Kong: Cannot make http_if_terminated work (0.12.1)

Created on 25 Jan 2018 · 5 Comments · Source: Kong/kong

Summary

Our SSL is terminated before reaching Kong, and I need the X-Forwarded-Proto header to be forwarded all the way to the service behind Kong.

As I understand it, I need to enable https_only AND http_if_terminated for the api to do that. But it keeps telling me to use HTTPS even after enabling http_if_terminated.

Steps To Reproduce

  1. enable https_only and http_if_terminated
  2. Send http request to the api with X-Forwarded-Proto: https

Additional Details & Logs

  • Kong version (0.12.1)

Setting the fields

# curl -i http://localhost:8001/apis/eg-security-keycloak-v1-production \
    -X PATCH \
    -d "http_if_terminated=true" \
    -d "https_only=true"
HTTP/1.1 200 OK
Date: Thu, 25 Jan 2018 12:40:59 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.12.1

{"created_at":1516882688627,"strip_uri":true,"id":"a4349d9c-776d-4889-b65b-4e4879649c47","hosts":["auth.codezoo.io"],"name":"eg-security-keycloak-v1-production","http_if_terminated":true,"https_only":true,"retries":5,"upstream_url":"http:\/\/eg-security-keycloak-v1-production:8080","upstream_send_timeout":60000,"upstream_read_timeout":60000,"upstream_connect_timeout":60000,"preserve_host":true}

Sending the request

# curl -i http://localhost:8000/auth/realms/master/.well-known/openid-configuration \
    -H "host: auth.codezoo.io" \
    -H "X-Forwarded-Proto:https"
HTTP/1.1 426 
Date: Thu, 25 Jan 2018 12:41:17 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
connection: Upgrade
upgrade: TLS/1.2, HTTP/1.1
Server: kong/0.12.1

{"message":"Please use HTTPS protocol"}

All 5 comments

We appreciate that you took the time to open an issue for this. However, Kong GitHub issues are for bug reports only. I'd like to ask you to post this on the Kong Nation forum.

That said, have you set up the trusted ips? Not sure, but I think the forwarding/terminating proxy must be added. See https://github.com/Kong/kong/blob/master/kong.conf.default#L192-L234

Ahh. Okay.

I was following the documentation here: https://getkong.org/docs/0.12.x/proxy/#configuring-ssl-for-an-api

It was not really clear to me that trusted ips was needed to do that.

Now I just need to figure out how to configure the trusted ips when using the docker image. :)

Edit:
For the sake of others looking for this, trusted ips can be set via env variables like this:

KONG_TRUSTED_IPS=0.0.0.0/0,::/0
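
A simplified model of the check discussed in this thread, added here as an example (it is not Kong's code and not part of any comment): with https_only and http_if_terminated enabled, X-Forwarded-Proto is honoured only when the connecting peer falls inside the trusted IP list. The `proxy_status` helper and the peer addresses are constructed for illustration.

```python
import ipaddress

def parse_trusted_ips(value):
    # Comma-separated CIDR list, the same shape as the KONG_TRUSTED_IPS value.
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]

def is_trusted(peer_ip, trusted):
    addr = ipaddress.ip_address(peer_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in trusted)

def proxy_status(peer_ip, scheme, headers, api, trusted):
    # Model only: 426 when https_only rejects the request, otherwise 200.
    hdrs = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if not api.get("https_only") or scheme == "https":
        return 200
    if (api.get("http_if_terminated")
            and is_trusted(peer_ip, trusted)
            and hdrs.get("x-forwarded-proto") == "https"):
        return 200
    return 426

# Constructed sample data (not taken from the issue).
API = {"https_only": True, "http_if_terminated": True}
HEADERS = {"X-Forwarded-Proto": "https"}
LB = "10.0.0.5"          # hypothetical TLS-terminating proxy
OTHER = "203.0.113.7"    # any other client reaching Kong over plain HTTP

def run_cases():
    # For each trusted-IP setting: (status for LB, status for OTHER).
    results = {}
    for label, value in [("unset", ""), ("wildcard", "0.0.0.0/0,::/0"),
                         ("proxy_only", "10.0.0.5/32")]:
        trusted = parse_trusted_ips(value)
        results[label] = tuple(
            proxy_status(ip, "http", HEADERS, API, trusted) for ip in (LB, OTHER))
    return results

if __name__ == "__main__":
    for label, statuses in run_cases().items():
        print(label, statuses)
```

In this model the wildcard value makes the header authoritative from every peer, while listing only the terminating proxy's address keeps the https_only check meaningful for direct plain-HTTP clients.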

At the http_if_terminated property, it is stated that:

And we make a request with the X-Forwarded-Proto header (assuming it is coming from a trusted client):

Yes, I saw that.

I just misread it as a client that I trust, and not as a client registered among the trusted ips.

@michaelkrog we certainly welcome PRs to clarify GetKong.org documentation at https://github.com/Kong/getkong.org - thanks in advance for any contribution you choose to make.
