Kong can not remove or replace x-forwarded-for by Request Transformer Plugin

[jagerzhang]

Summary

I try to remove or replace the x-forwarded-for Header by Request Transformer Plugin, but the header x-forwarded-for is already exsit or nothing changes when the real server received.

Steps To Reproduce

1. i am try remove the x-forwarded-for by Request Transformer Plugin:
   

2. but it seens not work, the x-forwarded-for is already exsits:
   

3. the same result when i try replace the value of x-forwarded-for:
   

4.but it works well when i add a Header:

So, Is Kong unable to delete x-forwarded-for?

[carnei-ro]

@jagerzhang I also need to overwrite x-forwarded-for, the solution I'm using is to comment it at nginx template.

sed -i -e 's/proxy_set_header\ *X-Forwarded-For\ *$upstream_x_forwarded_for;/#&/g' /usr/local/share/lua/5.1/kong/templates/nginx_kong.lua

Following this thread for an elegant solution.

[bungle]

You can always override ngx.var.upstream_x_forwarded_for(on access phase with plugin, e.g. with post-function)

[bungle]

See e.g.: #5559 (comment)

[carnei-ro]

@bungle set the ngx.var directly is different from using ngx.req.set_header? The solution of comment the line we made in the past, and I'm not sure if set_header works without comment it. I'll try setting the var.
edit: It seems to have a difference setting the var directly to use set_header. The set_header does not work really well.
Thanks for the tip!

[dndx]

@carnei-ro The reason of explicitly setting this header (and others) using variable is to prevent downstream client trying to forge those headers (Nginx passes them to the upstream as-is by default). By using the variable, Kong can assert full control over contents inside those header at all time.

[jagerzhang]

You can always override ngx.var.upstream_x_forwarded_for(on access phase with plugin, e.g. with post-function)

@bungle Thanks for your reply, I solved it with pre-function plugin.

[bungle]

Great to hear that it solved the issue. We can later think should we not hardcode these or not (to use variables):
https://github.com/Kong/kong/blob/next/kong/templates/nginx_kong.lua#L141-L150

But as there is a work-around already I will close this. We might need to add better docs, though.

[shoyuf]

You can always override ngx.var.upstream_x_forwarded_for(on access phase with plugin, e.g. with post-function)

It's correct for x-forwarded-* headers. But x-real-ip can't removed when use this solution.

How to disable the x-real-ip header on a single route so they do not get sent to the upstream.