Add X-Forwarded-Proto: https header via VirtualService #926

Closed
brendangadd opened this issue Mar 9, 2022 · 4 comments
Labels
area/security kind/feature New feature or request size/L 4-5 days

Comments

Contributor

brendangadd commented Mar 9, 2022

Trino won't support authentication unless TLS is configured. However, it allows (and recommends) terminating TLS at the load balancer, so it will trust that the connection was secured if it sees an X-Forwarded-Proto: https header.

Istio is automatically encrypting all cluster traffic on the service mesh, but it does so completely transparently. Thus, we need to explicitly set the proxy header to let Trino know our traffic is indeed encrypted – even though clients will be using standard HTTP protocol when they connect.

@brendangadd brendangadd added area/security kind/feature New feature or request labels Mar 9, 2022
Contributor

rohank07 commented Mar 19, 2022

Breaking this task down into:

  1. Setting up a virtual service/ingress and connect using https service to the pod level (trino coordinator)
  2. Once verified 1. works, add x-forwarded proto header

@rohank07 rohank07 added the size/L 4-5 days label Mar 22, 2022
Contributor

rohank07 commented Mar 28, 2022

Step 1 ✔️
Created Gateway and Virtual Service. Gateway has both http and https ports. httpsRedirect is enabled on the Gateway. The http traffic is directed to https (80 to 443). Deployed MetalLb on local cluster to resolve host via browser (temporarily using https://trino.example.com/ui/) configured to use the istio-ingressgateway's external-IP. Virtual service resolves to host: trino.example.com

Contributor

rohank07 commented Apr 4, 2022

Step 2:
Added X-forwarded proto header in the virtual service (no need for EnvoyFilter). Unable to verify using request headers via httpbin. This will be verified when jwt auth is set up.
Breakdown: Browser gets request -> istio adds request header -> passes request to Trino
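
The Gateway and VirtualService described in the Step 1 and Step 2 comments, written out as an added example; it is not part of the original thread or the project's own manifests. Resource names, the namespace, the TLS secret name, the Service name and the coordinator port are assumptions.

```yaml
# Added example. Every name marked "assumed" is hypothetical.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: trino-gateway          # assumed
  namespace: trino             # assumed
spec:
  selector:
    istio: ingressgateway      # default istio-ingressgateway workload label
  servers:
    - port: {number: 80, name: http, protocol: HTTP}
      hosts: ["trino.example.com"]
      tls:
        httpsRedirect: true    # plain HTTP is redirected (80 to 443)
    - port: {number: 443, name: https, protocol: HTTPS}
      hosts: ["trino.example.com"]
      tls:
        mode: SIMPLE           # TLS terminates at the ingress gateway
        credentialName: trino-tls   # assumed secret holding cert and key
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: trino                  # assumed
  namespace: trino             # assumed
spec:
  hosts: ["trino.example.com"]
  gateways: ["trino-gateway"]
  http:
    - headers:
        request:
          # "set" overwrites whatever X-Forwarded-Proto the client sent;
          # "add" would append to a client-supplied value instead.
          set:
            X-Forwarded-Proto: https
      route:
        - destination:
            host: trino        # assumed Service in front of the coordinator
            port:
              number: 8080     # assumed coordinator HTTP port
```

Trino only honours forwarded headers when `http-server.process-forwarded=true` is set in the coordinator's `config.properties`. Since Trino then trusts the header as proof of TLS, the coordinator should not be reachable by any route that bypasses this gateway.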

@rohank07 rohank07 closed this as completed Apr 5, 2022
@rohank07 rohank07 changed the title Add X-Forwarded-Proto: https header via EnvoyFilter Add X-Forwarded-Proto: https header via VirtualService Apr 5, 2022
Contributor

rohank07 commented Apr 6, 2022

Got the X-Forwarded-Proto: https header to show when using httpbin api. curl -s -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers?show_env

