Kong nginx_kong.lua template overrides request proxy headers

[jussiarpalahti]

Summary

These lines from 84 to 87 in default Nginx config template override X-Real-IP, X-Forwarded-For and X-Forwarded-Proto headers in request that Kong makes for client to the API. We have multiple proxies between client and API in addition of Kong, so we need to put this information forward through all of them as is.

I can work around this by using my own nginx_kong.lua template, but this means essentially forking this whole important piece of the configuration. Perhaps this part of the config could be made configuration dependent?

Steps To Reproduce

1. Install Kong 0.9 as per instructions
2. Make a request through another proxy to any Kong configured API

Additional Details & Logs

• Kong version 0.9.1
• Kong configuration (the default, should work with any API config which doesn't change the aforementioned headers)
• Ubuntu 16.04

[thibaultcha]

We would welcome a pull request for this.

[jussiarpalahti]

Ok. I see what I can do.

[jmdacruz]

Just to contribute another scenario to this issue: AWS adds an X-Forwarded-Proto header on its elastic load balancer (ELB). If you are terminating SSL at the ELB, this means that you are forwarding the request to Kong via http, but the external URL is https. This makes the X-Forwarded-Proto header unusable for the application to determine how to construct URLs (e.g., Location header, hypermedia on REST APIs)

[jussiarpalahti]

I merely added this like the nginx_optimizations setting:

> if nginx_set_x_request_headers then
>--        proxy_set_header X-Real-IP $remote_addr;
>--        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>--        proxy_set_header X-Forwarded-Proto $scheme;
> end

I couldn't see if #1662 changes this option, but I'll refrain from making a pull request at this stage. Also, I did not see if there's tests for configuration template behavior where I could add my change. I went with the assumption that the variable is by default true, maintaining 0.9.x settings.

[thibaultcha]

but I'll refrain from making a pull request at this stage.

We would really appreciate it, in addition to #1662 (I feel like both of those options are essential to have at this point, that is being able to disable the X-Forwarded headers all together, or configure them with more fine-grained settings).

I did not see if there's tests for configuration template behavior where I could add my change.

Definitely, see https://github.com/Mashape/kong/blob/master/spec/01-unit/03-prefix_handler_spec.lua#L37.

---

At this time, we are still waiting for some tests in #1662, but we might add them ourselves for an upcoming 0.9.4 release.

[bungle]

The issue is moved to #2202, and the feature is implemented in #2236. I won't promise, but I think it is going to be released soon, if not with the next version, possibly with the one after it. I will close this now.