emissary: x-forwad-proto header is not forwarded correctly to authentication service
Describe the bug
We use datawire ambassador behind nginx as an ingress controller. Since Nginx does the tls termination there is already an x-forwad-proto header set when the request hits ambassador.
If the request is now forwarded to our authentication service the value of this header changes from https to http.
To Reproduce
Deploy an Authentication Service like described here https://www.getambassador.io/user-guide/auth-tutorial/#1-deploy-the-authentication-service but with ambassador behind nginx as ingress controller doing also tls termination.
Expected behavior
x-forward-proto should not be changed and forwarded with the correct value https to the authentication service.
Versions
- Ambassador: 0.50.rc
- Kubernetes environment bare metal
- Version 1.13.0
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Comments: 15 (9 by maintainers)
From looking at this thread, it appears that only the authentication gets the “correct” header (https), but upstream services still see http.
In our case, we use fly.io’s wormhole to do edge ssl termination which forwards requests to port 80 within ambassador. We would except the x-forwarded-proto to respect the original proto header, but it is changing it to http.
The headers we received in 0.40.2 looked like:
However, the headers in all of the 0.50.0-* releases look like (this is 0.50.0-rc5):
Is this by design?
@gsagula, can you speak to this?
Hi Richard,
we use https://github.com/kubernetes-incubator/external-dns for dns automation and https://github.com/jetstack/kube-lego for automating let’s encrypt certificates. This are two very important components for us as this saves us a lot of manual effort and makes it very convenient to for developers to bring their services online. I did this one year ago and back then there was no easy way to do it with ambassador. I don’t know if this changed today.