Feature request: use X-Forwarded-Host from the reverse proxy before #910

Closed
LoicMahieu opened this issue Jun 27, 2017 · 6 comments · Fixed by #911

Comments

@LoicMahieu
Contributor

I don't think the title of this issue is clear. Feel free to edit ;)

I use the nginx ingress controller behind another nginx which is from my legacy infrastructure, moving progressively to Kubernetes.

Everything works perfectly except the X-Forwarded-Host. Basically, my old legacy nginx uses a proxy_set_header for forwarding the original HTTP host (like ingress controller does).

The ingress controller uses the X-Forwarded-For but not the X-Forwarded-Host.

We can see in the nginx.tmpl:

    # Obtain best http host
    map $http_host $best_http_host {
        default          $http_host;
        ''               $host;
    }

Do you think it could be reliable/secure to make X-Forwarded-Host the priority for the $best_http_host variable?

@aledbf
Member

aledbf commented Jun 27, 2017

Please use quay.io/aledbf/nginx-ingress-controller:0.153 This image contains PR #911

@LoicMahieu
Contributor Author

Thanks for the extremely quick response :D ! Awesome! I will try your image soon.

The same problem appears for the X-Forwarded-Proto and the $pass_access_scheme variable. Do you think it could be resolved in the same patch?

Thanks for your work! Really awesome this controller!

@aledbf
Member

aledbf commented Jun 27, 2017

@LoicMahieu what change do you suggest? I think we already have this in the template with

    map $http_x_forwarded_proto $pass_access_scheme {
        default          $http_x_forwarded_proto;
        ''               $scheme;
    }

    map $http_x_forwarded_port $pass_server_port {
       default           $http_x_forwarded_port;
       ''                $server_port;
    }

@LoicMahieu
Contributor Author

Yes yes! You are right! I am currently testing it. Works for X-Forwarded-Proto, my bad! :)

@redbaron

Is it the right thing to do? X-Forwarded* headers just accumulate values as requests pass through proxies. Setting other headers based on them doesn't sound like a good idea, especially in a generic ingress config.

More specifically, #911 breaks terribly when X-Forwarded-Host has more than 1 value (in our case it passed through more than 1 Apache mod_proxy): it sets the value of Host: to the full value of X-Forwarded-Host, which by definition is a comma-separated list of values. As you can imagine, nothing good comes out of it :)

@pingles

pingles commented Oct 25, 2018

To add some context to this and @redbaron's comment. We had a production outage in one of our systems last night caused by the introduction of a CDN at the front of Apache and some nginx ingress; it took a while to figure out that it was the X-Forwarded-Host header and that it was the ingress that was failing.
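
An added example, not part of the thread and not the controller's own template: one way to keep a multi-valued X-Forwarded-Host from being copied whole into Host, the failure described in the last two comments. It assumes the upstream proxies you operate sit in 10.0.0.0/8 (constructed), that the first list element is the host set by the edge proxy, and that $remote_addr is the directly connected peer; every `example_` name is hypothetical.

```nginx
# http {} context. Added example; example_* names and the CIDR are assumptions.

# 1 when the directly connected peer is a proxy we operate, 0 otherwise.
# geo keys on $remote_addr by default (assumes realip has not rewritten it).
geo $example_trusted_proxy {
    default        0;
    10.0.0.0/8     1;   # constructed range: replace with your proxies' addresses
}

# Fallback when X-Forwarded-Host is absent, untrusted or malformed.
# Same logic as the $best_http_host map quoted in the issue.
map $http_host $example_plain_host {
    default        $http_host;
    ''             $host;
}

# Honour X-Forwarded-Host only when it comes from a trusted peer, and take only
# the first element of the comma-separated list. That element must look like
# host[:port]; IPv6 literals and anything with other characters fall back.
map "$example_trusted_proxy:$http_x_forwarded_host" $example_best_http_host {
    default        $example_plain_host;
    "~^1: *(?<example_xfh>[A-Za-z0-9][A-Za-z0-9.-]*(?::[0-9]{1,5})?) *(?:,|$)"  $example_xfh;
}

# In the proxied location, send the single validated value upstream:
#     proxy_set_header Host $example_best_http_host;
#
# Constructed inputs and the resulting $example_best_http_host:
#   peer 10.1.2.3,    XFH "shop.example.com, cdn.internal"  -> shop.example.com
#   peer 10.1.2.3,    XFH "bad host/value"                  -> $http_host (or $host)
#   peer 203.0.113.9, XFH "shop.example.com"                -> $http_host (or $host)
```

Whether the first or the last list element is the right one depends on which proxy in the chain is trusted to set the header, so check that against your own topology before reusing the regex.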
