x-forwarded-proto is always HTTP when Fabio is behind ELB #308

Open
hauleth opened this issue Jun 21, 2017 · 6 comments
@hauleth

hauleth commented Jun 21, 2017

I have applications hidden behind ELB and Fabio and x-forwarded-proto is always http even when connecting via HTTPS.

ELB configuration is here: https://github.com/appunite/terraform-modules/blob/68c0cd1df550d379141aa4be7e25f30938d2a443/aws/elb/main.tf

And sample headers list is:

```
[
  {"host", "sample.example.com"},
  {"user-agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.4 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.4"},
  {"accept", "image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"},
  {"accept-encoding", "gzip, deflate"},
  {"accept-language", "pl-pl"},
  {"cache-control", "max-age=0"},
  {"forwarded", "for=77.65.83.86; proto=http; by=10.66.101.29; httpproto=http/1.1"},
  {"if-none-match", "1016597"},
  {"referer", "https://sample.example.com/menu"},
  {"x-forwarded-for", "77.65.83.86"},
  {"x-forwarded-port", "80"},
  {"x-forwarded-proto", "http"},
  {"x-real-ip", "77.65.83.86"}
]
```

@magiconair
Contributor

fabio does not touch the X-Forwarded-Proto header if it is set:

https://github.com/fabiolb/fabio/blob/master/proxy/http_headers.go#L48-L64

and the way I read the AWS docs on the ELB and SSL termination, the ELB should set it to https:

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html#x-forwarded-proto

Based on your comment from #296 I assume that isn't the case. Do you know why?

@hauleth
Author

hauleth commented Jun 21, 2017

Ok, after further investigation it seems that there is no support in ELB for WebSockets, so when one connects to ELB and termination happens, there are no x-forwarded- headers. However, this still presents a bug in Fabio, as PROXY protocol reveals the connection port (which I could use as a replacement); however, it always sets it to 80 from what I see.

@magiconair
Contributor

Hmm, could you try using the port from the RemoteAddr instead?

https://github.com/fabiolb/fabio/blob/master/proxy/http_headers.go#L22

and set it here with strconv.Itoa()?

https://github.com/fabiolb/fabio/blob/master/proxy/http_headers.go#L67

@hauleth
Author

hauleth commented Jun 30, 2017

@magiconair I am not familiar with Go and Fabio internals, so I am not quite sure what you are saying.

@magiconair
Contributor

Ah, ok. I thought you could make a simple patch and rebuild it since I was in a hurry but wanted to give something to you to test. I'll provide a proper patch and instructions.

magiconair added this to the Unplanned milestone on Oct 10, 2017

@shuoyenl

shuoyenl commented Oct 9, 2018

Hi, I was looking into the same recently. My understanding is that AWS ELB does support WebSockets with TCP/SSL being used. It also supports proxy protocol v1 to carry over the original connection information. Fabio, however, only sets X-Forwarded-For when it's websocket (i.e. header Upgrade is set to "websocket"). And that could potentially break backend services that rely on the header but don't use websocket. Also, proxy protocol v1 does not seem to keep the protocol of the original request. So there may be no way for fabio to know the protocol used between the client and the ELB. Please let me know if it makes sense / if I miss anything. Thanks.
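
The point raised in the comments above, as an added example that is not part of the thread or of Fabio's code: a PROXY protocol v1 line carries only addresses and ports, so the forwarded scheme has to be derived from the listener port the client connected to. It assumes a TCP/SSL listener that passes HTTP headers through untouched (so any X-Forwarded-* value that arrives came from the client and is overwritten); the function names and the `tlsPorts` set are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strconv"
	"strings"
)

// ParseProxyV1 parses "PROXY TCP4|TCP6 src dst srcport dstport\r\n" and
// returns the client address and the listener port the client connected to.
// The line carries addresses and ports only; it has no protocol field.
func ParseProxyV1(line string) (net.IP, int, error) {
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(line) > 107 || !strings.HasSuffix(line, "\r\n") || len(f) != 6 ||
		f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, 0, fmt.Errorf("malformed or unsupported PROXY v1 line")
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	_, err1 := strconv.ParseUint(f[4], 10, 16)
	dp, err2 := strconv.ParseUint(f[5], 10, 16)
	if src == nil || dst == nil || err1 != nil || err2 != nil {
		return nil, 0, fmt.Errorf("bad address or port in PROXY v1 line")
	}
	return src, int(dp), nil
}

// SetForwarded replaces any X-Forwarded-* values on the request with ones
// derived from the PROXY line. tlsPorts (hypothetical, operator-supplied)
// lists the listener ports that terminate TLS.
func SetForwarded(h http.Header, src net.IP, dstPort int, tlsPorts map[int]bool) {
	proto := "http"
	if tlsPorts[dstPort] {
		proto = "https"
	}
	h.Set("X-Forwarded-For", src.String())
	h.Set("X-Forwarded-Port", strconv.Itoa(dstPort))
	h.Set("X-Forwarded-Proto", proto)
}

func main() {
	// Constructed sample: addresses as in the issue, ports made up.
	src, port, err := ParseProxyV1("PROXY TCP4 77.65.83.86 10.66.101.29 51234 443\r\n")
	h := http.Header{"X-Forwarded-Proto": {"http"}} // value a client could send
	SetForwarded(h, src, port, map[int]bool{443: true})
	fmt.Println(h, err)
}
```

The port-to-scheme mapping only holds if the operator keeps `tlsPorts` in step with the load balancer's listener configuration.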
