Closed simonpie closed 7 years ago
Yes, the behavior between 0.10 and 0.11 indeed changed regarding the X-Forwarded-* headers, as noted in the release notes.
The X-Forwarded-* headers are now implemented as per their standard interpretation, instead of carrying Kong-specific information. The behavior you are seeing seems to be the one we intend to provide for Kong users. We do have plans to add X-Kong-Matched-* headers, that would carry upstream information about how a given request was matched and proxied (such headers would have to be configurable, or provided by a plugin because we do not wish to include them by default).
Summary
Behaviour of Kong changed between 0.10 and 0.11. Now, the x-forwarded-host will be set to the original host in the original uri and cannot be removed even using the request transformer.
Steps To Reproduce
Publish an api and have kong be fronted by a reverse proxy, then look at what the upstream for the api receives.
One can simulate this by having two apis:
1) First api: A, with uri /test and upstream localhost:8000/testupstream
2) Second api: B, with uri /testupstream and use the terminating plugin.

When you look at the log of the second api, you can see that x-forwarded-host will be the host name in the uri of the first api. For example, if I call api.mycompany.org:8000/test I will have the x-forwarded-for in the second api set to api.mycompany.org
Additional Details & Logs
$ kong version
0.11.0

$ kong start --vv
```
kong start --vv
2017/09/14 17:34:52 [verbose] Kong: 0.11.0
2017/09/14 17:34:52 [debug] ngx_lua: 10008
2017/09/14 17:34:52 [debug] nginx: 1011002
2017/09/14 17:34:52 [debug] Lua: LuaJIT 2.1.0-beta2
2017/09/14 17:34:52 [verbose] reading config file at /etc/kong/kong.conf
2017/09/14 17:34:52 [debug] admin_access_log = "logs/admin_access.log"
2017/09/14 17:34:52 [debug] admin_error_log = "logs/error.log"
2017/09/14 17:34:52 [debug] admin_http2 = false
2017/09/14 17:34:52 [debug] admin_listen = "127.0.0.1:8001"
2017/09/14 17:34:52 [debug] admin_listen_ssl = "127.0.0.1:8444"
2017/09/14 17:34:52 [debug] admin_ssl = true
2017/09/14 17:34:52 [debug] admin_ssl_cert = "/usr/local/kong/ssl/admin-kong-dev.crt"
2017/09/14 17:34:52 [debug] admin_ssl_cert_key = "/usr/local/kong/ssl/admin-kong-dev.key"
2017/09/14 17:34:52 [debug] anonymous_reports = true
2017/09/14 17:34:52 [debug] cassandra_consistency = "LOCAL_QUORUM"
2017/09/14 17:34:52 [debug] cassandra_contact_points = {"dvllcs01a","dvllcs01b","dvllcs02a"}
2017/09/14 17:34:52 [debug] cassandra_data_centers = {"DCStJoseph:3","DCViger:3"}
2017/09/14 17:34:52 [debug] cassandra_keyspace = "kong"
2017/09/14 17:34:52 [debug] cassandra_lb_policy = "RoundRobin"
2017/09/14 17:34:52 [debug] cassandra_password = "**"
2017/09/14 17:34:52 [debug] cassandra_port = 9042
2017/09/14 17:34:52 [debug] cassandra_repl_factor = 3
2017/09/14 17:34:52 [debug] cassandra_repl_strategy = "NetworkTopologyStrategy"
2017/09/14 17:34:52 [debug] cassandra_schema_consensus_timeout = 10000
2017/09/14 17:34:52 [debug] cassandra_ssl = false
2017/09/14 17:34:52 [debug] cassandra_ssl_verify = false
2017/09/14 17:34:52 [debug] cassandra_timeout = 5000
2017/09/14 17:34:52 [debug] cassandra_username = "kong"
2017/09/14 17:34:52 [debug] client_body_buffer_size = "64k"
2017/09/14 17:34:52 [debug] client_max_body_size = "0"
2017/09/14 17:34:52 [debug] client_ssl = false
2017/09/14 17:34:52 [debug] custom_plugins = {"token-transformation"}
2017/09/14 17:34:52 [debug] database = "cassandra"
2017/09/14 17:34:52 [debug] db_cache_ttl = 3600
2017/09/14 17:34:52 [debug] db_update_frequency = 5
2017/09/14 17:34:52 [debug] db_update_propagation = 1
2017/09/14 17:34:52 [debug] dns_error_ttl = 1
2017/09/14 17:34:52 [debug] dns_hostsfile = "/etc/hosts"
2017/09/14 17:34:52 [debug] dns_no_sync = false
2017/09/14 17:34:52 [debug] dns_not_found_ttl = 30
2017/09/14 17:34:52 [debug] dns_order = {"LAST","SRV","A","CNAME"}
2017/09/14 17:34:52 [debug] dns_resolver = {}
2017/09/14 17:34:52 [debug] dns_stale_ttl = 4
2017/09/14 17:34:52 [debug] error_default_type = "text/plain"
2017/09/14 17:34:52 [debug] http2 = false
2017/09/14 17:34:52 [debug] latency_tokens = true
2017/09/14 17:34:52 [debug] log_level = "notice"
2017/09/14 17:34:52 [debug] lua_code_cache = "on"
2017/09/14 17:34:52 [debug] lua_package_cpath = ""
2017/09/14 17:34:52 [debug] lua_package_path = "/plugins/kong-plugin-token-transformation/?.lua;;"
2017/09/14 17:34:52 [debug] lua_socket_pool_size = 30
2017/09/14 17:34:52 [debug] lua_ssl_verify_depth = 1
2017/09/14 17:34:52 [debug] mem_cache_size = "128m"
2017/09/14 17:34:52 [debug] nginx_daemon = "on"
2017/09/14 17:34:52 [debug] nginx_optimizations = true
2017/09/14 17:34:52 [debug] nginx_user = "kong kong"
2017/09/14 17:34:52 [debug] nginx_worker_processes = "auto"
2017/09/14 17:34:52 [debug] pg_database = "kong"
2017/09/14 17:34:52 [debug] pg_host = "127.0.0.1"
2017/09/14 17:34:52 [debug] pg_port = 5432
2017/09/14 17:34:52 [debug] pg_ssl = false
2017/09/14 17:34:52 [debug] pg_ssl_verify = false
2017/09/14 17:34:52 [debug] pg_user = "kong"
2017/09/14 17:34:52 [debug] prefix = "/usr/local/kong/"
2017/09/14 17:34:52 [debug] proxy_access_log = "logs/access.log"
2017/09/14 17:34:52 [debug] proxy_error_log = "logs/error.log"
2017/09/14 17:34:52 [debug] proxy_listen = "0.0.0.0:8000"
2017/09/14 17:34:52 [debug] proxy_listen_ssl = "0.0.0.0:8443"
2017/09/14 17:34:52 [debug] real_ip_header = "X-Real-IP"
2017/09/14 17:34:52 [debug] real_ip_recursive = "off"
2017/09/14 17:34:52 [debug] server_tokens = true
2017/09/14 17:34:52 [debug] ssl = true
2017/09/14 17:34:52 [debug] ssl_cert = "/usr/local/kong/ssl/kong-dev.crt"
2017/09/14 17:34:52 [debug] ssl_cert_key = "/usr/local/kong/ssl/kong-dev.key"
2017/09/14 17:34:52 [debug] ssl_cipher_suite = "modern"
2017/09/14 17:34:52 [debug] ssl_ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
2017/09/14 17:34:52 [debug] trusted_ips = {}
2017/09/14 17:34:52 [debug] upstream_keepalive = 60
2017/09/14 17:34:52 [verbose] prefix in use: /usr/local/kong
2017/09/14 17:34:52 [debug] sending signal to pid at: /usr/local/kong/pids/nginx.pid
2017/09/14 17:34:52 [debug] kill -0 `cat /usr/local/kong/pids/nginx.pid` >/dev/null 2>&1
2017/09/14 17:34:52 [verbose] preparing nginx prefix directory at /usr/local/kong
2017/09/14 17:34:52 [warn] ulimit is currently set to "1024". For better performance set it to at least "4096" using "ulimit -n"
2017/09/14 17:34:53 [warn] Unable to set kong env permissions:
2017/09/14 17:34:53 [verbose] checking Cassandra schema consensus...
2017/09/14 17:34:53 [verbose] Cassandra schema consensus: reached
2017/09/14 17:34:53 [debug] searching for OpenResty 'nginx' executable
2017/09/14 17:34:53 [debug] /usr/local/openresty/nginx/sbin/nginx -v: 'nginx version: openresty/1.11.2.4'
2017/09/14 17:34:53 [debug] found OpenResty 'nginx' executable at /usr/local/openresty/nginx/sbin/nginx
2017/09/14 17:34:53 [debug] sending signal to pid at: /usr/local/kong/pids/nginx.pid
2017/09/14 17:34:53 [debug] kill -0 `cat /usr/local/kong/pids/nginx.pid` >/dev/null 2>&1
2017/09/14 17:34:53 [debug] starting nginx: /usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf
2017/09/14 17:34:53 [verbose] could not start Kong, stopping services
2017/09/14 17:34:53 [debug] sending signal to pid at: /usr/local/kong/pids/nginx.pid
2017/09/14 17:34:53 [debug] kill -0 `cat /usr/local/kong/pids/nginx.pid` >/dev/null 2>&1
2017/09/14 17:34:53 [verbose] stopped services
Error: /usr/local/share/lua/5.1/kong/cmd/start.lua:62: /usr/local/share/lua/5.1/kong/cmd/start.lua:51: nginx: [alert] could not open error log file: open() "/usr/local/kong/logs/error.log" failed (13: Permission denied)
2017/09/14 17:34:53 [warn] 30775#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/kong/nginx.conf:1
2017/09/14 17:34:53 [emerg] 30775#0: open() "/usr/local/kong/logs/error.log" failed (13: Permission denied)
stack traceback:
  [C]: in function 'error'
  /usr/local/share/lua/5.1/kong/cmd/start.lua:62: in function 'cmd_exec'
  /usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:88>
  [C]: in function 'xpcall'
  /usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:45>
  /usr/local/bin/kong:7: in function 'file_gen'
  init_worker_by_lua:38: in function
  [C]: in function 'xpcall'
  init_worker_by_lua:45: in function
```

<KONG_PREFIX>/logs/error.log
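
The X-Forwarded-* behaviour discussed in this issue, as a simplified model (an added example, not Kong's code and not part of the original thread): it shows why an upstream sees the host the proxy observed unless the peer that set the header is trusted. The function names, the sample addresses and the trust rule for proto/host/port are assumptions, modelled on the `trusted_ips = {}` setting visible in the startup log.

```python
import ipaddress

def is_trusted(peer_ip, trusted_ips):
    """True if the directly connected peer is inside a trusted CIDR block."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(block) for block in trusted_ips)

def host_without_port(host_header):
    """Strip the port from a Host header value, keeping IPv6 literals intact."""
    if host_header.startswith("["):  # e.g. [::1]:8000
        return host_header[: host_header.index("]") + 1]
    return host_header.split(":", 1)[0]

def forwarded_headers(peer_ip, headers, scheme, port, trusted_ips):
    """Model of the X-Forwarded-* headers a proxy sends upstream.

    headers: incoming request headers with lower-case names.
    scheme/port: what the proxy itself observed on the client connection.
    """
    own = {
        "x-forwarded-proto": scheme,
        "x-forwarded-host": host_without_port(headers["host"]),
        "x-forwarded-port": str(port),
    }
    if is_trusted(peer_ip, trusted_ips):
        # A trusted front proxy already described the real client request.
        out = {name: headers.get(name, value) for name, value in own.items()}
    else:
        # Untrusted peer: discard whatever it claimed, use observed values.
        out = dict(own)
    # X-Forwarded-For is a chain: append the peer to any existing list.
    chain = headers.get("x-forwarded-for")
    out["x-forwarded-for"] = f"{chain}, {peer_ip}" if chain else peer_ip
    return out

# Constructed sample requests (addresses and host names are made up,
# except api.mycompany.org:8000, which is the example host from the issue).
DIRECT = {"host": "api.mycompany.org:8000", "x-forwarded-host": "spoofed.example"}
VIA_PROXY = {"host": "kong.internal:8000", "x-forwarded-host": "api.mycompany.org",
             "x-forwarded-proto": "https", "x-forwarded-for": "203.0.113.7"}

if __name__ == "__main__":
    # Empty trust list, as in the startup log: client-supplied values are replaced.
    print(forwarded_headers("203.0.113.7", DIRECT, "http", 8000, []))
    # With the front proxy's block trusted, its headers pass through.
    print(forwarded_headers("10.0.0.5", VIA_PROXY, "http", 8000, ["10.0.0.0/8"]))
```

With an empty trust list, the same proxied request yields `kong.internal` as the forwarded host, which is the case to check when a reverse proxy sits in front of the gateway.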