TLS Termination 'X-Forwarded-Proto' #95
Comments
|
Good point. We haven't covered how this works internally yet. I think with the Faking the proto header in Oathkeeper is also an option, although it sort of defeats the purpose of the header. We'll try to come up with a solution in case the admin/public port doesn't suit you. |
|
In fact, traefik is the TLS termination edge, right? So that should set the |
|
Im not sure, but usually if a request run behind the LB / traefik proxy, it will direct talk to hydra, instead of go thought traefik and go back to hydra again like my case, im using k8s Service Endpoint for the introspection_url of oathkeeper , turn out k8s will not include any extra header "X-Forwarded-Proto", as it havent go to the ingress controller or traefik controller; that means your application needed to add it, but as i go thought the source code you wrote it has not include "X-Forwarded-Proto" in the header, those hydra will reject it , even you include your internal IP in allow_termination_from setting |
|
Yeah, I can see that! Reopening. |
|
serve hydra admin and hydra public into 2 dockers, it is one of the solution too (as you mentioned, but im not sure what is the impact), at least it cant use memory database for testing purpose ^^ |
Hello again,
I am using full stack of your applications. I am having a problem now with working behind a proxy (traefik) that drops the tls. I would like to connect oathkeeper to the hydra within internal web but the hydra requires the 'X-Forwarded-Proto':'https' header.
Could you add please the feature that adds the XFP header i.e. using the environment variables when the protocol is 'http'?
The text was updated successfully, but these errors were encountered: