Honor X-Forwarded-Port header #11391
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
miminar
changed the title
miminar
force-pushed
the
honor-x-forwarded-port
branch
from
b8913d3 to
a9ff442
Compare
|
Let's wait on upstream review of distribution/distribution#2008. |
miminar
force-pushed
the
honor-x-forwarded-port
branch
from
a9ff442 to
c427997
Compare
miminar
changed the title
…rded headers Prefer non-standard headers like X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port over the standard Forwarded header to maintain backwards compatibility. If a port is not specified neither in Host nor in forwarded headers but it is specified just with X-Forwarded-Port, use its value in base urls for redirects. Forwarded header is defined in rfc7239. X-Forwarded-Port is a non-standard header. Here's a description copied from "HTTP Headers and Elastic Load Balancing" of AWS ELB docs: > The X-Forwarded-Port request header helps you identify the port that > an HTTP or HTTPS load balancer uses to connect to the client. Signed-off-by: Michal Minář <miminar@redhat.com>
miminar
force-pushed
the
honor-x-forwarded-port
branch
from
c427997 to
f1eca13
Compare
This was referenced Nov 8, 2016
|
/cc @legionus |
|
LGTM (tested manually and confirmed it works as expected). |
|
[merge] |
|
(also fixes: #12260) |
|
Evaluated for origin merge up to f1eca13 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/12379/) (Base Commit: 993395c) (Image: devenv-rhel7_5546) |
rlaurika
added a commit
to CSCfi/pouta-openshift-cluster
that referenced
this pull request
Oct 30, 2017
The registry is by default deployed using a certificate signed by the OpenShift CA. As this is not generally recognized, create a new re-encrypting edge route to the registry that uses a proper certificate. This way it is possible to login to the registry normally. Using the re-encrypting route triggers a bug in the Docker registry that is fixed in a newer version. To work around this bug, manually update the Docker image used for the registry to a newer one. See: openshift/origin#14249 and also openshift/origin#11391. The registry console also needs to be reconfigured with the new route to the registry. Make this configuration change using the oc_env module from openshift-ansible. For this to work, add modules from the lib_openshift role into the library path. Replace the certificate of the registry console with a proper recognized certificate so that warnings are not shown when accessing the console from a browser. Write tests for checking correct connectivity to the routes used for the registry and the registry console. These should verify that there are no certificate issues with the endpoints.
rlaurika
added a commit
to CSCfi/pouta-openshift-cluster
that referenced
this pull request
Oct 30, 2017
The registry is by default deployed using a certificate signed by the OpenShift CA. As this is not generally recognized, create a new re-encrypting edge route to the registry that uses a proper certificate. This way it is possible to login to the registry normally. Using the re-encrypting route triggers a bug in the Docker registry that is fixed in a newer version. To work around this bug, manually update the Docker image used for the registry to a newer one. See: openshift/origin#14249 and also openshift/origin#11391. The registry console also needs to be reconfigured with the new route to the registry. Make this configuration change using the oc_env module from openshift-ansible. For this to work, add modules from the lib_openshift role into the library path. Replace the certificate of the registry console with a proper recognized certificate so that warnings are not shown when accessing the console from a browser. Write tests for checking correct connectivity to the routes used for the registry and the registry console. These should verify that there are no certificate issues with the endpoints. Split the registry config changes into their own playbook from the post-install playbook to keep things tidy.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If the explicit port is specified using this header, use it in base urls
for redirects.
As documented in article "HTTP Headers and Elastic Load Balancing" of
AWS ELB docs:
Resolves #11337
Fixes bz#1383439