
Oathkeeper does not support X-Forwarded headers properly #1139

eratolekov opened this issue Nov 9, 2023 · 4 comments
Labels
bug Something is not working.

Comments

@eratolekov

Preflight checklist

Ory Network Project

No response

Describe the bug

Hi Ory Team

I guess the access rules of Ory Oathkeeper do not support X-Forwarded-* headers properly.

Reproducing the bug

Steps to reproduce a bug with x-forwarded headers

  1. Clone the repo
  2. Run the docker-compose.yml
  3. Perform this command:
curl -v -H "X-Forwarded-Host: dev.pp" -H "X-Forwarded-Proto: http" -H "x-forwarded-port: 4455"  http://localhost:4455/header

Actual result:

404 Not Found

Expected result:

200 OK

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "dev.pp",
    "User-Agent": "curl/7.68.0",
    "X-Amzn-Trace-Id": "Root=1-654d02aa-1ed22ecf2a4623d66ae70ac3"
  },
  "json": null,
  "method": "GET",
  "origin": "91.215.139.68",
  "url": "https://dev.pp/anything/header"
}

While a request with the Host header works like a charm:

curl -v -H "Host: dev.pp:4455" http://localhost:4455/header

Response:

200 OK

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "dev.pp",
    "User-Agent": "curl/7.68.0",
    "X-Amzn-Trace-Id": "Root=1-654d0c78-4f0df818446962ab50e760ab"
  },
  "json": null,
  "method": "GET",
  "origin": "91.215.139.68",
  "url": "https://dev.pp/anything/header"
}

Relevant log output

No response

Relevant configuration

log:
  level: debug
  format: json
serve:
  proxy:
    trust_forwarded_headers: true
errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml
authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  noop:
    enabled: true
authorizers:
  allow:
    enabled: true
mutators:
  noop:
    enabled: true

Version

0.40.6

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response

eratolekov added the "bug" label Nov 9, 2023

8th-block commented Apr 20, 2024

Same issue here with v0.40.7! Ory ppl, I am happy to send logs

@eratolekov have you been able to sort this out on your end?

eratolekov (Author) commented

> @eratolekov have you been able to sort this out on your end?

nope

robinknaapen commented

I am in the same boat

When taking a look at the code, it seems that the bool trust_forwarded_headers does not tell Oathkeeper Proxy to use the x-forwarded-* headers to match the rules, but rather tells Oathkeeper Proxy to pass some headers on to the outbound request, as seen here:
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L112

I dug a bit deeper and I see that the decision API uses the x-forwarded-* headers:
https://github.com/ory/oathkeeper/blob/master/api/decision.go#L42

But the Proxy does not:
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L168
https://github.com/ory/oathkeeper/blob/master/proxy/proxy.go#L126
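The two matching behaviours contrasted in the comment above, written out as an added Go example (not Oathkeeper's code and not posted by anyone in this thread). `Rule`, `Matcher`, `NewRequest` and `DemoMatcher` are hypothetical names; the rule pattern uses `path.Match` globs rather than Oathkeeper's own rule syntax, and the 10.0.0.0/8 trusted-proxy range is an assumed value. Host-only mode reproduces the 404 from the issue (the effective URL stays `http://localhost:4455/header`); forwarded mode rebuilds `http://dev.pp:4455/header` from X-Forwarded-Proto/Host/Port, but only when the TCP peer is a configured proxy, because honouring those headers from any client would let the client choose which rule, and therefore which authenticator and authorizer, applies to its request.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Rule is a minimal stand-in for the match block of an access rule
// (hypothetical type). URLGlob is a shell-style pattern evaluated with
// path.Match, so "*" does not cross a "/".
type Rule struct {
	ID      string
	URLGlob string
}

// Matcher decides which URL a rule is matched against. TrustedProxies lists
// the CIDR ranges of the reverse proxies (Kong, an ALB, ...) whose
// X-Forwarded-* headers may be honoured; any other peer gets Host-only matching.
type Matcher struct {
	Rules          []Rule
	TrustForwarded bool
	TrustedProxies []*net.IPNet
}

// fromTrustedProxy reports whether the TCP peer is one of the configured proxies.
func (m *Matcher) fromTrustedProxy(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	for _, n := range m.TrustedProxies {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// EffectiveURL rebuilds the URL the client originally requested. Host-only
// mode is what the proxy path does today; forwarded mode mirrors the decision
// API, overriding scheme, host and port from X-Forwarded-* when the peer is trusted.
func (m *Matcher) EffectiveURL(r *http.Request) *url.URL {
	scheme, host := "http", r.Host
	if r.TLS != nil {
		scheme = "https"
	}
	if m.TrustForwarded && m.fromTrustedProxy(r) {
		if v := r.Header.Get("X-Forwarded-Proto"); v != "" {
			scheme = strings.ToLower(v)
		}
		if v := r.Header.Get("X-Forwarded-Host"); v != "" {
			host = v
		}
		if p := r.Header.Get("X-Forwarded-Port"); p != "" {
			h, _, err := net.SplitHostPort(host)
			if err != nil { // no port in the forwarded host yet
				h = host
			}
			host = net.JoinHostPort(h, p)
		}
	}
	return &url.URL{Scheme: scheme, Host: host, Path: r.URL.Path}
}

// Match returns the first rule whose glob matches the effective URL.
func (m *Matcher) Match(r *http.Request) (Rule, bool) {
	u := m.EffectiveURL(r).String()
	for _, rule := range m.Rules {
		if ok, _ := path.Match(rule.URLGlob, u); ok {
			return rule, true
		}
	}
	return Rule{}, false
}

// NewRequest builds a request as the proxy port would see it
// (constructed sample input, not captured traffic).
func NewRequest(target, remote string, hdr map[string]string) *http.Request {
	r, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		panic(err)
	}
	r.RemoteAddr = remote
	for k, v := range hdr {
		r.Header.Set(k, v)
	}
	return r
}

// DemoMatcher mirrors the thread's setup: one rule for dev.pp on port 4455,
// with proxies in 10.0.0.0/8 trusted (assumed range).
func DemoMatcher(trustForwarded bool) *Matcher {
	_, proxyNet, _ := net.ParseCIDR("10.0.0.0/8")
	return &Matcher{
		Rules:          []Rule{{ID: "dev-pp-header", URLGlob: "http://dev.pp:4455/*"}},
		TrustForwarded: trustForwarded,
		TrustedProxies: []*net.IPNet{proxyNet},
	}
}

func main() {
	fwd := map[string]string{"X-Forwarded-Host": "dev.pp", "X-Forwarded-Proto": "http", "X-Forwarded-Port": "4455"}
	for _, trust := range []bool{false, true} {
		m := DemoMatcher(trust)
		r := NewRequest("http://localhost:4455/header", "10.1.2.3:51000", fwd)
		_, ok := m.Match(r)
		fmt.Printf("trust=%v effective=%s matched=%v\n", trust, m.EffectiveURL(r), ok)
	}
}
```

The peer check is the part worth keeping whichever way the proxy is eventually fixed: a `trust_forwarded_headers`-style switch that applies to every peer turns the X-Forwarded-Host header into a rule selector for anyone who can reach the proxy port directly.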

alapini commented Jun 20, 2024

Facing the same issue when using oathkeeper with kong.

Oathkeeper will not match the route properly when the incoming headers have x-forwarded-*, despite the host and path headers being correct.

And on kong side, it is quite hard to disable x-forwarded headers :(
