
mesh: support configuring XFF trusted cidrs #3344

Open: wants to merge 1 commit from xff_trusted_cidrs into base: master

Conversation

rudrakhp
Member

Ref istio/istio#53185
Related feature in envoy here.

@rudrakhp rudrakhp requested a review from a team as a code owner October 29, 2024 14:01
@istio-policy-bot

😊 Welcome @rudrakhp! This is either your first contribution to the Istio api repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Oct 29, 2024
@rudrakhp rudrakhp force-pushed the xff_trusted_cidrs branch 2 times, most recently from 6e02798 to 902e15f Compare November 2, 2024 04:59
mesh/v1alpha1/proxy.proto (4 outdated review threads, resolved)
Signed-off-by: Rudrakh Panigrahi <[email protected]>
@rudrakhp
Member Author

rudrakhp commented Dec 1, 2024

@istio/technical-oversight-committee bumping this up. Thanks!

// If all addresses in X-Forwarded-For (XFF) header are within the trusted list, the first (leftmost) entry is used.
// See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
// header handling for more details. Only one of `numTrustedProxies` and `trustedCidrs` may be set.
repeated string trusted_cidrs = 4;
Member

The envoy docs say we cannot use it with UseRemoteAddress. UseRemoteAddress is currently always set to 'true' for gateways.

What will be the behavior if a user sets this? Will we set useRemoteAddress=false? What side effects does this have beyond deciding how to parse the XFF header?

Member Author

@howardjohn Yes we will have to always set UseRemoteAddress to false if we decide to use the XFF original IP detection extension (which is recommended over the alternative we use today, might soon be on deprecation path).

What side effects does this have beyond deciding how to parse the XFF header?

From the docs it does look like the only thing that changes is how the original IP is determined, HCM does it natively today, we will be moving to original IP detection extension.

Meanwhile waiting on a probable fix for difference in behaviour of HCM and the XFF origin detection extension: envoyproxy/envoy#37780
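To make the semantics under review concrete, here is an added example (not code from the Istio or Envoy projects) of the selection rule the proto comment describes: walk X-Forwarded-For from the right, skip every entry that falls inside a trusted CIDR, and take the first entry that does not; if every entry is trusted, fall back to the leftmost one. It also enforces the "only one of numTrustedProxies and trustedCidrs may be set" constraint. The `XFFConfig` type, its field names and the fail-closed handling of unparseable entries are assumptions made for this example and do not mirror the proto or Envoy's extension:

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// XFFConfig is a hypothetical stand-in for the two mutually exclusive knobs
// discussed in this PR; the field names are this example's, not the proto's.
type XFFConfig struct {
	NumTrustedProxies uint32
	TrustedCIDRs      []string
}

// Validate enforces "only one of numTrustedProxies and trustedCidrs may be set"
// and checks that every CIDR parses before it is ever used for trust decisions.
func Validate(c XFFConfig) ([]netip.Prefix, error) {
	if c.NumTrustedProxies > 0 && len(c.TrustedCIDRs) > 0 {
		return nil, errors.New("only one of numTrustedProxies and trustedCidrs may be set")
	}
	prefixes := make([]netip.Prefix, 0, len(c.TrustedCIDRs))
	for _, s := range c.TrustedCIDRs {
		p, err := netip.ParsePrefix(strings.TrimSpace(s))
		if err != nil {
			return nil, fmt.Errorf("trustedCidrs entry %q: %w", s, err)
		}
		prefixes = append(prefixes, p.Masked())
	}
	return prefixes, nil
}

// trusted reports whether addr lies inside any of the trusted prefixes.
func trusted(addr netip.Addr, prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ClientIP selects the original client address from an X-Forwarded-For value.
// Entries are examined right to left (the hop closest to this proxy first);
// the first entry outside every trusted CIDR is the client. If all entries are
// trusted, the leftmost entry is used, as the proto comment states.
// Assumption for this example: an unparseable entry encountered before an
// untrusted one is treated as a failure (ok=false) rather than skipped, so a
// crafted header cannot push the decision past a bad token.
func ClientIP(xff string, prefixes []netip.Prefix) (netip.Addr, bool) {
	parts := strings.Split(xff, ",")
	var leftmost netip.Addr
	for i := len(parts) - 1; i >= 0; i-- {
		s := strings.TrimSpace(parts[i])
		if s == "" {
			continue
		}
		a, err := netip.ParseAddr(s)
		if err != nil {
			return netip.Addr{}, false
		}
		a = a.Unmap() // treat ::ffff:a.b.c.d as a.b.c.d for CIDR matching
		if !trusted(a, prefixes) {
			return a, true
		}
		leftmost = a // remember in case every entry turns out to be trusted
	}
	if !leftmost.IsValid() {
		return netip.Addr{}, false // empty header
	}
	return leftmost, true
}

func main() {
	// Constructed sample: two trusted proxy ranges and a header seen at the gateway.
	prefixes, err := Validate(XFFConfig{TrustedCIDRs: []string{"10.0.0.0/8", "192.168.1.0/24"}})
	if err != nil {
		panic(err)
	}
	ip, ok := ClientIP("203.0.113.7, 10.1.2.3, 192.168.1.10", prefixes)
	fmt.Println(ip, ok)
}
```

Note that the walk is from the right: an attacker controls the leftmost entries of the header, but only the hops that your own trusted proxies appended are skipped, so the result is the first address a trusted hop saw. That is the property the CIDR list buys over a plain hop count, since a hop count trusts whatever happens to sit N positions from the right.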

@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Dec 4, 2024
@istio-testing
Collaborator

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Labels
needs-rebase Indicates a PR needs to be rebased before being merged size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

6 participants