Hi,
I'm using a re-encrypt configuration to preserve the x-forwarded-for
information. The configuration is:
Name: callcentergw-dev-external
Namespace: dev-shared
Created: 17 hours ago
Labels: <none>
Annotations: <none>
Requested Host: callcenter.test.local
exposed on router router 17 hours ago
Path: <none>
TLS Termination: reencrypt
Insecure Policy: Redirect
Endpoint Port: 443-tcp
Service: callcentergw-dev
Weight: 100 (100%)
Endpoints: 10.131.0.138:443, 10.131.0.138:80
Marcello
On 16 Oct 2017 20:45, "Aleksandar Lazic" <[email protected]> wrote:
> Hi Marcello.
>
> on Monday, 16 October 2017 at 15:23 was written:
>
> > Hi,
> > I have tried it and it worked fine but the problem is override the
> > default wildcard certificate and configure a different certificate,
> > because it's not possible to configure the intermediate CA chain into
> > the admin panel. I tried to configure the CA cert with the root CA and
> > the subordinate CA files and the router is ok but if I navigate the
> > new route I received a security error.
>
> do you use reencrypted or passthrough route
>
> please can you show us the output of.
>
> oc get route -n your-project
> oc describe route -n your-project your-route
>
> Best Regards
> Aleks
>
>
> > Marcello
>
> > On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <[email protected]>
> > wrote:
>
> >
> > Hi Marcello Lorenzi.
>
> > have you used -servername in s_client?
>
> > The ssl solution is based on sni (
> > https://en.wikipedia.org/wiki/Server_Name_Indication )
>
> > Regards
> > Aleks
>
> > on Thursday, 12 October 2017 at 13:02 was written:
>
>
>
> > Hi All,
> > thanks for the response and we checked the configuration. If I tried
> > to check the certificated propagate with the passthrough configuration
> > with openssl s_client and the certificate provided is the wildcard
> > domain certificate and not the pod itself. Is it normal?
>
> > Thanks,
> > Marcello
>
> > On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <[email protected]>
> > wrote:
>
> > Hi.
>
> > Additionally to joel suggestion can you also use reencrypted route
> > if you want to talk encrypted with apache webserver.
>
> > https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination
>
> > Regards
> > Aleks
>
> > on Wednesday, 11 October 2017 at 15:51 was written:
>
>
> > Sorry, I meant to say, it *cannot modify the http request in any way.
> > On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson
> > <[email protected]> wrote:
>
> > Hi Marcelo,
>
> > If you use Passthrough termination then that means that OpenShift
> > cannot add the X-Forwarded-For header, because as the name suggests it
> > is just passing the packets through and because it’s encrypted it can
> > modify the http request in any way.
>
> > If you want X-Forwarded-For you will need to switch to Edge termination.
>
> > Thanks,
>
> > Joel
> > On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <[email protected]>
> > wrote:
>
> > Hi All,
> > we tried to configure a route on Origin 3.6 with a Passthrough
> > termination to an Apache webserver present into a single POD but we
> > can't notice the X-Forwarded-Header to Apache logs. We tried to capture
> > it without success.
>
> > Could you confirm if there are some method to extract it from the POD
> > side?
>
> > Thanks,
> > Marcello
> > _______________________________________________
> > users mailing list
> > [email protected]
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> > --
> > Kind Regards,
>
> > Joel Pearson
> > Agile Digital | Senior Software Consultant
>
> > Love Your Software™ | ABN 98 106 361 273
> > p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au
>