Oathkeeper does not support X-Forwarded headers properly
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
Hi Ory Team
I guess the access rules of Ory Oathkeeper do not support X-Forwarded-* headers properly.
Reproducing the bug
Steps to reproduce a bug with x-forwarded headers
- Clone the repo
- Run the docker-compose.yml
- Perform this command:

```sh
curl -v -H "X-Forwarded-Host: dev.pp" -H "X-Forwarded-Proto: http" -H "x-forwarded-port: 4455" http://localhost:4455/header
```

Actual result:

```
404 Not Found
```

Expected result:

```
200 OK
{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "dev.pp",
    "User-Agent": "curl/7.68.0",
    "X-Amzn-Trace-Id": "Root=1-654d02aa-1ed22ecf2a4623d66ae70ac3"
  },
  "json": null,
  "method": "GET",
  "origin": "91.215.139.68",
  "url": "https://dev.pp/anything/header"
}
```
Meanwhile, a request with the Host header works like a charm:

```sh
curl -v -H "Host: dev.pp:4455" http://localhost:4455/header
```
Response:

```
200 OK
{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "dev.pp",
    "User-Agent": "curl/7.68.0",
    "X-Amzn-Trace-Id": "Root=1-654d0c78-4f0df818446962ab50e760ab"
  },
  "json": null,
  "method": "GET",
  "origin": "91.215.139.68",
  "url": "https://dev.pp/anything/header"
}
```
Relevant log output
No response
Relevant configuration
```yaml
log:
  level: debug
  format: json
serve:
  proxy:
    trust_forwarded_headers: true
errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  noop:
    enabled: true
authorizers:
  allow:
    enabled: true
mutators:
  noop:
    enabled: true
```
Version
0.40.6
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
No response
Same issue here with v0.40.7! Ory ppl, I am happy to send logs.
@eratolekov have you been able to sort this out on your end?
nope
I am in the same boat
When taking a look at the code, it seems that the bool trust_forwarded_headers does not tell Oathkeeper Proxy to use the x-forwarded-* headers to match the rules, but rather tells Oathkeeper Proxy to pass some headers to the outbound request, as seen here:
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L112
I dug a bit deeper and I see that the decision API uses the x headers:
https://github.com/ory/oathkeeper/blob/master/api/decision.go#L42
But the Proxy does not:
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L168
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L126
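A standalone Go illustration of the distinction drawn in the comment above (added here, not Oathkeeper's own code): the URL a rule matcher would see for the reporter's two curl requests, where X-Forwarded-* is honoured only when the trust setting is on and the direct TCP peer is a listed proxy. The `effectiveURL` and `peerIsTrusted` helpers and the proxy list are assumptions of this example.

```go
package main

import (
	"net"
	"net/http"
	"net/url"
	"strings"
)

// effectiveURL is an assumed, illustrative helper (not Oathkeeper's code): it
// builds the URL a rule matcher should compare against a rule's match.url.
// Forwarded headers are honoured only when trustForwarded is set AND the direct
// TCP peer is a listed proxy; otherwise any client could choose which rule it
// matches simply by sending its own X-Forwarded-Host.
func effectiveURL(r *http.Request, trustForwarded bool, trustedProxies []string) *url.URL {
	scheme, host := "http", r.Host // what this hop saw: Host header and TLS state
	if r.TLS != nil {
		scheme = "https"
	}
	if trustForwarded && peerIsTrusted(r.RemoteAddr, trustedProxies) {
		if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
			scheme = strings.ToLower(p)
		}
		if h := r.Header.Get("X-Forwarded-Host"); h != "" {
			host = h
		}
		// X-Forwarded-Port is applied only if the forwarded host carries no port.
		if port := r.Header.Get("X-Forwarded-Port"); port != "" && !strings.Contains(host, ":") {
			host = net.JoinHostPort(host, port)
		}
	}
	return &url.URL{Scheme: scheme, Host: host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
}

// peerIsTrusted compares the TCP peer address (never a header value) with the
// configured proxy list. The list itself is an assumption of this example.
func peerIsTrusted(remoteAddr string, trusted []string) bool {
	ip, _, err := net.SplitHostPort(remoteAddr)
	if err != nil { // RemoteAddr without a port
		ip = remoteAddr
	}
	for _, t := range trusted {
		if t == ip {
			return true
		}
	}
	return false
}
```

With trust off, the first curl matches as http://localhost:4455/header; with trust on and the peer listed, both curls resolve to http://dev.pp:4455/header, which is the behaviour the reporter expects.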
Facing the same issue when using Oathkeeper with Kong.
Oathkeeper will not match the route properly when the incoming headers have x-forwarded-*, despite the host and path headers being correct.
And on the Kong side, it is quite hard to disable the x-forwarded headers :(