Add ability to pass X-Forwarded-* headers unchanged to upstream #4772
Labels
backlog
Pull requests/issues that are backlog items
good first issue
Issues identified as good for first-time contributors
proposal
An issue that proposes a feature request
Milestone
Problem description
In our app we generate full urls based on
Host
orX-Forwarded-Host
andX-Forwarded-Proto
headers. This is kind of default way in Django apps and there are no much flexibility present to control it, especially when a url is generated not in our code but in 3rd party library code.On the ingress we have a "private" domain name because the app is behind a CloudFront CDN so the "public" domain is configured on CDN. This is what happens with clients requests:
Host: example.com
. It setsX-Forwarded-Host
and passes request to nginx ingress with following headers:X-Forwarded-Host
and passes request to upstream with following headers:You can notice that
X-Forwarded-Host
from CDN gets lost and therefore urls generated by the app looks likehttps://api.services.example.com/*
.Solution I'd like to have
I'm thinking about a couple of options.
Option 1.
Add an annotation config key for ingress resource to tell nginx to pass particular headers to upstream without changes, something like this:
Then in location block in nginx config we would add configuration like this:
I don't 100% like it because it is a custom one and not very intuitive due to different semantics comparing to other annotations that maps 1 to 1 to nginx directives (e.g.
nginx.org/proxy-pass-headers
addsproxy_pass_headers
in config while there are noproxy_set_headers_from_downstream
directive in nginx).Option 2.
Add an annotation that allows to add
proxy_set_header
to location block:I don't 100% like it because of dynamic annotation keys (wouldn't it be hard to parse in controller?). It seems we currently have no dynamic annotation keys.
Alternatives I've considered
We ended up using VirtualHost resource instead of Ingress with following configuration:
It works as we need but we had to use VirtualServer custom resource while I would prefer to have Ingress.
The text was updated successfully, but these errors were encountered: