[Apiman-user] Proxy headers missing for processing policies

Stephen Henrie stephen at saasindustries.com
Tue Aug 22 12:13:16 EDT 2017


FWIW, it is in the policy code where I am not seeing these headers being
set correctly:

https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/IPWhitelistPolicy.java#L55



On Tue, Aug 22, 2017 at 11:01 AM, Stephen Henrie <stephen at saasindustries.com> wrote:

> Eric, thanks for the response.
>
> I had reviewed that code as well, so I believe you when you say that it
> should be passing all of those proxy headers along. However, check out
> below what I am seeing when posting a request to a test service that I am
> running. It simply dumps the headers. The first request is made directly to
> the service without going through apiman and the second request is made
> through apiman.
>
> I don't think that the issue is in the servlet code, but when these
> headers are passed into where policies are applied, like somewhere where the
> ApiRequest class is created.
>
> Thanks
> Stephen
>
>
> 2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : HEADERS:
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : user-agent: Wget/1.19.1 (darwin15.6.0)
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : accept: */*
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : accept-encoding: identity
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : host: spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : authorization: Bearer [JWT omitted]
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-host: spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-port: 80
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-proto: http
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : forwarded: for=71.86.141.114;host=spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com;proto=http
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-for: 71.86.141.114
> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : RemoteAddr: 172.17.0.1
>
>
>
> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : HEADERS:
> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : user-agent: Wget/1.19.1 (darwin15.6.0)
> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : accept-encoding: identity
> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : connection: Keep-Alive
> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : authorization: Bearer [JWT omitted]
> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : accept: */*
> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : host: spring-boot-oauth-demo.user-dev.svc:8080
> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : RemoteAddr: 172.17.0.6
>
>
> On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann <eric.wittmann at redhat.com>
> wrote:
>
>> GitHub is back up.  Here is the code (when running the servlet version of
>> the gateway, not the vert.x version) that reads the inbound HTTP request
>> headers, copying them into the ApiRequest bean:
>>
>> https://github.com/apiman/apiman/blob/master/gateway/platforms/servlet/src/main/java/io/apiman/gateway/platforms/servlet/GatewayServlet.java#L263-L280
>>
>> The only header that gets skipped is X-API-Version.
>>
>> -Eric
>>
>>
>> On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann <eric.wittmann at redhat.com> wrote:
>>
>>> That's very interesting because I don't believe Apiman is stripping out
>>> any headers from the request (at any point).  If that's happening I can't
>>> think of what the root cause might be.  IIRC we just copy all request
>>> headers from the inbound HttpServletRequest into the ApiRequest bean.
>>>
>>> GitHub is currently down so I can't send a link to the relevant code....
>>>
>>> On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie <
>>> stephen at saasindustries.com> wrote:
>>>
>>>>
>>>> I have Apiman running in an OpenShift environment, which is essentially
>>>> a similar configuration to running in Kubernetes. Each container/pod is
>>>> always receiving http/s requests through an HA Proxy server, so that the
>>>> x-forwarded-* set of headers get added to each request by the proxy server.
>>>>
>>>> Unfortunately, it appears that the headers which are provided in the
>>>> ApiRequest bean when the policy chain processor doApply() method is called
>>>> do not include these proxy related headers.  This means that the standard
>>>> policies for the IP white and black listing policies do not work when the
>>>> apiman gateway is behind a proxy server.  The request.getRemoteAddr()
>>>> method returns the IP address of the proxy server, so there is no way to
>>>> get the IP address of the originator since the x-forwarded-for header (and
>>>> related headers) are not found.
>>>>
>>>> Has anyone else experienced this?  If so, is this by design?
>>>>
>>>> Thanks!
>>>>
>>>> Stephen
>>>>
>>>
>>
>
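
The check the original report depends on, as an added example (not code from Apiman or from anyone in this thread): an IP allowlist decision that honours `X-Forwarded-For` only when the TCP peer is a trusted proxy. The trusted network `172.17.0.0/16`, the allowlist, the function names and the `SPOOFED` case are assumptions made for illustration; the other two header sets are the ones logged above.

```python
import ipaddress

# Assumption: only peers on the container network seen in the logs may
# vouch for a client address. Header names are expected in lower case.
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """Return the address an IP allow/deny policy should evaluate."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        return str(peer)      # untrusted peer: its header proves nothing
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, anything further left may have been supplied by the client.
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)          # header missing, or only trusted hops listed


def allowed(remote_addr, headers, allowlist):
    ip = ipaddress.ip_address(client_ip(remote_addr, headers))
    return any(ip in ipaddress.ip_network(net) for net in allowlist)


# (RemoteAddr, headers) as logged by the test service in the thread.
DIRECT = ("172.17.0.1", {"x-forwarded-for": "71.86.141.114"})
VIA_GATEWAY = ("172.17.0.6", {})  # proxy headers did not arrive
# Constructed case: an untrusted peer sending the header itself.
SPOOFED = ("203.0.113.9", {"x-forwarded-for": "71.86.141.114"})
ALLOWLIST = ["71.86.141.114/32"]  # constructed allowlist

if __name__ == "__main__":
    cases = [("direct", DIRECT), ("via gateway", VIA_GATEWAY), ("spoofed", SPOOFED)]
    for name, (peer, hdrs) in cases:
        print(name, client_ip(peer, hdrs), allowed(peer, hdrs, ALLOWLIST))
```

With the headers missing, the policy can only evaluate the proxy's own address, which is the failure described in the first message of the thread.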