allow proxy-rewrite plugin to rewrite x-forwarded-port request header #4942
Comments
What's the result of requesting to the backend directly? |
It is normal, can redirect to the login API and logged in. |
The response is not processed by the gateway (APISIX). See the nginx conf: the following x-forwarded-* headers are sent to the upstream server
so you can add some header to the previous proxy. Set the X-Forwarded-Port to 80 to resolve it. |
Good job, let's see whether it can help @eastearth to solve his problems. If so, I think we need to add a FAQ entry to record this. |
My previous proxy is a Layer 4 proxy, cannot add headers, and I think this is a bug, can't fix it? |
Is it possible to specify X-Forwarded-Port by configuring configmap? The corresponding configuration is not found. Where should I configure it? For example, which parameter should be set for this configuration?
|
You could take a test for it. Does your APISIX use port 9080? What is the relationship between port 80 and 9080? |
@eastearth Can your layer 4 proxy be configured in a transparent manner? |
@eastearth tell me wechat |
jxd1075943283 |
How did you install APISIX? See https://github.com/apache/apisix/blob/master/apisix/cli/ngx_tpl.lua, currently, the related items are not configurable. |
Actually, I install apisix by helm in k8s, but I think this still needs a configurable item. The operation performed by postStart does not necessarily complete before the main program entrypoint starts. This is the k8s official document introduction: " |
That's right, the postStart hook is not a reliable way to do this. Would you like to submit a PR to let these |
Yes, I would very much want to let these items be configurable. What should I do? |
The ngx_tpl.lua is a template to customize the nginx.conf file, so just let these items to be templated. You can see more in |
Yes, I see, you mean that I modify ngx_tpl.lua to be configurable myself and change the X-Forwarded-Port in k8s configmap? Actually, my Lua is not good, I can't do it myself. Can you help? |
I have a request, can someone help me to change the x-forward-* in the https://github.com/apache/apisix/blob/master/apisix/cli/ngx_tpl.lua to configurable? |
Especially the X-Forwarded-Port |
E.g. I request this URL http://eks-jenkins-test.invik.com:80, when Jenkins responds 302 to the browser, and the browser requests http://eks-jenkins-test.invik.com:9080/login. The port of apisix is 9080, and 80 is the port of the AWS LB layer 4. |
As an example, you can see how the |
you can use https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/proxy-rewrite.md |
@eastearth @nic-chen @tokers I checked the instructions about reverse proxy in jenkins’ own documentation. Regarding the way to set the request header, this is the method I have tried, but it has no effect. Jenkins still returns the redirection address with port 9080:
Then because I am not sure whether this is a problem with Jenkins itself or a problem with the apisix plug-in, I now want to try another method of modifying the Location in the response header. Is there any way that I can modify the Location in the response header? Do you perform regular matching and modify it? The desired effect is roughly this: I know that there is a "response-rewrite" plug-in that can modify the Location mentioned above, but because the plug-in provides The instructions of How should I configure it? Thank you. In addition, one method that I think is probably effective is to open port 9080, and then reconfigure a route to identify requests from port 9080, and redirect them to port 80, but to be honest, I don't really want to open a new port unless I have to, and this way of handling it will add one more HTTP request, which doesn't always feel good. |
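The Location rewrite asked about in the comment above, as an added example (not code from APISIX or from anyone in this thread, and written in Python to show the logic rather than as a response-rewrite configuration). It assumes the gateway listens on 9080 and the public port is 80, as in this issue; `fix_location` and its parameters are hypothetical names.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def fix_location(location, request_host, internal_port=9080, public_port=80):
    """Map a same-host redirect from the gateway's listen port to the public port.

    internal_port/public_port default to the 9080 -> 80 case from this issue.
    Anything that is not an absolute http(s) redirect to request_host on
    internal_port is returned unchanged.
    """
    try:
        parts = urlsplit(location)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return location
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return location              # relative or non-HTTP redirect
    if parts.username is not None:
        return location              # never rebuild URLs carrying userinfo
    if parts.hostname != request_host.lower() or port != internal_port:
        return location              # other host or other port: not ours to fix
    host = parts.hostname
    if ":" in host:
        host = f"[{host}]"           # restore brackets around an IPv6 literal
    if public_port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{public_port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
```

Restricting the rewrite to the request's own host keeps redirects to other sites byte-for-byte intact, which a blanket regex on `:9080` would not.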
hi @z-yuxie |
@nic-chen Hello, I have configured other routes, but this is the only route that Jenkins can hit, because each of my routes is configured for a separate domain name. My routing strategy is based on the domain name. Although there are multiple routes configured, Jenkins will only hit its own route and not the others. |
@z-yuxie Try to use the |
@z-yuxie Or use a temporary solution, comment out these lines https://github.com/apache/apisix/blob/master/apisix/cli/ngx_tpl.lua#L612-L613, and restart APISIX. |
I have encountered exactly the same problem here, using k8s + apisix ingress + jenkins. |
I have this issue too, could you show me how to rewrite using serverless-functions? |
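You wrote the most, so I'll reply to you. Where does your domain name resolve to, nginx or SLB? If it is Nginx, add a proxy_set_header X-Forwarded-Port 443; SLB should have a separate option that can be set. |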
where does your domain a.com resolve to? Add |
I have the same problem, using k8s + apisix ingress + jenkins. |
|
For anyone who needs a workaround:

```json
"plugins": {
    "serverless-pre-function": {
        "phase": "rewrite",
        "functions": [
            "return function(conf, ctx) ngx.var.var_x_forwarded_port = 443 end"
        ]
    }
},
```
|
Maybe we can allow proxy-rewrite plugin to rewrite x_forwarded_port. What about everyone's opinion? |
LGTM |
agree +1 |
What's the action |
Currently this header is generated via Line 683 in d7e49c9
|
We can apply the same handling like: Line 228 in d7e49c9
|
Maybe I still don't get the accurate meanings, I guess that take plugin proxy-rewrite to rewrite attributes If these extensible headers supported one by one, it seems not a good idea. Why not reuse the existed attribute
|
We don't need to extend the schema with new attributes |
Once we let proxy-rewrite plugin support modifying these headers, also take care the precedence between it and |
If proxy-rewrite can modify
My questions:
|
If Jenkins is deployed in kubernetes, you can add another Nginx container to the pod, forward the traffic to Jenkins through Nginx, and set

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name localhost;
    #access_log /var/log/nginx/host.access.log main;
    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port 80;
        proxy_pass http://localhost:8080;
    }
}
```
|
Thank you so much bro.
|
Another alternative is to modify the listen ports for apisix to the following:
Since these are privileged ports, in kubernetes if you don't want to run as root, this will require you to use the following securityContext on the pod (not container):
|
for anyone from the future looking to have flattened X-Forwarded-For headers with a list of explicit good IPs, this is what we ended up doing:
This parses XFF and sets |
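The comment above describes flattening X-Forwarded-For against a list of known-good proxy IPs, but its code did not survive on this page. The following is an added example of that general technique in Python, not the commenter's code or an APISIX API; the CIDRs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values standing in for the "explicit good IPs".
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def flatten_xff(header_values):
    """Join repeated X-Forwarded-For header lines into one ordered hop list."""
    hops = []
    for value in header_values:
        hops.extend(h.strip() for h in value.split(",") if h.strip())
    return hops


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def client_ip(header_values, peer_ip, trusted=TRUSTED_PROXIES):
    """Return the right-most hop that is not one of our own proxies.

    Entries are only believed while everything to their right (and the
    TCP peer itself) is a trusted proxy, so values a client prepends to
    the header are never used.
    """
    last = ipaddress.ip_address(peer_ip)
    if not is_trusted(last, trusted):
        return str(last)              # peer is not our proxy: ignore XFF entirely
    for hop in reversed(flatten_xff(header_values)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(last)          # unparseable hop: stop at last known-good address
        if not is_trusted(addr, trusted):
            return str(addr)          # first untrusted hop is the real client
        last = addr
    return str(last)                  # every hop was one of our proxies
```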
Issue description
If the upstream service through the APISIX proxy returns 302 redirect, the client redirected the port to the 9080 port of apisix,
For example, client access http://a.com:80/,
Normally, it would be redirected to the http://a.com:80/login
But it’s actually redirected to the http://a.com:9080/login
Environment
apisix version: 2.7.0(helm chart installed,and chart version is apisix-0.3,6)
apisixroute:
Service:
Steps to reproduce
1.client access http://a.com:80/,
2.Normally, upstream response 302 to the http://a.com:80/login
3.But it’s actually redirected to the http://a.com:9080/login
Actual result
3.But it’s actually redirected to the http://a.com:9080/login
and the browser is waiting
Error log
the browser return:
无法访问此网站eks-jenkins-test.invik.com 的响应时间过长。
Expected result
No response