How to maintain X-Forwarded-Proto header to Pod through HTTP Route

Solution Unverified - Updated -

Issue

  • The external loadbalancer offloads SSL, so that connection between loadbalancer and OpenShift HAProxy Router is all HTTP
  • How to maintain the X-Forwarded-Proto header as defined by the client application?
Client -(https)-> Load balancer (SSL termination) -(http)-> Haproxy (Openshift Router) -> Container
  • The client application will send either http or https request. F5 loadbalancer offloads this to http.
  • The client application will send X-Forwarded-Proto. F5 loadbalancer does NOT overwrite this and will maintain it even if it offloads https to http.
  • We need HAProxy router to maintain the X-Forwarded-Proto as sent forward from F5 loadbalancer.
  • The built-in configuration will not work:
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
  • Because this is set based on the connection between F5 and HAProxy, which will always be http

Environment

  • Red Hat OpenShift Container Platform
    • 3.9+

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In