Support X-Forwarded-Proto Header for Device URL

deisterhold · August 8, 2019, 10:02pm

Please add support for the x-forwarded-proto header so that when an application is running behind the proxy and accessed using the device url, the app can determine the protocol used to connect to it.

pdcastro · August 9, 2019, 12:30am

Thank you for this feature request! I will forward it to the team to find out exactly which component the implementation belongs to, and to add it to our regular feature discussions and triaging.

imrehg · August 13, 2019, 10:04am

Hi @regedad, it seems like your question is incomplete? Can you please elaborate?

wrboyce · August 14, 2019, 12:48pm

Hi @deisterhold,

I’ve taken a look at this and unfortunately it is not possible given our setup. We terminate SSL at our layer 4 load balancers so by the time the Proxy service is handling the request it believes it is handling a http request, so the X-Forwarded-Proto would be reported as http. There are various reasons why we do not/cannot operate the load balancers at layer 7 (which would allow them to insert the appropriate X-Forwarded-* headers) but it boils down to a requirement to use ProxyProtocol between the Load Balancers and the Proxy service.

regedad · September 10, 2019, 10:24am

Sarkari Result Pnr Status 192.168.l.l

hedss · September 10, 2019, 12:14pm

Hi @regedad,

Unfortunately the thread your comment is in doesn’t give me any context. Could you please expand your comment into a full question for us, please?

Best regards,

Heds

ab77 · December 15, 2020, 10:58pm

… for posterity and assuming all traffic is only HTTPS, a haproxy container listening on device URL port 80 and forwarding traffic to the payload container on some other local port is a valid workaround.

We’ve hit this issue with Jenkins, proxied via balena device URLs. Since the web browser client is communicating over HTTPS via a device URL, but the traffic coming out of the device URL SNI tunnel into Jenkins is HTTP, Jenkins, in absence of appropriate X-Forwarded-For-Proto header will (rightfully) redirect every request back to HTTP, which is undesirable for obvious resons.

A haproxy between device URLs tunnel and Jenkins, with the following simple config sorts this out (e.g.):

global
    log stdout format raw daemon debug

defaults
    log global
    mode http
    timeout client    30s
    timeout server    30s
    timeout connect   30s

frontend balena-jenkins-http-frontend
    bind :::80 v4v6
    use_backend balena-jenkins-http-backend

backend balena-jenkins-http-backend
    http-request add-header X-Forwarded-Proto https
    server balena-jenkins jenkins-master:1234