Running UAA on Kubernetes behind TLS-enabled ingress controller #uaa


Enrique Cano
 

Hi

We are running UAA behind an ingress controller on Kubernetes. The connection to the ingress controller is https on a port other than 443, e.g. 8443. The connection to the UAA pod is http.
The issue we are facing is that the URLs UAA will return to the browser during the OAuth handshake include http instead of https. When we set X-Forwarded-Proto to "https" at the ingress controller, then the returned URLs contain https, but the port is set to 443. We believe this is because of this line of code: https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/FixHttpsSchemeRequest.java#L44
Is there another way of doing this? Basically, instead of redirecting to http://url:8080, we want a redirection to https://url:8443. Currently, what we get is https://url with the X-Forwarded-Proto header set to "https".

Many thanks in advance

Enrique.


Filip Hanik
 

request.getScheme() can return https properly if you configure the web server (Tomcat/Jetty) to trust the X-Forwarded-Proto header based on the IP address of the proxy server.

If you're using uaa-release, you can configure

This will ensure that https is returned and line 44 is never invoked.
Filip

On Tue, Jul 16, 2019 at 9:09 AM Enrique Cano <enrique.canocarballar@...> wrote:
Hi

We are running UAA behind an ingress controller on Kubernetes. The connection to the ingress controller is https on a port other than 443, e.g. 8443. The connection to the UAA pod is http.
The issue we are facing is that the URLs UAA will return to the browser during the OAuth handshake include http instead of https. When we set X-Forwarded-Proto to "https" at the ingress controller, then the returned URLs contain https, but the port is set to 443. We believe this is because of this line of code: https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/FixHttpsSchemeRequest.java#L44
Is there another way of doing this? Basically, instead of redirecting to http://url:8080, we want a redirection to https://url:8443. Currently, what we get is https://url with the X-Forwarded-Proto header set to "https".

Many thanks in advance

Enrique.


Enrique Cano
 

Thank you, Filip.

We are not using uaa-release, and we can control the protocol (https). Our issue is that the port number is forced to be 443 when we don't want that to happen.

Regards

Enrique


Filip Hanik
 

Hi Enrique,

The port number will not be forced if 
  the appropriate proxy headers are set 
*AND* 
  the request comes from a trusted IP (Tomcat's RemoteIpValve)

i.e., HttpServletRequest.getScheme does not return https because the web server (i.e. Apache Tomcat) does not trust the source of the request, so the headers are ignored.

I'm not sure why that filter is even in the UAA. The code of the filter basically states

_Apache Tomcat doesn't trust the X-Forwarded-Proto header, so our code will do so instead and override the behavior_

So that code should not exist, as it indicates a workaround for a misconfigured system.

You need to configure your RemoteIpValve correctly if you are using Apache Tomcat, and then your problem will go away.
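The RemoteIpValve configuration Filip is describing, written out as an added example (not from the thread or the UAA project). It assumes Tomcat serves UAA, that the ingress controller pods sit in 10.0.0.0/8, and that the ingress sets X-Forwarded-Proto and X-Forwarded-Port (8443) on every request it forwards:

```xml
<!-- conf/server.xml, inside the <Host> (or <Engine>) element.
     Added example; the addresses and port are assumptions for this thread's setup. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       portHeader="X-Forwarded-Port"
       httpsServerPort="8443" />
<!-- internalProxies: X-Forwarded-* headers are honoured only when the TCP peer
     matches this pattern (the ingress pods); a client reaching Tomcat from any
     other address keeps its real scheme and port, so it cannot rewrite them by
     sending its own X-Forwarded-Proto header.
     portHeader: getServerPort() returns the value of X-Forwarded-Port (8443).
     httpsServerPort: used instead when X-Forwarded-Port is absent and the
     forwarded scheme is https, so the redirect still carries :8443, not :443. -->
```

With the valve in place, request.getScheme() returns "https" and request.getServerPort() returns 8443 for requests from the ingress, so the redirect URLs are built from the values Tomcat already trusts rather than from the workaround in FixHttpsSchemeRequest.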