[Apiman-user] Proxy headers missing for processing policies

Stephen Henrie stephen at saasindustries.com
Tue Aug 22 12:01:04 EDT 2017


Eric, thanks for the response.

I had reviewed that code as well, so I believe you when you say that it
should be passing all of those proxy headers along. However, check out
below what I am seeing when posting a request to a test service that I am
running. It simply dumps the headers. The first request is made directly to
the service without going through apiman and the second request is made
through apiman.

I don't think that the issue is in the servlet code, but when these headers
are passed into where policies are applied, like somewhere where the ApiRequest
class is created.

Thanks
Stephen


2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : HEADERS:
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : user-agent: Wget/1.19.1
(darwin15.6.0)
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : accept: */*
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : accept-encoding: identity
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : host:
spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : authorization: Bearer
[JWT omitted]
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : x-forwarded-host:
spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : x-forwarded-port: 80
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : x-forwarded-proto: http
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : forwarded:
for=71.86.141.114;host=
spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com;proto=http
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : x-forwarded-for: 71.86.141.114
2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
com.saas.controller.ApiRestController    : RemoteAddr: 172.17.0.1



2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
com.saas.controller.ApiRestController    : HEADERS:
2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
com.saas.controller.ApiRestController    : user-agent: Wget/1.19.1
(darwin15.6.0)
2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
com.saas.controller.ApiRestController    : accept-encoding: identity
2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
com.saas.controller.ApiRestController    : connection: Keep-Alive
2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
com.saas.controller.ApiRestController    : authorization: Bearer
[JWT omitted]
2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
com.saas.controller.ApiRestController    : accept: */*
2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
com.saas.controller.ApiRestController    : host:
spring-boot-oauth-demo.user-dev.svc:8080
2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
com.saas.controller.ApiRestController    : RemoteAddr: 172.17.0.6


On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann <eric.wittmann at redhat.com>
wrote:

> GitHub is back up.  Here is the code (when running the servlet version of
> the gateway, not the vert.x version) that reads the inbound HTTP request
> headers, copying them into the ApiRequest bean:
>
> https://github.com/apiman/apiman/blob/master/gateway/
> platforms/servlet/src/main/java/io/apiman/gateway/platforms/servlet/
> GatewayServlet.java#L263-L280
>
> The only header that gets skipped is X-API-Version.
>
> -Eric
>
>
> On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann <eric.wittmann at redhat.com>
> wrote:
>
>> That's very interesting because I don't believe Apiman is stripping out
>> any headers from the request (at any point).  If that's happening I can't
>> think of what the root cause might be.  IIRC we just copy all request
>> headers from the inbound HttpServletRequest into the ApiRequest bean.
>>
>> GitHub is currently down so I can't send a link to the relevant code....
>>
>> On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie <
>> stephen at saasindustries.com> wrote:
>>
>>>
>>> I have Apiman running in an openshift environment, which is essentially
>>> a similar configuration to running in kubernetes. Each container/pod is
>>> always receiving http/s requests through an HA Proxy server, so that the
>>> x-forwarded-* set of headers get added to each request by the proxy server.
>>>
>>> Unfortunately, it appears that the headers which are provided in the
>>> ApiRequest bean when the policy chain processor doApply() method is called
>>> do not include these proxy related headers.  This means that the standard
>>> policies for the IP white and black listing policies do not work when the
>>> apiman gateway is behind a proxy server.  The request.getRemoteAddr()
>>> method returns the ip address to the proxy server, so there is no way to
>>> get the ip address of the originator since the x-forwarded-for header (and
>>> related headers) are not found.
>>>
>>> Has anyone else experienced this?  If so, is this by design?
>>>
>>> Thanks!
>>>
>>> Stephen
>>>
>>>
>>
>
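
The effect described in this thread on IP allow/deny policies, as an added example that is not part of the original messages and is not Apiman code: a resolver that honours X-Forwarded-For only when the direct peer is a trusted proxy, run against the RemoteAddr and x-forwarded-for values from the two header dumps above. The class and method names are hypothetical, the trusted-proxy set is an assumption, and exact-match addresses stand in for CIDR ranges.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Added illustration; not Apiman code. Class and method names are hypothetical.
public class ClientIpResolver {

    /**
     * Returns the address an IP allow/deny list should evaluate.
     * X-Forwarded-For is honoured only when the direct peer is a trusted proxy,
     * because any client can send that header itself.
     */
    static String resolve(String remoteAddr, Map<String, String> headers,
                          Set<String> trustedProxies) {
        if (!trustedProxies.contains(remoteAddr)) {
            return remoteAddr; // direct peer is not our proxy: ignore the header
        }
        // Header names are case-insensitive, so normalise the lookup.
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        h.putAll(headers);
        String xff = h.get("X-Forwarded-For");
        if (xff == null || xff.trim().isEmpty()) {
            return remoteAddr; // header missing: only the proxy address is known
        }
        // Each proxy appends the peer it saw, so walk right to left and stop at
        // the first hop that is not one of our own proxies.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr; // every listed hop was one of our proxies
    }

    public static void main(String[] args) {
        // Assumption: both container-network addresses in the dumps are trusted hops.
        Set<String> trusted = Set.of("172.17.0.1", "172.17.0.6");
        // First dump (direct to the service): the router added x-forwarded-for.
        System.out.println(resolve("172.17.0.1",
                Map.of("x-forwarded-for", "71.86.141.114"), trusted));
        // Second dump (through apiman): no forwarding headers arrived.
        System.out.println(resolve("172.17.0.6",
                Map.of("host", "spring-boot-oauth-demo.user-dev.svc:8080"), trusted));
    }
}
```

When the forwarding headers are absent, the resolver can only return the internal hop address, so an IP allow/deny rule written against real client addresses never matches.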