From 8ddb095c48d80464e8b1d1028c4b10cc49c04541 Mon Sep 17 00:00:00 2001
From: Brian Pane
Date: Sun, 4 Feb 2018 23:03:39 +0000
Subject: [PATCH 1/2] enable configuration of the number of trusted addresses in x-forwarded-for

Signed-off-by: Brian Pane
---
 envoy/api/v2/route/route.proto | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/envoy/api/v2/route/route.proto b/envoy/api/v2/route/route.proto
index feb07bf55..46ad640be 100644
--- a/envoy/api/v2/route/route.proto
+++ b/envoy/api/v2/route/route.proto
@@ -97,6 +97,12 @@ message VirtualHost {
 // [#not-implemented-hide:]
 // Return a 401/403 when auth checks fail.
 auth.AuthAction auth = 9;
+
+ // [#not-implemented-hide:]
+ // Specifies the number of proxies between the origin client and this Envoy instance that
+ // are known to append an accurate source IP address to the X-Forwarded-For HTTP request
+ // header. The default is 1.
+ uint32 num_trusted_ingress_proxies = 12;
 }
 
 // A route is both a specification of how to match a request as well as an indication of what to do

From 8a55acf718c575b640b455a1d0ceac1ef5e50d95 Mon Sep 17 00:00:00 2001
From: Brian Pane
Date: Tue, 6 Feb 2018 01:48:14 +0000
Subject: [PATCH 2/2] Move to http_connection_manager, update naming to specify xff, and add doc link

Signed-off-by: Brian Pane
---
 envoy/api/v2/route/route.proto | 6 ------
 .../v2/http_connection_manager.proto | 9 +++++++++
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/envoy/api/v2/route/route.proto b/envoy/api/v2/route/route.proto
index 46ad640be..feb07bf55 100644
--- a/envoy/api/v2/route/route.proto
+++ b/envoy/api/v2/route/route.proto
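Review bot: Everything this hunk adds to `VirtualHost` is removed again by PATCH 2/2 later in this series (route.proto goes feb07bf55 → 46ad640be → feb07bf55), so the series nets no change to this file and the two patches would read more clearly squashed, leaving only the final `HttpConnectionManager` placement. Note also that the comment here documents `The default is 1.` while the replacement field in PATCH 2/2 documents a default of zero; the second commit message should call out that semantic change rather than only the move and rename.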
@@ -97,12 +97,6 @@ message VirtualHost {
 // [#not-implemented-hide:]
 // Return a 401/403 when auth checks fail.
 auth.AuthAction auth = 9;
-
- // [#not-implemented-hide:]
- // Specifies the number of proxies between the origin client and this Envoy instance that
- // are known to append an accurate source IP address to the X-Forwarded-For HTTP request
- // header. The default is 1.
- uint32 num_trusted_ingress_proxies = 12;
 }
 
 // A route is both a specification of how to match a request as well as an indication of what to do
diff --git a/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
index 286c33cdc..559bc2fe0 100644
--- a/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
+++ b/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@@ -160,6 +160,15 @@ message HttpConnectionManager {
 // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information.
 google.protobuf.BoolValue use_remote_address = 14;
 
+ // [#not-implemented-hide:]
+ // The number of additional ingress proxy hops from the right side of the
+ // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
+ // determining the origin client's IP address. The default is zero if this option
+ // is not specified. See the documentation for
+ // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.
+ uint32 xff_num_trusted_hops = 19;
+
+ // of the client connection as the origin client address if *use_remote_address* is true
 // Whether the connection manager will generate the :ref:`x-request-id
 // ` header if it does not exist. This defaults to
 // true. Generating a random UUID4 is expensive so in high throughput scenarios where this feature
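Review bot: The added line `// of the client connection as the origin client address if *use_remote_address* is true`, sitting after the blank line that follows `uint32 xff_num_trusted_hops = 19;`, is an orphaned sentence fragment with no field of its own; protoc attaches it as the leading comment of the next field (the x-request-id one), so it will leak into generated docs and should be deleted. The new field's comment also leaves the trust model implicit: it does not say how this hop count composes with `use_remote_address` two lines above (which presumably decides whether the peer address or the header is the starting point), and a deployment that counts more hops than the proxies it actually controls accepts a downstream-supplied X-Forwarded-For entry as the client address. A sentence such as `// Set this only to the number of proxies under your control that always append to X-Forwarded-For; counting hops beyond that lets the apparent client address be controlled by the sender.` would make the consequence of over-counting explicit to operators. Using a bare `uint32` with implicit presence is consistent with the documented zero default, unlike the `BoolValue` wrapper on `use_remote_address`, and a short note to that effect would stop a later contributor from wrapping it for symmetry.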