
> >
> > On Tue, Aug 22, 2017 at 11:01 AM, Stephen Henrie
> > <stephen(a)saasindustries.com> wrote:
> >>
> >> Eric, thanks for the response.
> >>
> >> I had reviewed that code as well, so I believe you when you say that it
> >> should be passing all of those proxy headers along. However, check out
> >> below what I am seeing when posting a request to a test service that I am
> >> running. It simply dumps the headers. The first request is made directly
> >> to the service without going through apiman and the second request is
> >> made through apiman.
> >>
> >> I don't think that the issue is in the servlet code, but when these
> >> headers are passed into where policies are applied, like somewhere where
> >> the ApiRequest class is created.
> >>
> >> Thanks
> >> Stephen
> >>
> >>
> >> 2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : HEADERS:
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : user-agent: Wget/1.19.1 (darwin15.6.0)
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : accept: */*
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : accept-encoding: identity
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : host: spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : authorization: Bearer
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-host: spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-port: 80
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-proto: http
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : forwarded: for=71.86.141.114;host=spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com;proto=http
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-for: 71.86.141.114
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : RemoteAddr: 172.17.0.1
> >>
> >>
> >>
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : HEADERS:
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : user-agent: Wget/1.19.1 (darwin15.6.0)
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : accept-encoding: identity
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : connection: Keep-Alive
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : authorization: Bearer
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : accept: */*
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : host: spring-boot-oauth-demo.user-dev.svc:8080
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : RemoteAddr: 172.17.0.6
> >>
> >>
> >> On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann
> >> <eric.wittmann(a)redhat.com> wrote:
> >>>
> >>> GitHub is back up. Here is the code (when running the servlet version
> >>> of the gateway, not the vert.x version) that reads the inbound HTTP
> >>> request headers, copying them into the ApiRequest bean:
> >>>
> >>> https://github.com/apiman/apiman/blob/master/gateway/platforms/servlet/sr...
> >>>
> >>> The only header that gets skipped is X-API-Version.
> >>>
> >>> -Eric
> >>>
> >>>
> >>> On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann
> >>> <eric.wittmann(a)redhat.com> wrote:
> >>>>
> >>>> That's very interesting because I don't believe Apiman is stripping
> >>>> out any headers from the request (at any point). If that's happening I
> >>>> can't think of what the root cause might be. IIRC we just copy all
> >>>> request headers from the inbound HttpServletRequest into the ApiRequest
> >>>> bean.
> >>>>
> >>>> GitHub is currently down so I can't send a link to the relevant
> >>>> code....
> >>>>
> >>>> On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie
> >>>> <stephen(a)saasindustries.com> wrote:
> >>>>>
> >>>>>
> >>>>> I have Apiman running in an openshift environment, which is
> >>>>> essentially a similar configuration to running in kubernetes. Each
> >>>>> container/pod is always receiving http/s requests through an HA Proxy
> >>>>> server, so that the x-forwarded-* set of headers get added to each
> >>>>> request by the proxy server.
> >>>>>
> >>>>> Unfortunately, it appears that the headers which are provided in the
> >>>>> ApiRequest bean when the policy chain processor doApply() method is
> >>>>> called do not include these proxy related headers. This means that the
> >>>>> standard policies for the IP white and black listing policies do not
> >>>>> work when the apiman gateway is behind a proxy server. The
> >>>>> request.getRemoteAddr() method returns the ip address to the proxy
> >>>>> server, so there is no way to get the ip address of the originator
> >>>>> since the x-forwarded-for header (and related headers) are not found.
> >>>>>
> >>>>> Has anyone else experienced this? If so, is this by design?
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> Stephen
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Apiman-user mailing list
> >>>>> Apiman-user(a)lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
> >>>>>
> >>>>
> >>>
> >>
> >
> >
> >
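
Added example (not part of the thread, and not Apiman code): the failure mode discussed above, where an IP allow/deny check behind a proxy ends up evaluating the proxy's own address once x-forwarded-for is missing. The trusted range 172.17.0.0/16 and all function names are assumptions; the two sample requests are constructed from the header dumps quoted in the thread.

```python
import ipaddress

# Assumption: peers in this range are proxies we operate (the thread's
# RemoteAddr values, 172.17.0.1 and 172.17.0.6, fall inside it).
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]

# Constructed from the two header dumps quoted in the thread.
DIRECT = ({"x-forwarded-for": "71.86.141.114", "x-forwarded-proto": "http",
           "x-forwarded-port": "80"}, "172.17.0.1")
VIA_GATEWAY = ({"host": "spring-boot-oauth-demo.user-dev.svc:8080"}, "172.17.0.6")


def _trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed entry
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(headers, remote_addr):
    """Return (ip, source); forwarding headers count only from a trusted peer."""
    if not _trusted(remote_addr):
        return remote_addr, "peer"  # untrusted peer: ignore whatever it sent
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk right to left: the rightmost hop we do not operate is the client.
    for hop in reversed([h for h in hops if h]):
        try:
            if not _trusted(hop):
                return hop, "x-forwarded-for"
        except ValueError:
            break  # malformed entry: stop trusting the rest of the chain
    return remote_addr, "peer-fallback"  # header missing or unusable


def ip_allowed(headers, remote_addr, allowlist):
    """Return (allowed, ip, source) for an IP allowlist policy."""
    ip, source = client_ip(headers, remote_addr)
    # Fail closed when a proxied request has no usable header; otherwise
    # the list would be evaluated against the proxy's own address.
    if source == "peer-fallback":
        return False, ip, source
    return ip in allowlist, ip, source


if __name__ == "__main__":
    for name, (hdrs, peer) in (("direct", DIRECT), ("via gateway", VIA_GATEWAY)):
        print(name, ip_allowed(hdrs, peer, {"71.86.141.114"}))
```

The "peer-fallback" result is also worth logging or alerting on, since it shows a route that is not setting the proxy headers.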