[cf-dev] Running UAA on Kubernetes behind TLS-enabled ingress controller #uaa


[cf-dev] Running UAA on Kubernetes behind TLS-enabled ingress controller #uaa

Enrique Cano
Hi

We are running UAA behind an ingress controller on Kubernetes. The connection to the ingress controller is https on a port other than 443 e.g. 8443. The connection to UAA pod is http.
The issue we are facing is that the URLs UAA will return to the browser during the OAuth handshake include http instead of https. When we set X-Forwarded-Proto to "https" at the ingress controller, then the returned URLs contain https, but the port is set to 443. We believe this is because of this line of code: https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/FixHttpsSchemeRequest.java#L44
Is there another way of doing this? Basically, instead of redirecting to http://url:8080, we want a redirection to https://url:8443. Currently, what we get is https://url with the X-Forwarded-Proto header set to "https".

Many thanks in advance

Enrique.
Re: [cf-dev] Running UAA on Kubernetes behind TLS-enabled ingress controller #uaa

Filip Hanik
request.getScheme() can return https properly if you configure the web server (Tomcat/Jetty) to trust the headers X-Forwarded-Proto based on the IP address of the proxy server.

If you're using uaa-release, you can configure

This will ensure that https is returned and line 44 is never invoked.
Filip

On Tue, Jul 16, 2019 at 9:09 AM Enrique Cano <[hidden email]> wrote:
Re: [cf-dev] Running UAA on Kubernetes behind TLS-enabled ingress controller #uaa

Enrique Cano
Thank you, Filip.

We are not using uaa-release, and we can control the protocol (https). Our issue is that the port number is forced to be 443 when we don't want that to happen.

Regards

Enrique
Re: [cf-dev] Running UAA on Kubernetes behind TLS-enabled ingress controller #uaa

Filip Hanik
Hi Enrique,

The port number will not be forced if 
  the appropriate proxy headers are set 
*AND* 
  the request comes from a trusted IP (Tomcat's RemoteIpValve)

i.e., the HttpServletRequest.getScheme does not return https because the web server (i.e. Apache Tomcat) does not trust the source of the request, so the headers are ignored.

I'm not sure why that filter is even in the UAA. The code of the filter basically states

_Apache Tomcat doesn't trust the X-Forwarded-Proto header, so our code will do so instead and override the behavior_

So that code should not exist, as it indicates a workaround for a misconfigured system.

You need to configure your RemoteIpValve correctly, if you are using Apache Tomcat, and then your problem will go away.
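The RemoteIpValve configuration Filip refers to, as an added example that is not part of this thread and not taken from UAA or uaa-release. It assumes a Tomcat `server.xml`, an ingress controller that forwards `X-Forwarded-For`, `X-Forwarded-Proto` and `X-Forwarded-Port`, and uses `10.244.0.0/16` as a placeholder for the address range the ingress pods connect from; substitute the real range for your cluster.

```xml
<!-- Added example (not from the thread): Host section of Tomcat's server.xml
     with a RemoteIpValve so that request.getScheme() and getServerPort()
     reflect the TLS-terminating ingress instead of the plain-HTTP pod port.
     Assumptions: the ingress sets X-Forwarded-For / -Proto / -Port, and
     10.244.x.x is a placeholder for the addresses the ingress pods use. -->
<Host name="localhost" appBase="webapps">

  <!-- The forwarding headers are honoured only when the immediate peer
       matches internalProxies. Requests from any other address keep their
       real scheme and port, so a client that reaches the pod directly
       cannot claim to be "https" or rewrite its own origin. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.244\.\d{1,3}\.\d{1,3}"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         portHeader="X-Forwarded-Port"
         httpsServerPort="8443"
         httpServerPort="80" />

</Host>
```

With `portHeader` set, the port the ingress reports in `X-Forwarded-Port` is what `getServerPort()` returns, so redirects built from the request come out as `https://url:8443`. If the ingress forwards only the protocol and no port header, Tomcat falls back to `httpsServerPort`, which is why it is set to 8443 here rather than the default 443. A quick check after deploying: send one request through the ingress and one straight to the pod with a hand-crafted `X-Forwarded-Proto: https`; only the first should produce an https redirect URL, which confirms that header trust is tied to the proxy address and not to the header alone.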
