ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

Oathkeeper does not support X-Forwarded headers properly #1139

Open eratolekov opened 8 months ago

eratolekov commented 8 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

Hi Ory Team

I guess the access rules of Ory Oathkeeper do not support X-Forwarded-* headers properly.

Reproducing the bug

Steps to reproduce a bug with x-forwarded headers

  1. Clone the repo
  2. Run the docker-compose.yml
  3. Perform this command:
    curl -v -H "X-Forwarded-Host: dev.pp" -H "X-Forwarded-Proto: http" -H "x-forwarded-port: 4455"  http://localhost:4455/header

Actual result:

404 Not Found

Expected result:

200 OK

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "dev.pp",
    "User-Agent": "curl/7.68.0",
    "X-Amzn-Trace-Id": "Root=1-654d02aa-1ed22ecf2a4623d66ae70ac3"
  },
  "json": null,
  "method": "GET",
  "origin": "91.215.139.68",
  "url": "https://dev.pp/anything/header"
}

Meanwhile, a request with the Host header works like a charm:

curl -v -H "Host: dev.pp:4455" http://localhost:4455/header

Response:

200 OK

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "dev.pp",
    "User-Agent": "curl/7.68.0",
    "X-Amzn-Trace-Id": "Root=1-654d0c78-4f0df818446962ab50e760ab"
  },
  "json": null,
  "method": "GET",
  "origin": "91.215.139.68",
  "url": "https://dev.pp/anything/header"
}

Relevant log output

No response

Relevant configuration

log:
  level: debug
  format: json
serve:
  proxy:
    trust_forwarded_headers: true
errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  noop:
    enabled: true
authorizers:
  allow:
    enabled: true
mutators:
  noop:
    enabled: true

Version

0.40.6

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response

8th-block commented 2 months ago

Same issue here with v0.40.7! Ory ppl, I am happy to send logs.

@eratolekov have you been able to sort this out on your end?

eratolekov commented 2 months ago

@eratolekov have you been able to sort this out on your end?

nope

robinknaapen commented 1 month ago

I am in the same boat

When taking a look at the code, it seems that the bool trust_forwarded_headers does not tell the Oathkeeper Proxy to use the x-forwarded-* headers to match the rules, but rather tells the Oathkeeper Proxy to pass some headers to the outbound request, as seen here: https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L112

I dug a bit deeper and I see that the decision API uses the x headers: https://github.com/ory/oathkeeper/blob/master/api/decision.go#L42

But the Proxy does not: https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L168 https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L126
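The comment above describes the gap: the decision endpoint rebuilds the request URL from X-Forwarded-* headers before matching rules, while the proxy matches on the raw inbound Host. The snippet below is an added illustration, not Oathkeeper's code, of what such a rebuild looks like and why it must be gated on a trust switch: X-Forwarded-Host is client-controlled, so honoring it from untrusted clients would let a caller pick which access rule applies. The rule type, the `path.Match`-based matcher (a stand-in for Oathkeeper's glob strategy), the helper names and the sample rule are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// accessRule is a hypothetical, minimal stand-in for an Oathkeeper access rule:
// Pattern is matched against the full effective URL with Go's path.Match.
type accessRule struct {
	ID      string
	Pattern string
}

// sampleRules is constructed for this example; it mirrors the issue's
// expectation that a request for dev.pp on port 4455 should match a rule.
var sampleRules = []accessRule{
	{ID: "dev-pp-anything", Pattern: "http://dev.pp:4455/*"},
}

// effectiveURL rebuilds the URL the original client requested. When
// trustForwarded is false, X-Forwarded-* headers are ignored entirely,
// because any client can send them; only a proxy you control should be
// allowed to influence which rule matches. (Assumed logic, not Oathkeeper's.)
func effectiveURL(r *http.Request, trustForwarded bool) *url.URL {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	host := r.Host

	if trustForwarded {
		if p := strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")); p != "" {
			scheme = strings.ToLower(p)
		}
		if h := strings.TrimSpace(r.Header.Get("X-Forwarded-Host")); h != "" {
			// Several proxies may append values; take the first hop only.
			host = strings.TrimSpace(strings.Split(h, ",")[0])
		}
		if port := strings.TrimSpace(r.Header.Get("X-Forwarded-Port")); port != "" {
			// Append the forwarded port only if the host carries none already.
			if _, _, err := net.SplitHostPort(host); err != nil {
				host = net.JoinHostPort(host, port)
			}
		}
	}

	u := *r.URL // copy so the inbound request is left untouched
	u.Scheme = scheme
	u.Host = host
	return &u
}

// matchRule returns the ID of the first rule whose pattern matches u, or "".
func matchRule(rules []accessRule, u *url.URL) string {
	for _, rule := range rules {
		if ok, _ := path.Match(rule.Pattern, u.String()); ok {
			return rule.ID
		}
	}
	return ""
}

// buildRequest constructs an inbound request the way curl in the issue
// would deliver it to localhost:4455, with the given extra headers.
func buildRequest(target string, headers map[string]string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	for k, v := range headers {
		r.Header.Set(k, v) // Header.Set canonicalizes "x-forwarded-port" etc.
	}
	return r
}

func main() {
	// Constructed input: the exact headers from the issue's curl command.
	r := buildRequest("http://localhost:4455/header", map[string]string{
		"X-Forwarded-Host":  "dev.pp",
		"X-Forwarded-Proto": "http",
		"x-forwarded-port":  "4455",
	})
	for _, trust := range []bool{true, false} {
		u := effectiveURL(r, trust)
		fmt.Printf("trust_forwarded_headers=%v -> %s matches rule %q\n", trust, u, matchRule(sampleRules, u))
	}
}
```

With trust enabled the rebuilt URL is http://dev.pp:4455/header and the sample rule matches; with trust disabled the same request resolves to http://localhost:4455/header and no rule matches, which is the 404 the issue reports. A proxy that does not trust the headers should also drop the inbound X-Forwarded-* values before forwarding, so an upstream cannot be fooled by them either.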

alapini commented 3 weeks ago

Facing the same issue when using oathkeeper with kong.

Oathkeeper will not match the route properly when the incoming headers have x-forwarded-*, despite host and path headers being correct.

And on kong side, it is quite hard to disable x-forwarded headers :(