-
Notifications
You must be signed in to change notification settings - Fork 347
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Support Client IP Detection using XFF on ClientTrafficPolicy #2535
feat: Support Client IP Detection using XFF on ClientTrafficPolicy #2535
Conversation
a91f771
to
622273f
Compare
…Policy Signed-off-by: David Alger <davidmalger@gmail.com>
622273f
to
c3d18a4
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #2535 +/- ##
==========================================
- Coverage 64.50% 64.46% -0.05%
==========================================
Files 116 116
Lines 17757 17790 +33
==========================================
+ Hits 11455 11468 +13
- Misses 5560 5579 +19
- Partials 742 743 +1 ☔ View full report in Codecov by Sentry. |
thanks for building this out @davidalger . Here's how I'm hoping we can make progress in this PR
|
I'm +1 for that. In fact, I've already proposed this in #2500 . |
I like the idea of organizing things better, but not 100% sure @arkodg Since HCM supports either a combination of originalIpDetection:
useRemoteAddress: true # True by default, false if `extensions` is specified (not present in CRD, as suggested)
xffNumTrustedHops: number # Mutually exclusive with `extensions` configures `xff_num_trusted_hops` HCM built-in
extensions:
# Configures type.googleapis.com/envoy.extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig
customHeader:
headerName: string
rejectWithStatus: enum
# Configures type.googleapis.com/envoy.extensions.http.original_ip_detection.xff.v3.XffConfig
xff:
numTrustedHops: number Supporting config for the custom headers IP detection extension will be of use to me in deployments of EG, so even if precluded from this MR for sake of keeping it single-purpose I would like to consider planning for it and can introduce it in a future change set. |
…pDetection Signed-off-by: David Alger <davidmalger@gmail.com>
Signed-off-by: David Alger <davidmalger@gmail.com>
cabbb38
to
e6de174
Compare
…mgr-settings Signed-off-by: David Alger <davidmalger@gmail.com>
so we have two options here, (please ignore the exact names of the fields)
cc @envoyproxy/gateway-maintainers |
Signed-off-by: David Alger <davidmalger@gmail.com>
discussed this in the community meeting today and folks prefer 2 over 1 (generic
|
|
sg @davidalger, lets go with |
…mgr-settings Signed-off-by: David Alger <davidmalger@gmail.com>
Signed-off-by: David Alger <davidmalger@gmail.com>
Signed-off-by: David Alger <davidmalger@gmail.com>
aed86d9
to
76f64a9
Compare
@arkodg Implemented first pass here with the following structure: clientIPDetection:
xffNumTrustedHops: number # Mutually exclusive with `extensions` configures `xff_num_trusted_hops` HCM built-in
extensions:
# Configures type.googleapis.com/envoy.extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig
customHeader:
headerName: string
rejectWithStatus: number
# Configures type.googleapis.com/envoy.extensions.http.original_ip_detection.xff.v3.XffConfig
xff:
numTrustedHops: number
Once envoyproxy/envoy#31831 is merged, I would see there being an additional field to control the trusted CIDRs: clientIPDetection:
extensions:
xff:
trustedCIDRs:
- "130.211.0.0/22"
- "35.191.0.0/16" Would it be better to keep things a little more flat given this won't support arbitrary extensions? clientIPDetection:
xffNumTrustedHops: 2
customHeaderExtension:
// ...
xffExtension:
// ... |
Signed-off-by: David Alger <davidmalger@gmail.com>
@davidalger curious if you know the difference between the numTrustedHops field in the top level vs extension setting in envoy ? |
At the moment the only difference I believe is the extensions were marked incompatible with It's been asked by maintainers to implement additions to XFF handling in So something that could be considered is supporting Something like this I imagine: clientIPDetection:
xForwardedFor:
# Top-level xff_num_trusted_hops field with no support for same field in XFF extension
numTrustedHops: 2
# Future ability to skip appending to xff header
skipAppend: true
# Future ability to evaluate xff header based on trusted CIDRs rather than number of hops (uses extension)
sourceCIDRs:
- "130.211.0.0/22"
- "35.191.0.0/16"
# Configures type.googleapis.com/envoy.extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig
customHeader:
headerName: x-client-ip-address
rejectWithStatus: 403 Anything other than I'll update this MR to only add the ability to set |
sounds like a good plan ! this keeps any envoyisms out of the API increasing its ability to be moved into the upstream gateway api in the future |
Signed-off-by: David Alger <davidmalger@gmail.com>
…mgr-settings Signed-off-by: David Alger <davidmalger@gmail.com>
Signed-off-by: David Alger <davidmalger@gmail.com>
Signed-off-by: David Alger <davidmalger@gmail.com>
@arkodg updated and should be ready for review |
PR looks good @davidalger, added a minor comment around optional fields |
Signed-off-by: David Alger <davidmalger@gmail.com>
4d7472c
to
518157d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM thanks !
need a user doc for this? |
was part of this PR https://gateway.envoyproxy.io/latest/user/client-traffic-policy/#configure-client-ip-detection |
What type of PR is this?
feat: Support Client IP Detection using XFF on ClientTrafficPolicy
What this PR does / why we need it:
Implements client IP detection support on
ClientTrafficPolicy
usingxff_num_trusted_hops
allowing listeners to be configured to trust XFF headers such asx-forwarded-for
andx-forwarded-proto
Which issue(s) this PR fixes:
Related to #2252