[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Origin router and X-Forwarded-For



Hi Marcello.

on Dienstag, 17. Oktober 2017 at 09:11 was written:

> Hi,
> I'm using a re-encrypt configuration to preserve the x-forwrded-for information. The configuration is:
>
> Name:                   callcentergw-dev-external
> Namespace:              dev-shared
> Created:                17 hours ago
> Labels:                 <none>
> Annotations:            <none>
> Requested Host:         callcenter.test.local
>                           exposed on router router 17 hours ago
> Path:                   <none>
> TLS Termination:        reencrypt
> Insecure Policy:        Redirect
> Endpoint Port:          443-tcp

> Service:        callcentergw-dev
> Weight:         100 (100%)
> Endpoints:      10.131.0.138:443, 10.131.0.138:80

I miss the destinationCACertificate maybe it's shown with export.

oc export route -n dev-shared callcentergw-dev-external

You can add in the GUI (=> Webinterface ) all four values under 
"Security" settings. There is a section "Certificates" .

key: [as in edge termination]
certificate: [as in edge termination]
caCertificate: [as in edge termination]
destinationCACertificate: ...

Please can you also show us the output of 

curl -vk callcenter.test.local

> Marcello

Best Regards
Aleks

> Il 16 Ott 2017 20:45, "Aleksandar Lazic" <aleks me2digital eu> ha scritto:

> Hi Marcello.

>  on Montag, 16. Oktober 2017 at 15:23 was written:

 >> Hi,
 >> I have tried it and it worked fine but the problem is override the
 >> default wildcard certificate and configure a different certificate,
 >> because it's not possible to configure the intermediate CA chain into
 >> the admin panel. I tried to configure the CA cert with the root CA and
 >> the subordinate CA files and the router is ok but if I navigate the
 >> new route I received a security error.

>  do you use reencrypted or passthrough route

>  please can you show us the output of.

>  oc get route -n your-project
>  oc describe route -n your-project your-route

>  Best Regards
>  Aleks


 >> Marcello

 >> On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <aleks me2digital eu> wrote:

 >>
 >> Hi Marcello Lorenzi.

 >>  have you used -servername in s_client?

 >>  The ssl solution is based on sni (
 >> https://en.wikipedia.org/wiki/Server_Name_Indication )

 >> Regards
 >>  Aleks

 >> on Donnerstag, 12. Oktober 2017 at 13:02 was written:



 >> Hi All,
 >>  thanks for the response and we checked the configuration. If I tried
 >> to check the certificated propagate with the passthrough configuration
 >> with openssl s_client  and the certificate provided is the wilcard
 >> domain certificate and not the pod itself. Is it normal?

 >>  Thanks,
 >>  Marcello

 >>  On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <aleks me2digital eu> wrote:

 >> Hi.

 >>  Additionally to joel suggestion can you also use reencrypted route
 >> if you want to talk encrypted with apache webserver.

 >> https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination

 >> Regards
 >>  Aleks

 >>  on Mittwoch, 11. Oktober 2017 at 15:51 was written:


 >> Sorry I meant it say, it *cannot modify the http request in any way.
 >>  On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson
 >> <japearson agiledigital com au> wrote:

 >> Hi Marcelo,

 >>  If you use Passthrough termination then that means that OpenShift
 >> cannot add the X-Forwarded-For header, because as the name suggests it
 >> is just passing the packets through and because it’s encrypted it can
 >> modify the http request in anyway.

 >>  If you want X-Forwarded-For you will need to switch to Edge termination.

 >>  Thanks,

 >>  Joel
 >>  On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <cello86 gmail com> wrote:

 >> Hi All,
 >>  we tried to configure a route on Origin 3.6 with a Passthrough
 >> termination to an Apache webserver present into a single POD but we
 >> can't notice the X-Forwarded-Header to Apache logs. We tried to capture it without success.

 >>  Could you confirm if there are some method to extract it from the POD side?

 >>  Thanks,
 >> Marcello
 >> _______________________________________________
 >>  users mailing list
 >> users lists openshift redhat com
 >> http://lists.openshift.redhat.com/openshiftmm/listinfo/users--
 >> Kind Regards,

 >>  Joel Pearson
 >>  Agile Digital | Senior Software Consultant

 >>  Love Your Software™ | ABN 98 106 361 273
 >>  p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au--
 >> Kind Regards,

 >>  Joel Pearson
 >>  Agile Digital | Senior Software Consultant

 >>  Love Your Software™ | ABN 98 106 361 273
 >>  p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]