Hi, I'm using a re-encrypt configuration to preserve the X-Forwarded-For information. The configuration is:

Name: callcentergw-dev-external
Namespace: dev-shared
Created: 17 hours ago
Labels: <none>
Annotations: <none>
Requested Host: callcenter.test.local
  exposed on router router 17 hours ago
Path: <none>
TLS Termination: reencrypt
Insecure Policy: Redirect
Endpoint Port: 443-tcp
Service: callcentergw-dev
Weight: 100 (100%)
Endpoints: 10.131.0.138:443, 10.131.0.138:80

Marcello

On 16 Oct 2017 20:45, "Aleksandar Lazic" <al...@me2digital.eu> wrote:

> Hi Marcello.
>
> on Monday, 16 October 2017 at 15:23 was written:
>
> > Hi,
> > I have tried it and it worked fine but the problem is to override the
> > default wildcard certificate and configure a different certificate,
> > because it's not possible to configure the intermediate CA chain in
> > the admin panel. I tried to configure the CA cert with the root CA and
> > the subordinate CA files and the router is ok but if I navigate to the
> > new route I receive a security error.
>
> do you use a reencrypted or passthrough route?
>
> please can you show us the output of:
>
> oc get route -n your-project
> oc describe route -n your-project your-route
>
> Best Regards
> Aleks
>
> > Marcello
> >
> > On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <al...@me2digital.eu> wrote:
> >
> > Hi Marcello Lorenzi.
> >
> > have you used -servername in s_client?
> >
> > The ssl solution is based on sni ( https://en.wikipedia.org/wiki/Server_Name_Indication )
> >
> > Regards
> > Aleks
> >
> > on Thursday, 12 October 2017 at 13:02 was written:
> >
> > Hi All,
> > thanks for the response and we checked the configuration. If I try
> > to check the certificate propagated with the passthrough configuration
> > with openssl s_client, the certificate provided is the wildcard
> > domain certificate and not that of the pod itself. Is it normal?
> >
> > Thanks,
> > Marcello
> >
> > On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <al...@me2digital.eu> wrote:
> >
> > Hi.
> >
> > Additionally to Joel's suggestion, you can also use a reencrypted route
> > if you want to talk encrypted with the Apache webserver.
> >
> > https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination
> >
> > Regards
> > Aleks
> >
> > on Wednesday, 11 October 2017 at 15:51 was written:
> >
> > Sorry I meant to say, it *cannot modify the http request in any way.
> >
> > On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson <japear...@agiledigital.com.au> wrote:
> >
> > Hi Marcello,
> >
> > If you use Passthrough termination then that means that OpenShift
> > cannot add the X-Forwarded-For header, because as the name suggests it
> > is just passing the packets through and because it's encrypted it can
> > modify the http request in any way.
> >
> > If you want X-Forwarded-For you will need to switch to Edge termination.
> >
> > Thanks,
> >
> > Joel
> >
> > On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <cell...@gmail.com> wrote:
> >
> > Hi All,
> > we tried to configure a route on Origin 3.6 with a Passthrough
> > termination to an Apache webserver present in a single POD but we
> > can't see the X-Forwarded-Header in the Apache logs. We tried to capture
> > it without success.
> >
> > Could you confirm if there is some method to extract it from the POD side?
> >
> > Thanks,
> > Marcello
> >
> > _______________________________________________
> > users mailing list
> > users@lists.openshift.redhat.com
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> >
> > --
> > Kind Regards,
> >
> > Joel Pearson
> > Agile Digital | Senior Software Consultant
> >
> > Love Your Software™ | ABN 98 106 361 273
> > p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au
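
Added example, not part of the thread and not the posters' own configuration: a Route manifest matching the `oc describe route` output in the first message, showing where the served certificate, its CA chain and the backend CA go for reencrypt termination. All PEM bodies are placeholders; the field names are those of the OpenShift Route `spec.tls` object.

```yaml
# Constructed example; certificate and key contents are placeholders.
apiVersion: v1
kind: Route
metadata:
  name: callcentergw-dev-external
  namespace: dev-shared
spec:
  host: callcenter.test.local
  to:
    kind: Service
    name: callcentergw-dev
    weight: 100
  port:
    targetPort: 443-tcp
  tls:
    # The router terminates TLS (so it can add X-Forwarded-For) and then
    # opens a new TLS connection to the pod.
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
    # Certificate served for callcenter.test.local instead of the
    # router's default wildcard certificate.
    certificate: |
      <PLACEHOLDER: PEM server certificate>
    key: |
      <PLACEHOLDER: PEM private key for the server certificate>
    # CA certificate chain for the served certificate; the subordinate
    # (intermediate) CA certificate belongs here.
    caCertificate: |
      <PLACEHOLDER: PEM subordinate CA certificate>
    # CA the router uses to validate the certificate that the Apache
    # pod presents on port 443.
    destinationCACertificate: |
      <PLACEHOLDER: PEM CA certificate that signed the pod's certificate>
```

With a file like this the chain is set through `oc apply -f` rather than the admin panel, and the result can be checked with `openssl s_client -servername callcenter.test.local`, as suggested earlier in the thread.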