TLS Termination 'X-Forwarded-Proto' about oathkeeper HOT 6 CLOSED

Good point. We haven't covered how this works internally yet. I think with the beta.8 release of ORY Hydra this will get easier because we separate admin and public endpoints. You could probably run admin port with HTTP (no TLS termination) as it's inwards facing and talk to it directly.

Faking the proto header in Oathkeeper is also an option, although it sort of defeats the purpose of the header. We'll try to come up with a solution in case the admin/public port doesn't suit you.

from oathkeeper.

In fact, traefik is the TLS termination edge, right? So that should set the X-Forwarded-Proto header, not this proxy (unless oathkeeper is the TLS edge). Since Oathkeeper forwards all headers - except sensitives one that are filtered like Authorization - that should work out of the box. I'm closing this, but let me know if I missed a spot.

from oathkeeper.

Im not sure, but usually if a request run behind the LB / traefik proxy, it will direct talk to hydra, instead of go thought traefik and go back to hydra again

like my case, im using k8s Service Endpoint for the introspection_url of oathkeeper , turn out k8s will not include any extra header "X-Forwarded-Proto", as it havent go to the ingress controller or traefik controller; that means your application needed to add it, but as i go thought the source code you wrote

it has not include "X-Forwarded-Proto" in the header, those hydra will reject it , even you include your internal IP in allow_termination_from setting

from oathkeeper.

Yeah, I can see that! Reopening.

from oathkeeper.

serve hydra admin and hydra public into 2 dockers, it is one of the solution too (as you mentioned, but im not sure what is the impact), at least it cant use memory database for testing purpose ^^

from oathkeeper.

Resolved via: https://github.com/ory/oathkeeper/blob/master/pipeline/authn/authenticator_oauth2_introspection.go#L30

from oathkeeper.