Bind listener to 0.0.0.0 or 127.0.0.1

[huggsboson]

I noticed in the docs:

port: (required, integer) The TCP port that the listener should listen on. Currently only TCP listeners are supported which bind to all local interfaces.

I would like to use envoy to terminate both incoming and outgoing Mutual Auth TLS (with service type specific certs). For this to work in a secure fashion I need egress ports to bind to 127.0.0.1 so that random folks on the network can't hit envoy and use it to impersonate the service using envoy. Is there any sense on how difficult it would be to add this functionality? I wouldn't mind contributing a patchset but I have no idea where to start.

[mattklein123]

Sorry for the delay. This feature is somewhat related to
#492 (comment) in terms of how the configuration should work.

Right now we only expose "port" in the listener configuration. The simplest thing here assuming we want to just stay at top level is to add another parameter called "address." If address is specified it would be specified in Envoy "URL" notation such as "tcp://127.0.0.1:80" I think if one specifies "address" they don't need to specify "port." The URL notation would allow us to support UDP also with the same configuration.

This is not a particularly complicated change, but it will require changing some plumbing in a few different places, unfortunately including the hot restart RPCs.

@huggsboson in the short term, can you just use an iptables/firewall/etc. rule to block external access to the egress port? (This is what we do at Lyft). I can walk you through doing the change if you want, just unsure of priority. (This change is generally useful however).

[huggsboson]

Thanks for the quick response. It's not super urgent as we haven't begun deploying out yet (or fully choosing). I looked through the code and you seemingly have most of the code in place to make this happen, so I may make a run at implementing it and throwing up a pull request.

The iptables path is somewhat difficult for us to solve given that we're using containers/kube and some services may be using the well known ports that we'd be trying to block. So I'd rather just figure out how to get a patchset in for this, given the lack of urgency and difficulty.

One question on configuration: I can either add a new address field (e.g. "address": "tcp://127.0.0.1:80") which would be mutually exclusive with port. Or I can add an optional interface field (e.g. "interface": "127.0.0.1", "port": 80) which would be additive and back compat with port. You have any preference?

[mattklein123]

I prefer adding a mutually exclusive "address" field, since it will handle UDP, UDS, etc. also in the future.

[mattklein123]

@huggsboson are you working on this? If not I think we need to implement this and @wattli is probably going to do it. Don't want to duplicate work if you have a patch in progress.

[huggsboson]

I haven't started. Happy to see it implemented.

[mattklein123]

@wattli some implementation notes:

• Switch listener "port" config to "address": https://github.com/lyft/envoy/blob/master/source/server/configuration_impl.cc#L116 Such that it takes an address of the form: "tcp://0.0.0.0:80", "tcp://127.0.0.1:80", etc. This will allow us to support UDP, UDS, IPv6, etc. later easily. You will need to update schema also. There are address parsing functions already in https://github.com/lyft/envoy/blob/master/source/common/network/utility.h.
• Make https://github.com/lyft/envoy/blob/master/source/common/network/listen_socket_impl.h#L34 take an Address instead of a port. Everything else will basically "just work."
• You are going to need to update the hot restart code to handle asking the old process for an address instead of a port. This is the only somewhat complicated part of this change. Change the request socket RPC here: https://github.com/lyft/envoy/blob/master/source/exe/hot_restart.h#L122 to take a "URL" format address (e.g., "tcp://0.0.0.0:80"). Just make the RPC carry a fixed char array of 256 bytes or something, then plumb it through everywhere. You will need to update hot restart RPC version here: https://github.com/lyft/envoy/blob/master/source/exe/hot_restart.cc#L17

If you need help please ask @kyessenov @lizan @htuch first, they should be able to give you tips.

[lizan]

Thanks @mattklein123! @wattli let me know if you need any help.

[wattli]

Thanks @lizan and @mattklein123