TLS Termination 'X-Forwarded-Proto' #95

Open
kucjac opened this issue Aug 7, 2018 · 5 comments

@kucjac kucjac commented Aug 7, 2018

Hello again,

I am using the full stack of your applications. I am now having a problem working behind a proxy (traefik) that drops the TLS. I would like to connect oathkeeper to hydra within the internal network, but hydra requires the 'X-Forwarded-Proto': 'https' header.
Could you please add a feature that adds the XFP header, i.e. using environment variables, when the protocol is 'http'?

@aeneasr aeneasr added the enhancement label Aug 8, 2018
@aeneasr aeneasr commented Aug 8, 2018

Good point. We haven't covered how this works internally yet. I think with the beta.8 release of ORY Hydra this will get easier because we separate admin and public endpoints. You could probably run the admin port with HTTP (no TLS termination) as it's inwards facing and talk to it directly.

Faking the proto header in Oathkeeper is also an option, although it sort of defeats the purpose of the header. We'll try to come up with a solution in case the admin/public port doesn't suit you.

@aeneasr aeneasr modified the milestones: v1.0.0-rc.1, v1.0.0 Oct 27, 2018
@aeneasr aeneasr commented Oct 27, 2018

In fact, traefik is the TLS termination edge, right? So that should set the X-Forwarded-Proto header, not this proxy (unless oathkeeper is the TLS edge). Since Oathkeeper forwards all headers - except sensitive ones that are filtered, like Authorization - that should work out of the box. I'm closing this, but let me know if I missed a spot.

@aeneasr aeneasr closed this Oct 27, 2018
@stanleyyuenyiu stanleyyuenyiu commented Aug 29, 2019

I'm not sure, but usually if a request runs behind the LB / traefik proxy, it will talk directly to hydra, instead of going through traefik and going back to hydra again.

Like in my case, I'm using the k8s Service Endpoint for the introspection_url of oathkeeper; it turns out k8s will not include any extra header "X-Forwarded-Proto", as it hasn't gone through the ingress controller or traefik controller. That means your application needs to add it, but as I go through the source code you wrote,

it does not include "X-Forwarded-Proto" in the header, so hydra will reject it, even if you include your internal IP in the allow_termination_from setting.

@aeneasr aeneasr commented Aug 29, 2019

Yeah, I can see that! Reopening.

@stanleyyuenyiu stanleyyuenyiu commented Aug 29, 2019

Serving hydra admin and hydra public in 2 docker containers is one of the solutions too (as you mentioned, but I'm not sure what the impact is); at least it can't use the memory database for testing purposes ^^
