Open sheaphillips opened 8 years ago
One consideration will be to ensure traffic is reaching our app only from the source IPs expected from the RP, to prevent people from getting around them with something like a hosts file entry. Even SM HTTP headers can be spoofed, so checking for those only helps so much.
Technically nothing different should be required from what people are doing now to ensure this; we may just have different options to accomplish this.
Thanks @ckayfish! I've just opened #15 for the specific scenario you describe.
I believe this issue is addressed by the gateway for HTTP; HTTPS can be worked around with edge or re-encryption with sslcert/key duplication at the OCP route. The ideal solution would be to allow PROXY_PROTOCOL on the OCP HA router.
For applications that will be accessed via existing reverse proxies, do we need to do anything to maintain traffic flowing through them, but destined for OpenShift?
Initial thought would be to use an internal-only DNS name for the app on OpenShift and then configure the RP to use this when forwarding traffic. As long as the OpenShift router is in "pass through" mode, it should work fine.
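
The source-IP consideration raised in this thread, sketched as an added example that is not code from any participant or from the project: identity headers are kept only when the connection's peer address falls inside the RP's networks, and are stripped otherwise. Assumptions: the CIDRs are constructed documentation ranges, the `sm_` header prefix is a placeholder for whatever identity headers the RP sets, and the application sees the RP's real address as the peer (for example via PROXY protocol, as mentioned above).

```python
import ipaddress

# Constructed values: documentation-range CIDRs standing in for the RP's egress addresses.
TRUSTED_RP_NETWORKS = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:10::/64")
]
# Assumption: identity headers set by the RP share this prefix (e.g. SM_USER).
IDENTITY_HEADER_PREFIX = "sm_"


def peer_is_trusted_rp(peer_ip, networks=TRUSTED_RP_NETWORKS):
    """True only if the peer address parses and falls inside an RP network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable peer address: fail closed
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; compare them as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def sanitize_headers(peer_ip, headers):
    """Return (headers, trusted); identity headers survive only for RP peers."""
    if peer_is_trusted_rp(peer_ip):
        return dict(headers), True
    cleaned = {}
    for name, value in headers.items():
        # Treat SM-User and SM_USER alike so a separator variant cannot slip through.
        normalized = name.lower().replace("-", "_")
        if not normalized.startswith(IDENTITY_HEADER_PREFIX):
            cleaned[name] = value
    return cleaned, False


if __name__ == "__main__":
    # Constructed request that bypassed the RP (e.g. via a hosts file entry).
    print(sanitize_headers("203.0.113.9", {"SM_USER": "admin", "Host": "app.example"}))
```

The returned flag lets the caller reject the request outright instead of serving it without identity, which matches the stricter reading of the requirement.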