HTTP header X-Forwarded-Proto not defined correctly on the backend app

[iuriipro]

Hi, we are using Kong behind AWS NLB, where we have ssl/tls termination, also we are using Gateway API with HTTPRoute, so the client connection looks like this:
AWS NLB -> Kong -> Gateway -> HTTPRoute -> k8s-service - backend-app

The backend app is an Express application and should work with secure cookies, for this purpose it should get X-Forwarded-Port 443 and X-Forwarded-Proto https.

But somewhere on the Kong level, X-Forwarded-Port is set to 80 and X-Forwarded-Proto to http.
We have tried to change these headers with the help of KongClusterPlugin post-function and suggestions from this issue #5559

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: pre-function-x-forwarded-headers
  annotations:
    kubernetes.io/ingress.class: kong-internal
  labels:
    global: "true"
plugin: post-function
config:
  access:
    - |
      ngx.var.upstream_x_forwarded_port=443
      ngx.var.upstream_x_forwarded_proto=https

Then X-Forwarded-Port was changed successfully, but X-Forwarded-Proto disappeared at all.
Please suggest what we can do in this case.

Also additional question: If we're not using Ingress and instead want to use Gateway API resources, do we still need to define an annotation with an ingress class for the creation of the plugin, because without it Kong is not recognize a plugin? Is there an annotation for GatewayClass, or do we still need to use IngressClass for this purpose?

Thanks in advance!
Waiting for response.

[randmonkey]

@iuriipro Could you enable KIC's configuration dump server by updating the following environment varaibles of KIC container:

CONTROLLER_DUMP_CONFIG=true

and then expose the diagnostics server on KIC's port 10256:

kubectl port-forward pod/<KIC_POD_NAME> -n <KIC_NAMESPACE> 10256

Then you can dump the results of translated configuration by

curl 127.0.0.1:10256/debug/config/successful

and please paste the "plugin" section of dumped configuration. Then it is clear whether the problem happens in KIC's translation or Kong gateway's processing of the plugin.

[iuriipro]

HI @randmonkey thank you for your reply, here is a dumped configuration:

"plugins": [
      {
        "name": "post-function",
        "config": {
          "access": [
            "ngx.var.upstream_x_forwarded_port=443",
            "ngx.var.upstream_x_forwarded_proto=https"
          ],
          "body_filter": [],
          "certificate": [],
          "header_filter": [],
          "log": [],
          "rewrite": []
        },
        "route": "httproute.default.echoserver-dev.0.0",
        "enabled": true,
        "protocols": [
          "grpc",
          "grpcs",
          "http",
          "https"
        ],
        "tags": [
          "k8s-name:post-function-x-forwarded-headers",
          "k8s-kind:KongClusterPlugin",
          "k8s-uid:f2bdd416-f8d3-4f25-a0b7-df4d819e6da3",
          "k8s-group:configuration.konghq.com",
          "k8s-version:v1"
        ]
      },
      {
        "name": "post-function",
        "config": {
          "access": [
            "ngx.var.upstream_x_forwarded_port=443",
            "ngx.var.upstream_x_forwarded_proto=https"
          ],
          "body_filter": [],
          "certificate": [],
          "header_filter": [],
          "log": [],
          "rewrite": []
        },
        "route": "default.nginx-ingress.echoserver-service.echo-ing.rs-test.dev.test.com.8080",
        "enabled": true,
        "protocols": [
          "grpc",
          "grpcs",
          "http",
          "https"
        ],
        "tags": [
          "k8s-name:post-function-x-forwarded-headers",
          "k8s-kind:KongClusterPlugin",
          "k8s-uid:f2bdd416-f8d3-4f25-a0b7-df4d819e6da3",
          "k8s-group:configuration.konghq.com",
          "k8s-version:v1"
        ]
      }
    ],

[ProBrian]

Hi @iuriipro I've reproduced your issue, since https is a string, you need to quote it, try change it to:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
...
plugin: post-function
config:
  access:
    - |
      ngx.var.upstream_x_forwarded_port=443
      ngx.var.upstream_x_forwarded_proto="https"

Then you will get the upstream_x_forwarded_proto variable correctly.

[iuriipro]

Hi @ProBrian, thank you, rechecked from my side also works.