[Apiman-user] Proxy headers missing for processing policies

Eric Wittmann eric.wittmann at redhat.com
Wed Aug 23 08:13:57 EDT 2017


There is also the Log policy that could be added, which will output the
request headers to the wildfly console *before* proxying to the back-end
API.

On Wed, Aug 23, 2017 at 7:59 AM, Marc Savy <marc.savy at redhat.com> wrote:

> Hi Stephen,
>
> Out of interest: can you replicate your setup, but with no policies in
> the chain to see what happens?
>
> Second, perhaps you can try the simple-header-policy
> (https://apiman.gitbooks.io/apiman-user-guide/user-guide/gateway/policies.html#_simple_header_policy)
> and let me know what happens (just put some dummy config in and see
> whether the headers still disappear).
>
> I'll try to replicate your setup soon.
>
> Regards,
> Marc
>
> On 22 August 2017 at 17:13, Stephen Henrie <stephen at saasindustries.com>
> wrote:
> > FWIW, it is in the policy code where I am not seeing these headers being
> > set correctly:
> >
> > https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/IPWhitelistPolicy.java#L55
> >
> >
> >
> > On Tue, Aug 22, 2017 at 11:01 AM, Stephen Henrie
> > <stephen at saasindustries.com> wrote:
> >>
> >> Eric, thanks for the response.
> >>
> >> I had reviewed that code as well, so I believe you when you say that it
> >> should be passing all of those proxy headers along. However, check out
> >> below what I am seeing when posting a request to a test service that I am
> >> running. It simply dumps the headers. The first request is made directly
> >> to the service without going through apiman and the second request is
> >> made through apiman.
> >>
> >> I don't think that the issue is in the servlet code, but when these
> >> headers are passed into where policies are applied, like somewhere where
> >> the ApiRequest class is created.
> >>
> >> Thanks
> >> Stephen
> >>
> >>
> >> 2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : HEADERS:
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : user-agent: Wget/1.19.1
> >> (darwin15.6.0)
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : accept: */*
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : accept-encoding: identity
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : host:
> >> spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : authorization: Bearer
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : x-forwarded-host:
> >> spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : x-forwarded-port: 80
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : x-forwarded-proto: http
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : forwarded:
> >> for=71.86.141.114;host=spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com;proto=http
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : x-forwarded-for: 71.86.141.114
> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
> >> com.saas.controller.ApiRestController    : RemoteAddr: 172.17.0.1
> >>
> >>
> >>
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
> >> com.saas.controller.ApiRestController    : HEADERS:
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
> >> com.saas.controller.ApiRestController    : user-agent: Wget/1.19.1
> >> (darwin15.6.0)
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
> >> com.saas.controller.ApiRestController    : accept-encoding: identity
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
> >> com.saas.controller.ApiRestController    : connection: Keep-Alive
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
> >> com.saas.controller.ApiRestController    : authorization: Bearer
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
> >> com.saas.controller.ApiRestController    : accept: */*
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
> >> com.saas.controller.ApiRestController    : host:
> >> spring-boot-oauth-demo.user-dev.svc:8080
> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
> >> com.saas.controller.ApiRestController    : RemoteAddr: 172.17.0.6
> >>
> >>
> >> On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann
> >> <eric.wittmann at redhat.com> wrote:
> >>>
> >>> GitHub is back up.  Here is the code (when running the servlet version
> >>> of the gateway, not the vert.x version) that reads the inbound HTTP
> >>> request headers, copying them into the ApiRequest bean:
> >>>
> >>>
> >>> https://github.com/apiman/apiman/blob/master/gateway/platforms/servlet/src/main/java/io/apiman/gateway/platforms/servlet/GatewayServlet.java#L263-L280
> >>>
> >>> The only header that gets skipped is X-API-Version.
> >>>
> >>> -Eric
> >>>
> >>>
> >>> On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann
> >>> <eric.wittmann at redhat.com> wrote:
> >>>>
> >>>> That's very interesting because I don't believe Apiman is stripping
> >>>> out any headers from the request (at any point).  If that's happening
> >>>> I can't think of what the root cause might be.  IIRC we just copy all
> >>>> request headers from the inbound HttpServletRequest into the
> >>>> ApiRequest bean.
> >>>>
> >>>> GitHub is currently down so I can't send a link to the relevant
> >>>> code....
> >>>>
> >>>> On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie
> >>>> <stephen at saasindustries.com> wrote:
> >>>>>
> >>>>>
> >>>>> I have Apiman running in an openshift environment, which is
> >>>>> essentially a similar configuration to running in kubernetes. Each
> >>>>> container/pod is always receiving http/s requests through an HA Proxy
> >>>>> server, so that the x-forwarded-* set of headers get added to each
> >>>>> request by the proxy server.
> >>>>>
> >>>>> Unfortunately, it appears that the headers which are provided in the
> >>>>> ApiRequest bean when the policy chain processor doApply() method is
> >>>>> called do not include these proxy related headers.  This means that
> >>>>> the standard policies for the IP white and black listing policies do
> >>>>> not work when the apiman gateway is behind a proxy server.  The
> >>>>> request.getRemoteAddr() method returns the ip address to the proxy
> >>>>> server, so there is no way to get the ip address of the originator
> >>>>> since the x-forwarded-for header (and related headers) are not found.
> >>>>>
> >>>>> Has anyone else experienced this?  If so, is this by design?
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> Stephen
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Apiman-user mailing list
> >>>>> Apiman-user at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>
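
The thread above turns on which address an IP allow/deny policy should evaluate when the gateway sits behind a proxy. The following is an added example, not code from apiman or from anyone in the thread: a stand-alone resolver that uses X-Forwarded-For only when the peer is a trusted proxy. The class name, the trusted range 172.17.0.0/16 and the IPv4-only parsing are assumptions; the first two sample calls reuse addresses from the logs above, the third is constructed.

```java
import java.util.List;

public class ClientIpResolver {
    // Assumption: only peers inside these CIDRs are proxies allowed to set X-Forwarded-For.
    private final List<String> trustedProxies;

    ClientIpResolver(List<String> trustedProxies) { this.trustedProxies = trustedProxies; }

    // Returns the address an IP allow/deny list should evaluate.
    String resolve(String remoteAddr, String xForwardedFor) {
        // A direct caller can send any header, so it counts only when the peer is a trusted proxy.
        if (xForwardedFor == null || !isTrusted(remoteAddr)) return remoteAddr;
        String candidate = remoteAddr;
        String[] hops = xForwardedFor.split(",");
        // Walk right to left: each proxy appends the peer it saw, so the rightmost
        // entries are the ones written by our own infrastructure.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (ipv4(hop) < 0) return candidate;  // malformed entry: stop at the last verified hop
            if (!isTrusted(hop)) return hop;      // first address that is not one of our proxies
            candidate = hop;
        }
        return candidate;
    }

    boolean isTrusted(String addr) {
        long ip = ipv4(addr);
        for (String cidr : trustedProxies) {
            String[] parts = cidr.split("/");
            int bits = Integer.parseInt(parts[1]);
            long mask = bits == 0 ? 0 : (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
            if (ip >= 0 && (ip & mask) == (ipv4(parts[0]) & mask)) return true;
        }
        return false;
    }

    // Parses a dotted-quad literal without any DNS lookup; returns -1 if it is not one.
    static long ipv4(String s) {
        String[] octets = s.split("\\.", -1);
        if (octets.length != 4) return -1;
        long value = 0;
        for (String o : octets) {
            if (!o.matches("\\d{1,3}") || Integer.parseInt(o) > 255) return -1;
            value = (value << 8) | Integer.parseInt(o);
        }
        return value;
    }

    public static void main(String[] args) {
        ClientIpResolver r = new ClientIpResolver(List.of("172.17.0.0/16"));
        System.out.println(r.resolve("172.17.0.1", "71.86.141.114"));           // header set by the proxy
        System.out.println(r.resolve("172.17.0.6", null));                      // header missing: only the peer address is left
        System.out.println(r.resolve("172.17.0.1", "10.9.9.9, 71.86.141.114")); // constructed: client-supplied left entry is ignored
    }
}
```

When the header never reaches the policy, as in the second call, the resolver can only return the proxy's own address, which is the behaviour reported in the thread.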