[Apiman-user] Proxy headers missing for processing policies

Marc Savy marc.savy at redhat.com
Thu Aug 31 14:02:25 EDT 2017


Thanks for the update, Stephen. Useful to know this as I'm sure other
folk could run into the same issue.

On 31 August 2017 at 18:34, Stephen Henrie <stephen at saasindustries.com> wrote:
> Hi Marc,
>
> Thanks for having spent some time looking into this, but after a
> discussion with my network architect this morning, which I have not been
> able to get a hold of until today, I think we may have found the source of
> the issue and it most likely has nothing to do with Apiman. We are going to
> try to confirm it today. Apparently the default HAProxy configuration for
> the HTTPS protocol within kubernetes does not set the proxy headers like
> they do for http traffic; not sure why this is.
>
> Stephen
>
> On Wed, Aug 23, 2017 at 4:59 AM, Marc Savy <marc.savy at redhat.com> wrote:
>>
>> Hi Stephen,
>>
>> Out of interest: can you replicate your setup, but with no policies in
>> the chain to see what happens?
>>
>> Second, perhaps you can try the simple-header-policy
>>
>> (https://apiman.gitbooks.io/apiman-user-guide/user-guide/gateway/policies.html#_simple_header_policy)
>> and let me know what happens (just put some dummy config in and see
>> whether the headers still disappear).
>>
>> I'll try to replicate your setup soon.
>>
>> Regards,
>> Marc
>>
>> On 22 August 2017 at 17:13, Stephen Henrie <stephen at saasindustries.com>
>> wrote:
>> > FWIW, it is in the policy code where I am not seeing these headers being
>> > set
>> > correctly:
>> >
>> >
>> > https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/IPWhitelistPolicy.java#L55
>> >
>> >
>> >
>> > On Tue, Aug 22, 2017 at 11:01 AM, Stephen Henrie
>> > <stephen at saasindustries.com> wrote:
>> >>
>> >> Eric, thanks for the response.
>> >>
>> >> I had reviewed that code as well, so I believe you when you say that it
>> >> should be passing all of those proxy headers along. However, check out
>> >> below
>> >> what I am seeing when posting a request to a test service that I am
>> >> running.
>> >> It simply dumps the headers. The first request is made directly to the
>> >> service without going through apiman and the second request is made
>> >> through
>> >> apiman.
>> >>
>> >> I don't think that the issue is in the servlet code, but when these
>> >> headers are passed into where policies are applied, like somewhere where
>> >> the
>> >> ApiRequest class is created.
>> >>
>> >> Thanks
>> >> Stephen
>> >>
>> >>
>> >> 2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : HEADERS:
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : user-agent: Wget/1.19.1
>> >> (darwin15.6.0)
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : accept: */*
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : accept-encoding: identity
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : host:
>> >> spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : authorization: Bearer
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : x-forwarded-host:
>> >> spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : x-forwarded-port: 80
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : x-forwarded-proto: http
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : forwarded:
>> >>
>> >> for=71.86.141.114;host=spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com;proto=http
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : x-forwarded-for:
>> >> 71.86.141.114
>> >> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7]
>> >> com.saas.controller.ApiRestController    : RemoteAddr: 172.17.0.1
>> >>
>> >>
>> >>
>> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> >> com.saas.controller.ApiRestController    : HEADERS:
>> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> >> com.saas.controller.ApiRestController    : user-agent: Wget/1.19.1
>> >> (darwin15.6.0)
>> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> >> com.saas.controller.ApiRestController    : accept-encoding: identity
>> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> >> com.saas.controller.ApiRestController    : connection: Keep-Alive
>> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> >> com.saas.controller.ApiRestController    : authorization: Bearer
>> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> >> com.saas.controller.ApiRestController    : accept: */*
>> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> >> com.saas.controller.ApiRestController    : host:
>> >> spring-boot-oauth-demo.user-dev.svc:8080
>> >> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9]
>> >> com.saas.controller.ApiRestController    : RemoteAddr: 172.17.0.6
>> >>
>> >>
>> >> On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann
>> >> <eric.wittmann at redhat.com>
>> >> wrote:
>> >>>
>> >>> GitHub is back up.  Here is the code (when running the servlet version
>> >>> of
>> >>> the gateway, not the vert.x version) that reads the inbound HTTP
>> >>> request
>> >>> headers, copying them into the ApiRequest bean:
>> >>>
>> >>>
>> >>>
>> >>> https://github.com/apiman/apiman/blob/master/gateway/platforms/servlet/src/main/java/io/apiman/gateway/platforms/servlet/GatewayServlet.java#L263-L280
>> >>>
>> >>> The only header that gets skipped is X-API-Version.
>> >>>
>> >>> -Eric
>> >>>
>> >>>
>> >>> On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann
>> >>> <eric.wittmann at redhat.com> wrote:
>> >>>>
>> >>>> That's very interesting because I don't believe Apiman is stripping
>> >>>> out
>> >>>> any headers from the request (at any point).  If that's happening I
>> >>>> can't
>> >>>> think of what the root cause might be.  IIRC we just copy all request
>> >>>> headers from the inbound HttpServletRequest into the ApiRequest bean.
>> >>>>
>> >>>> GitHub is currently down so I can't send a link to the relevant
>> >>>> code....
>> >>>>
>> >>>> On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie
>> >>>> <stephen at saasindustries.com> wrote:
>> >>>>>
>> >>>>>
>> >>>>> I have Apiman running in an openshift environment, which is
>> >>>>> essentially
>> >>>>> a similar configuration to running in kubernetes. Each container/pod
>> >>>>> is
>> >>>>> always receiving http/s requests through an HA Proxy server, so that
>> >>>>> the
>> >>>>> x-forwarded-* set of headers get added to each request by the proxy
>> >>>>> server.
>> >>>>>
>> >>>>> Unfortunately, it appears that the headers which are provided in the
>> >>>>> ApiRequest bean when the policy chain processor doApply() method is
>> >>>>> called
>> >>>>> do not include these proxy related headers.  This means that the
>> >>>>> standard
>> >>>>> policies for the IP white and black listing policies do not work
>> >>>>> when the
>> >>>>> apiman gateway is behind a proxy server.  The
>> >>>>> request.getRemoteAddr() method
>> >>>>> returns the ip address to the proxy server, so there is no way to
>> >>>>> get the ip
>> >>>>> address of the originator since the x-forwarded-for header ( and
>> >>>>> related
>> >>>>> headers ) are not found.
>> >>>>>
>> >>>>> Has anyone else experienced this?  If so, is this by design?
>> >>>>>
>> >>>>> Thanks!
>> >>>>>
>> >>>>> Stephen
>> >>>>>
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> Apiman-user mailing list
>> >>>>> Apiman-user at lists.jboss.org
>> >>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >
>> >
>> >
>
>
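
The failure mode discussed in this thread, as an added example that is not Apiman code and not from any participant: an IP allowlist check that trusts X-Forwarded-For only when the direct peer is a known proxy, and fails closed when the proxy added no header. The class name, the trusted-proxy address, the untrusted peer address and the lower-cased header map are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example, not Apiman code. Header names are assumed to be lower-cased by the caller.
public class ClientIpResolver {
    private final Set<String> trustedProxies; // assumption: peers allowed to set X-Forwarded-For

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /** Originating client address, or empty when it cannot be determined. */
    public Optional<String> resolve(String remoteAddr, Map<String, String> headers) {
        if (!trustedProxies.contains(remoteAddr)) {
            // Direct peer is not a known proxy: any X-Forwarded-For is client-supplied, ignore it.
            return Optional.of(remoteAddr);
        }
        String xff = headers.get("x-forwarded-for");
        if (xff == null) {
            // Peer is the proxy but it added no header (the HTTPS case in the thread): unknown origin.
            return Optional.empty();
        }
        // Walk right to left; the first hop that is not a trusted proxy is the client.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                return Optional.of(hop);
            }
        }
        return Optional.empty();
    }

    /** Allowlist decision that fails closed when the origin is unknown. */
    public boolean isAllowed(String remoteAddr, Map<String, String> headers, Set<String> allowlist) {
        return resolve(remoteAddr, headers).map(allowlist::contains).orElse(false);
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the two header dumps in the thread.
        ClientIpResolver resolver = new ClientIpResolver(Set.of("172.17.0.1"));
        Set<String> allowlist = Set.of("71.86.141.114");
        Map<String, String> withProxyHeaders = Map.of("x-forwarded-for", "71.86.141.114");
        Map<String, String> withoutProxyHeaders = Map.of("host", "spring-boot-oauth-demo.user-dev.svc:8080");
        System.out.println("proxy set header:     " + resolver.isAllowed("172.17.0.1", withProxyHeaders, allowlist));
        System.out.println("proxy header missing: " + resolver.isAllowed("172.17.0.1", withoutProxyHeaders, allowlist));
        System.out.println("untrusted peer + XFF: " + resolver.isAllowed("10.0.0.9", withProxyHeaders, allowlist));
    }
}
```

Only the first case is allowed: when the header is missing the only address available is the proxy's own, so the check denies instead of matching the allowlist against the proxy.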


