Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x-forwarded-proto: https added to HTTP inter-service calls by app name #1308

Open
1 task done
CezaryKlus opened this issue Oct 5, 2024 · 2 comments
Open
1 task done

x-forwarded-proto: https added to HTTP inter-service calls by app name #1308

CezaryKlus opened this issue Oct 5, 2024 · 2 comments
Labels
Needs: Investigation Issue has been assigned and tagged, pending them to process it

Comments

@CezaryKlus
Copy link

CezaryKlus commented Oct 5, 2024
edited
Loading

This issue is a:

  • bug report

Issue description

Calling from inside of the custom Vnet-integrated internal ACA environment:

curl **http**://api

On the api side in logs I find

Request starting HTTP/1.1 GET **http**://api
...
x-forwarded-proto: **https**
...
Request finished HTTP/1.1 GET **https:**//

This e.g. breaks internal IdentityServer calls that emit the https:// issuer instead of http://

Ingress configuration:

"ingress": {
    "external": false,
    "targetPort": 8080,
    "transport": "Auto",
    "traffic": [
        {
            "weight": 100,
            "latestRevision": true
        }
    ],
    "allowInsecure": true,
},

UseForwardedHeaders() is being used in our Apps.

Expected behavior
x-forwarded-proto equals to http when the request is HTTP

Actual behavior
x-forwarded-proto equals to https when the request is HTTP
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: triage 🔍 Pending a first pass to read, tag, and assign label Oct 5, 2024
@anthonychu anthonychu added Needs: Investigation Issue has been assigned and tagged, pending them to process it and removed Needs: triage 🔍 Pending a first pass to read, tag, and assign labels Oct 16, 2024
@Tratcher
Copy link
Member

I was able to repro this and see where the confusion is coming from.

Short names like api are routed through the envoy sidecar container, which then uses https to communicate with the main envoy instance. That intermediate https is what causes envoy to add x-forwarded-proto: https.

Workaround: use the FQDN to bypass the envoy sidecar and communicate directly with the main envoy instance using http.
http://api.internal.kindwater-1f6ab775.azurecontainerapps.io.

We'll consider if there are other ways to enable this scenario in the future.

@CezaryKlus
Copy link
Author

Unfortunately, our solution heavily relies on simple names for inter-service calls. We resorted to a workaround to set the dynamically resolved URLs to fixed ones.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Needs: Investigation Issue has been assigned and tagged, pending them to process it
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Tratcher @anthonychu @CezaryKlus