Improve the logic for XFF and internal/external client detection #2590
Comments
mattklein123
added
enhancement
|
I just stumbled upon this problem while trying to figure out why my local Envoy in a Docker container allowed my For reference, the configuration I use (inspired by https://www.envoyproxy.io/docs/envoy/v1.12.0/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for): static_resources:
listeners:
- address:
socket_address:
address: 0.0.0.0
port_value: 80
filter_chains:
- filters:
- name: envoy.http_connection_manager
config:
stat_prefix: ingress_http
codec_type: AUTO
use_remote_address: true
xff_num_trusted_hops: 0
route_config:
name: local_route
virtual_hosts:
{
name: local_service,
domains: ["*"],
routes: [
{
match: { prefix: "/" },
route: { cluster: backend },
}
]
}
http_filters:
- name: envoy.routerDoing a curl request like this: $ curl -sv -H "x-envoy-external-address: 1.2.3.4" http://localhost/foo..and the traffic dump shows that the backend request actually got the spoofed We would like to put Envoy in front of all incoming HTTP traffic to our backend services. The problem is that our edge might see untrusted traffic from both internal and external IP addresses. Having read through some discussions in e.g. #2559 and #4383, it sounds like just another configuration option is not the way forward here? Not asking for a solution, just want to start a discussion about the right way to solve this problem. |
|
I just realized that another way of solving our use-case would be if Envoy supported removing any |
|
@slovdahl having stirred some waters around this, found that in the connection manager
Interesting. Sounds like you desire that internal traffic to be treated external, But with the default |
|
Thanks for the insights, @robinp-tw 👍
Unfortunately not. In this case, all incoming requests are actual end-user browsers, some behind NAT and a public IP, and some on IP addresses considered internal by Envoy. One thing that just occurred to me (I haven't checked yet), but could a Lua script help here in some way? 🤔 |
Description: Remove the support for h2 raw domains. Fixes envoyproxy/envoy-mobile#2530. Risk Level: Low, remove features. Setting an HTTP header using `addUpstreamHttpProtocol` should allow users to continue to enforce the use of HTTP/2 as needed. Testing: Integration tests in example apps. Docs Changes: N/A Release Notes: Yes Signed-off-by: Rafal Augustyniak <raugustyniak@lyft.com> Signed-off-by: JP Simard <jp@jpsim.com>
Description: Remove the support for h2 raw domains. Fixes envoyproxy/envoy-mobile#2530. Risk Level: Low, remove features. Setting an HTTP header using `addUpstreamHttpProtocol` should allow users to continue to enforce the use of HTTP/2 as needed. Testing: Integration tests in example apps. Docs Changes: N/A Release Notes: Yes Signed-off-by: Rafal Augustyniak <raugustyniak@lyft.com> Signed-off-by: JP Simard <jp@jpsim.com>
Description:
Per the discussion in PR 2559, Envoy's logic for determining whether any given request is internal or external, and what the trusted address of the origin client is, has become very complicated. And even with this complexity, the mechanism isn't sufficiently general to cover the needs of all users.
One potential improvement would be to create a plug-in interface so Envoy users can plug in their own logic. Another would be to simplify the configuration semantics for the current functionality.
The text was updated successfully, but these errors were encountered: