Missing X-Forwarded-Proto

mpelesh · March 3, 2021, 6:31am

I am using Kong Ingress controller with TLS termination. Looks like X-Forwarded-Proto is not set by Kong. Other X-Forwarded-* headers are there. This is incoming request in httpbin container:

{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-US,en;q=0.9,uk;q=0.8",
    "Cache-Control": "no-cache",
    "Connection": "keep-alive",
    "Host": "localhost",
    "Pragma": "no-cache",
    "Sec-Ch-Ua": "\"Chromium\";v=\"88\", \"Google Chrome\";v=\"88\", \";Not A Brand\";v=\"99\"",
    "Sec-Ch-Ua-Mobile": "?0",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "none",
    "Sec-Fetch-User": "?1",
    "Sec-Gpc": "1",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36",
    "X-Forwarded-Host": "localhost",
    "X-Forwarded-Path": "/httpbin/anything",
    "X-Forwarded-Prefix": "/httpbin"
},
"json": null,
"method": "GET",
"origin": "<IP address>",
"url": "https://localhost/anything"

}

Am I missing something in my config?
Helm chart version 1.14.3. App version 2.2.

traines · March 5, 2021, 12:45am

This appears to be something inherent to httpbin. If I try to ignore Kong altogether and send that header directly to it via a port-forward, it still disappears:

kubectl port-forward svc/httpbin 8999:80

$ http -v localhost:8999/anything X-Forwarded-Proto:https 
GET /anything HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost:8999
User-Agent: HTTPie/2.4.0
X-Forwarded-Proto: https

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 352
Content-Type: application/json
Date: Fri, 05 Mar 2021 00:29:57 GMT
Server: gunicorn/19.9.0

{
    "args": {},
    "data": "",
    "files": {},
    "form": {},
    "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "keep-alive",
        "Host": "localhost:8999",
        "User-Agent": "HTTPie/2.4.0"
    },
    "json": null,
    "method": "GET",
    "origin": "127.0.0.1",
    "url": "https://localhost:8999/anything"
}

The HTTP echo server used in the Minikube example does echo it:

HEADERS RECEIVED:
accept=*/*
accept-encoding=gzip, deflate
connection=keep-alive
host=localhost:8999
user-agent=HTTPie/2.4.0
x-forwarded-proto=https

On the Kong end, that header should always be set to the contents of the upstream_x_forwarded_proto variable. That variable is set to either the inbound client protocol or inbound X-Forwarded-Proto. You can overwrite that variable with a plugin after, but it should always be set otherwise.

mpelesh · March 8, 2021, 5:57pm

Thank you, @traines . I also figured this out with Wireshark. Indeed it is a problem with httbin (or Gunicorn it is using). All headers are there.

Topic		Replies	Views
X-Forwarded-Proto forcing HTTPS redirect Questions kubernetes	1	781	January 20, 2023
HTTP to HTTPS redirect with kong-ingress and TLS-offloading Questions service-mesh , kubernetes	22	9791	August 11, 2022
Kong Ingress Controller transcoding requests require a .proto file error Questions kubernetes	0	166	February 26, 2024
Kong not sending x-forwarded-for header to upstream Questions kubernetes	4	4768	March 8, 2021
X-forwarded-port Questions	13	5187	August 31, 2020

Missing X-Forwarded-Proto

Related topics