Open rauanmayemir opened 1 year ago
IIUC, there was a decent resolution where a server accepted HTTP traffic, BUT only if it had an inbound X-Forwarded-Proto: https
header. This signaled the workload is behind proxy and https is in-place.
Turns out hydra redirected to HTTPS not because it didn't like HTTP, but because it wanted /admin/oauth2/introspect
instead of /oauth2/introspect
(not seeing the endpoint part in the logs even in debug mode is what made it all confusing). #3339 is essentially the same issue.
I would still like to state that the DX of this change made it worse. My endpoint is already a hydra-admin
that runs on a separate port than public, introducing the change now was not necessary unless the ports were unified into a single endpoint.
Preflight checklist
Describe the bug
After upgrading to V2, there is no longer a
--dangerous-force-http
option.--dev
mode allows inboundhttp
request, but internally redirects tohttps
.First of all,
http
is not 'dangerous' as the defunct option suggested. Forcing everyone to deal with TLS inside the workload when people could have varying setups is overreaching.Hydra should not redirect to https at least because it is usually operated internally without exposing it to public. So TLS is terminated at the gateway level and the traffic inside the cluster is not encrypted.
Even if I use mTLS for internal traffic, it could still be handled by other tools, e.g istio will encrypt on the transport level but then still terminate mTLS on the sidecar, so that way the workload never has to bother and deal with certificates, keys, etc.
Bonus point: internal endpoints can only use self-signed certificates, but oathkeeper will not be able to call such endpoints because it doesn't support self-signed and will fail to process requests.
Reproducing the bug
--dev
optionRelevant log output
No response
Relevant configuration
No response
Version
2.0.3
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes
Additional Context
No response