"%UPSTREAM_REMOTE_ADDRESS%" does not seem to work.

[BenderScript]

As far as I can tell "%UPSTREAM_REMOTE_ADDRESS%" is not working as presented in the manual pages.

%UPSTREAM_REMOTE_ADDRESS%
Remote address of the upstream host. If the address is an IP address it includes both address and port.

I tried envoy proxy in the following configuration modes:

• TPROXY
• Forward Proxy
• Reverse Proxy
• Original Destination

but the upstream IP:port is never added to the HTTP request:

The setup for the specific data below is very simple:

client ---> Envoy ----> Server

These are the HTTP headers the server sees. It has two X-Request-Downstream because while trying everything I added the custom headers in more than one hierarchy level.

http: 2019/09/03 08:27:49 Server is ready to handle requests at :5000

HTTP Headers Received:
======================
X-Request-Downstream                    : 172.17.0.2:4999
X-Request-Downstream                    : 172.17.0.2:4999
Accept                                  : */*
X-Forwarded-Proto                       : http
X-Envoy-Expected-Rq-Timeout-Ms          : 15000
Content-Length                          : 0
User-Agent                              : curl/7.54.0
X-Request-Id                            : ea938c03-72d5-4c32-a2c2-5a414f9e7928

Dockerfile for Envoy Proxy 1.11

FROM envoyproxy/envoy:v1.11.1

EXPOSE 4999
EXPOSE 19000
EXPOSE 8443

ENV DEBIAN_FRONTEND noninteractive

RUN apt-get -qq update && \
    apt-get -qq install  \
                apt-utils \
                iputils-ping \
                curl \
                < /dev/null > /dev/null

ADD ./service-envoy.yaml /etc/service-envoy.yaml
ADD ./start_envoy.sh /usr/local/bin/start_envoy.sh
WORKDIR /usr/local/bin
RUN chmod u+x start_envoy.sh
ENTRYPOINT ./start_envoy.sh

Envoy config file

node:
  id: "id_identity"
  cluster: "cluster_identity"
static_resources:
  listeners:
    - name: listener_0
      transparent: true
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 4999
      filter_chains:
        - filters:
            - name: envoy.http_connection_manager
              config:
                idle_timeout: 1s
                codec_type: auto
                access_log:
                  - name: envoy.file_access_log
                    config:
                      path: "/tmp/envoy-access-4999.log"
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  request_headers_to_add:
                    - header:
                        key: "x-request-upstream"
                        value: "%UPSTREAM_REMOTE_ADDRESS%"
                      append: true
                    - header:
                        key: "x-request-downstream"
                        value: "%DOWNSTREAM_LOCAL_ADDRESS%"
                      append: true
                  virtual_hosts:
                    - name: local_service
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: cluster1
                      request_headers_to_add:
                        - header:
                            key: "x-request-upstream"
                            value: "%UPSTREAM_REMOTE_ADDRESS%"
                          append: true
                        - header:
                            key: "x-request-downstream"
                            value: "%DOWNSTREAM_LOCAL_ADDRESS%"
                          append: true
                http_filters:
                  - name: envoy.router
                    typed_config: {}
      listener_filters:
        - name: envoy.listener.original_dst
          typed_config: {}

  clusters:
    - name: cluster1
      connect_timeout: 0.25s
      type: STRICT_DNS
      lb_policy: round_robin
      hosts:
        - socket_address:
            address: "host.docker.internal"
            port_value: 5000
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 19000

Raw Logs

[2019-09-03 15:55:56.091][19][debug][filter] [source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted
[2019-09-03 15:55:56.091][19][debug][main] [source/server/connection_handler_impl.cc:280] [C2] new connection
[2019-09-03 15:55:56.092][19][debug][http] [source/common/http/conn_manager_impl.cc:246] [C2] new stream
[2019-09-03 15:55:56.092][19][debug][http] [source/common/http/conn_manager_impl.cc:619] [C2][S8324268355205076786] request headers complete (end_stream=true):
':authority', '127.0.0.1:4999'
':path', '/'
':method', 'GET'
'user-agent', 'curl/7.54.0'
'accept', '*/*'

[2019-09-03 15:55:56.092][19][debug][http] [source/common/http/conn_manager_impl.cc:1111] [C2][S8324268355205076786] request end stream
[2019-09-03 15:55:56.092][19][debug][router] [source/common/router/router.cc:401] [C2][S8324268355205076786] cluster 'cluster1' match for URL '/'
[2019-09-03 15:55:56.092][19][debug][router] [source/common/router/router.cc:514] [C2][S8324268355205076786] router decoding headers:
':authority', '127.0.0.1:4999'
':path', '/'
':method', 'GET'
':scheme', 'http'
'user-agent', 'curl/7.54.0'
'accept', '*/*'
'x-forwarded-proto', 'http'
'x-request-id', 'fea25370-3ef1-4139-9ffc-917b8a105f51'
'x-envoy-expected-rq-timeout-ms', '15000'
'x-request-downstream', '172.17.0.2:4999'
'x-request-downstream', '172.17.0.2:4999'

[2019-09-03 15:55:56.092][19][debug][pool] [source/common/http/http1/conn_pool.cc:88] creating a new connection
[2019-09-03 15:55:56.092][19][debug][client] [source/common/http/codec_client.cc:26] [C3] connecting
[2019-09-03 15:55:56.092][19][debug][connection] [source/common/network/connection_impl.cc:704] [C3] connecting to 192.168.65.2:5000
[2019-09-03 15:55:56.092][19][debug][connection] [source/common/network/connection_impl.cc:713] [C3] connection in progress
[2019-09-03 15:55:56.092][19][debug][pool] [source/common/http/conn_pool_base.cc:20] queueing request due to no available connections
[2019-09-03 15:55:56.093][19][debug][connection] [source/common/network/connection_impl.cc:552] [C3] connected
[2019-09-03 15:55:56.093][19][debug][client] [source/common/http/codec_client.cc:64] [C3] connected
[2019-09-03 15:55:56.093][19][debug][pool] [source/common/http/http1/conn_pool.cc:241] [C3] attaching to next request
[2019-09-03 15:55:56.093][19][debug][router] [source/common/router/router.cc:1503] [C2][S8324268355205076786] pool ready
[2019-09-03 15:55:56.094][19][debug][router] [source/common/router/router.cc:994] [C2][S8324268355205076786] upstream headers complete: end_stream=false
[2019-09-03 15:55:56.094][19][debug][http] [source/common/http/conn_manager_impl.cc:1378] [C2][S8324268355205076786] encoding headers via codec (end_stream=false):
':status', '200'
'content-type', 'text/plain; charset=utf-8'
'x-content-type-options', 'nosniff'
'x-request-id', 'fea25370-3ef1-4139-9ffc-917b8a105f51'
'date', 'Tue, 03 Sep 2019 15:55:55 GMT'
'content-length', '14'
'x-envoy-upstream-service-time', '1'
'server', 'envoy'

[2019-09-03 15:55:56.094][19][debug][client] [source/common/http/codec_client.cc:95] [C3] response complete
[2019-09-03 15:55:56.094][19][debug][pool] [source/common/http/http1/conn_pool.cc:198] [C3] response complete
[2019-09-03 15:55:56.094][19][debug][pool] [source/common/http/http1/conn_pool.cc:236] [C3] moving to ready
[2019-09-03 15:55:56.096][19][debug][connection] [source/common/network/connection_impl.cc:520] [C2] remote close
[2019-09-03 15:55:56.096][19][debug][connection] [source/common/network/connection_impl.cc:190] [C2] closing socket: 0
[2019-09-03 15:55:56.096][19][debug][main] [source/server/connection_handler_impl.cc:80] [C2] adding to cleanup list
[2019-09-03 15:55:58.517][9][debug][main] [source/server/server.cc:170] flushing stats

[zuercher]

I believe what's happening is that request_headers_to_add are processed before the upstream host is actually chosen, so %UPSTREAM_REMOTE_ADDRESS% is empty and the header is elided. I checked that it works correctly in response headers (which are processed after the upstream responds). I will update the docs to note this (and there are probably expressions that don't produce output for requests).

I think in the original destination case, the %DOWNSTREAM_LOCAL_ADDRESS% may be what you want?

[BenderScript]

thanks, is there any other way to add the original http client source IP:port to a header? I would like to pass that information to an external authz server. Adding as a response is too late.

What so you mean by "upstream host is actually chosen"? This is just an HTTP client (browser/app) that connects to Envoy directly (no IPtables redirect, no TPROXY). It is unexpected that the source IP:port is not available.

[zuercher]

Your HTTP client is the downstream host. The upstream host is a member of a cluster to which Envoy forwards the request. The various request_headers_to_add configurations are all applied before an upstream host is selected, so the %UPSTREAM_REMOTE_ADDRESS% expression has no value.

Similarly, the ext_authz filter runs before the router filter and so any request_headers_to_add configurations will not have been applied when that filter generates its authorization request.

All that said, it looks like ext_authz sends an AttributeContext.Peer for the source and destination (this is the client's and Envoy server's connection information).

[BenderScript]

thanks, apologize to press this but I want to get this straight for our deployment.

Under %DOWNSTREAM_LOCAL_ADDRESS% is says

"If the original connection was redirected by iptables REDIRECT, this represents the original destination address restored by the..."

So, what you are saying is that both upstream_remote_address and downstream_local_adress will give me destination IPs and ports, only the point of view is different. The latter will be the destination IP:port in the original IP packet. The former will be the destination IP:port of the member of the cluster. Does it look right?

So, there is no custom header to add the source IP:port of the IP packet. Correct?

[BenderScript]

BTW, I changed our code and can verify (as you pointed out) that the source IP:port are in the GRPC message sent to the ext-authz server

func (a *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) {

	httpRequest := req.Attributes.Request.Http
	socketAddress := req.Attributes.Source.Address.GetSocketAddress()
	fmt.Printf("Source IP:port %s:%d\n", socketAddress.GetAddress(), socketAddress.GetPortValue())

	marshaler := jsonpb.Marshaler{}
	jsonString, _ := marshaler.MarshalToString(httpRequest)

...<snip>...

[zuercher]

I think you've got it all correct. Not having %DOWNSTREAM_REMOTE_ADDRESS% seems like an oversight. It wouldn't be difficult to add.

[BenderScript]

thanks, this was extremely useful. My C++ days are way behind me or I would certainly pitch in to get %DOWNSTREAM_REMOTE_ADDRESS%. Nowadays everything I do seems to be in Golang.