How to maintain X-Forwarded-Proto header to Pod through HTTP Route

Solution Unverified - Updated -

Issue

  • The external loadbalancer offloads SSL, so that connection between loadbalancer and OpenShift HAProxy Router is all HTTP
  • How to maintain the X-Forwarded-Proto header as defined by the client application?
Client -(https)-> Load balancer (SSL termination) -(http)-> Haproxy (Openshift Router) -> Container
  • The client application will send either http or https request. F5 loadbalancer offloads this to http.
  • The client application will send X-Forwarded-Proto. F5 loadbalancer does NOT overwrite this and will maintain it even if it offloads https to http.
  • We need HAProxy router to maintain the X-Forwarded-Proto as sent forward from F5 loadbalancer.
  • The built-in configuration will not work:
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
  • Because this is set based on the connection between F5 and HAProxy, which will always be http

Environment

  • Red Hat OpenShift Container Platform
    • 3.9+

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content