preserving the client IP address

[tmsnan]

Description:

Currently, the gateway supports two methods for obtaining the client IP address (proxy protocol in the four-layer and x-forwarded-for in the seven-layer). But, I think some additional details need to be added.

1. proxy protocol
   The Proxy protocol to enable Layer 4 listeners to retrieve client IP addresses. But currently gateway only supports http listener, we need to expand to support non-http/https scenarios.
   feat: proxy protocol in ClientTrafficPolicy #2203

2. x-forwarded-for
   x-forwarded-for is a layer-7 protocol method for saving client IP addresses. The current gateway also utilizes it for current limiting based on the source IP. But, source IP-based rate limiting in the gateway only supports direct connections to the gateway. To accommodate scenarios involving indirect connections to the gateway and obtain the correct client IP address, it may be necessary to introduce the xff_num_trusted_hops field. In multi-hop scenarios, it is important to note that the XFF header may be susceptible to forgery.
   

[optional Relevant Links:]

#946
https://github.com/envoyproxy/gateway/blob/0add22b8c58111606243e688611c63b96784cb75/api/v1alpha1/clienttrafficpolicy_types.go#L55C1-L58C15
#1328

[robd003]

Is there a way to restrict X-Forwarded-For to only allow it from trusted CIDR blocks?

[tmsnan]

@robd003, do you want to restrict based on remote IP? rbac is being implemented.#2250.

You can use the remote_ip field. https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#config-rbac-v3-principal

[robd003]

@tmsnan I'm not trying to block end-user IPs from accessing the proxy.

This is more about trusting only certain CIDR blocks to give valid X-Forwarded-For headers. It's very easy for someone to spoof this data, but if you limit to trusting the X-Forwarded-For to only certain CIDR blocks then you can be certain that end user IPs are correct and not forged.

[robd003]

Basically I'd like to limit X-Forwarded-For headers so that they're only accepted from CloudFlare.

https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

[zirain]

sounds like a WAF?

[robd003]

@zirain It's more than that. CloudFlare is a CDN that will cache, has POPs close to your users (so much less latency) and will filter DDoS traffic.

[tmsnan]

This is more about trusting only certain CIDR blocks to give valid X-Forwarded-For headers. It's very easy for someone to spoof this data, but if you limit to trusting the X-Forwarded-For to only certain CIDR blocks then you can be certain that end user IPs are correct and not forged.

😄Get it. It seems you want to add the trusted CIDR IP to X-Forwarded-For. Currently, envoy does not support this. You can raise this issue in envoy.

[robd003]

envoyproxy/envoy#31296

[robd003]

This is more about trusting only certain CIDR blocks to give valid X-Forwarded-For headers. It's very easy for someone to spoof this data, but if you limit to trusting the X-Forwarded-For to only certain CIDR blocks then you can be certain that end user IPs are correct and not forged.

😄Get it. It seems you want to add the trusted CIDR IP to X-Forwarded-For. Currently, envoy does not support this. You can raise this issue in envoy.

Specifically I ONLY want to pass along X-Forwarded-For headers if the remote client IP matches one of the CIDR blocks in an ACL. Of there is no match, then strip the X-Forwarded-For header from the request and just pass the source IP for the connection in as X-Forwarded-For

[zirain]

IMO, you can implement that with a custom filter(e.g. WASM ), and then path the listener with EnvoyPatch.

[robd003]

@zirain Can you point me in the direction of some good example code for this? I'm relatively new to the Envoy universe.

[zirain]

here is something for you:

https://github.com/proxy-wasm/proxy-wasm-cpp-host

https://github.com/istio-ecosystem/wasm-extensions

[lambdai]

@zirain X-forwarded-for processor is part of HCM. It mutate the remote address (for a HTTP stream) before any HTTP filter.
I don't think wasm filter or any http filter could rollback what XFF has done.