
Oathkeeper does not support X-Forwarded headers properly #1139

Open
3 of 5 tasks
eratolekov opened this issue Nov 9, 2023 · 4 comments
Labels
bug Something is not working.

Comments

@eratolekov

Preflight checklist

Ory Network Project

No response

Describe the bug

Hi Ory Team

I guess the access rules of Ory Oathkeeper do not support X-Forwarded-* headers properly.

Reproducing the bug

Steps to reproduce the bug with X-Forwarded headers:

  1. Clone the repo
  2. Run the docker-compose.yml
  3. Perform this command:

     curl -v -H "X-Forwarded-Host: dev.pp" -H "X-Forwarded-Proto: http" -H "x-forwarded-port: 4455" http://localhost:4455/header

Actual result:

404 Not Found

Expected result:

200 OK

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "dev.pp",
    "User-Agent": "curl/7.68.0",
    "X-Amzn-Trace-Id": "Root=1-654d02aa-1ed22ecf2a4623d66ae70ac3"
  },
  "json": null,
  "method": "GET",
  "origin": "91.215.139.68",
  "url": "https://dev.pp/anything/header"
}

Meanwhile, a request with the Host header works like a charm:

curl -v -H "Host: dev.pp:4455" http://localhost:4455/header

Response:

200 OK

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "dev.pp",
    "User-Agent": "curl/7.68.0",
    "X-Amzn-Trace-Id": "Root=1-654d0c78-4f0df818446962ab50e760ab"
  },
  "json": null,
  "method": "GET",
  "origin": "91.215.139.68",
  "url": "https://dev.pp/anything/header"
}

Relevant log output

No response

Relevant configuration

log:
  level: debug
  format: json
serve:
  proxy:
    trust_forwarded_headers: true
errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  noop:
    enabled: true
authorizers:
  allow:
    enabled: true
mutators:
  noop:
    enabled: true

Version

0.40.6

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response

eratolekov added the bug label on Nov 9, 2023

@8th-block

8th-block commented Apr 20, 2024

Same issue here with v0.40.7! Ory ppl, I am happy to send logs.

@eratolekov have you been able to sort this out on your end?

@eratolekov

@eratolekov have you been able to sort this out on your end?

nope

@robinknaapen

I am in the same boat

When taking a look at the code, it seems that the bool trust_forwarded_headers does not tell the Oathkeeper proxy to use the x-forwarded-* headers to match the rules, but rather tells the Oathkeeper proxy to pass some headers to the outbound request, as seen here:
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L112

I dug a bit deeper and I see that the decision API uses the X-Forwarded headers:
https://github.com/ory/oathkeeper/blob/master/api/decision.go#L42

But the Proxy does not:
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L168
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L126
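
The difference described in the comment above, written out as an added illustration (this is not Oathkeeper's code and not the project's matcher): a hypothetical effectiveURL reconstructs the URL a rule engine matches against, once ignoring X-Forwarded-* (the proxy behaviour reported in this issue, which yields no match for a rule on dev.pp:4455) and once honouring them (the decision API behaviour). The Rule type, fromTrustedProxy and the 10.0.0.0/8 proxy range are assumptions for the example; the request itself mirrors the curl command from the issue. The trusted-proxy check is there because forwarded headers change which rule applies, so they must only be believed when the request arrives from the proxy that set them.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Rule is a hypothetical access rule: scheme, host (with port) and a path
// prefix that must all match the effective request URL. It stands in for an
// Oathkeeper rule with a URL glob; it is not the project's matcher.
type Rule struct {
	Scheme, Host, PathPrefix string
}

// Match reports whether the rule applies to u.
func (r Rule) Match(u *url.URL) bool {
	return strings.EqualFold(u.Scheme, r.Scheme) &&
		strings.EqualFold(u.Host, r.Host) &&
		strings.HasPrefix(u.Path, r.PathPrefix)
}

// firstValue returns the first element of a comma-separated header value,
// which is the value set by the outermost hop when proxies append to X-Forwarded-*.
func firstValue(v string) string {
	if i := strings.Index(v, ","); i >= 0 {
		v = v[:i]
	}
	return strings.TrimSpace(v)
}

// fromTrustedProxy reports whether remoteAddr (host:port) lies inside one of
// the trusted CIDRs. Forwarded headers should only be honoured in that case,
// otherwise any direct client could choose the host the rules are matched on.
func fromTrustedProxy(remoteAddr string, trusted []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// effectiveURL rebuilds the URL a rule engine should match against. With
// trustForwarded=false only the TLS state and the Host header are used; with
// trustForwarded=true X-Forwarded-Proto/Host/Port override them.
func effectiveURL(r *http.Request, trustForwarded bool) *url.URL {
	u := *r.URL
	u.Scheme = "http"
	if r.TLS != nil {
		u.Scheme = "https"
	}
	u.Host = r.Host
	if !trustForwarded {
		return &u
	}
	if p := firstValue(r.Header.Get("X-Forwarded-Proto")); p != "" {
		u.Scheme = strings.ToLower(p)
	}
	if h := firstValue(r.Header.Get("X-Forwarded-Host")); h != "" {
		u.Host = h
		if port := firstValue(r.Header.Get("X-Forwarded-Port")); port != "" && !strings.Contains(h, ":") {
			u.Host = net.JoinHostPort(h, port)
		}
	}
	return &u
}

// reproRequest builds the request from the curl command in the issue
// (constructed in memory, no network involved). RemoteAddr is an assumed
// address of the upstream proxy.
func reproRequest() *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "http://localhost:4455/header", nil)
	req.Header.Set("X-Forwarded-Host", "dev.pp")
	req.Header.Set("X-Forwarded-Proto", "http")
	req.Header.Set("X-Forwarded-Port", "4455")
	req.RemoteAddr = "10.0.0.5:51234"
	return req
}

func main() {
	rule := Rule{Scheme: "http", Host: "dev.pp:4455", PathPrefix: "/"}
	_, proxyNet, _ := net.ParseCIDR("10.0.0.0/8") // assumed trusted proxy range
	req := reproRequest()
	trusted := fromTrustedProxy(req.RemoteAddr, []*net.IPNet{proxyNet})
	fmt.Println("request came from trusted proxy:", trusted)
	fmt.Println("ignoring forwarded headers, rule matches:", rule.Match(effectiveURL(req, false)))
	fmt.Println("honouring forwarded headers, rule matches:", rule.Match(effectiveURL(req, trusted)))
}
```

Run with `go run .`: the first match is false (the engine sees http://localhost:4455/header, so a rule on dev.pp:4455 yields a 404 as in the report) and the second is true (the engine sees http://dev.pp:4455/header). The trust decision is separate from the URL rebuild on purpose: trust_forwarded_headers-style settings should be scoped to the proxy's address range rather than switched on globally.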

@alapini

alapini commented Jun 20, 2024

Facing the same issue when using oathkeeper with kong.

Oathkeeper will not match the route properly when the incoming headers have x-forwarded-*, despite host and path headers being correct.

And on kong side, it is quite hard to disable x-forwarded headers :(
