-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
envoy: Never use x-forwarded-for header, add for Cilium Ingress #25674
Merged
jrajahalme
merged 2 commits into
cilium:main
from
jrajahalme:envoy-do-not-trust-x-forwarded-for
May 26, 2023
Merged
envoy: Never use x-forwarded-for header, add for Cilium Ingress #25674
jrajahalme
merged 2 commits into
cilium:main
from
jrajahalme:envoy-do-not-trust-x-forwarded-for
May 26, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jrajahalme
added
kind/bug
This is a bug in the Cilium logic.
release-note/bug
This PR fixes an issue in a previous release of Cilium.
release-blocker/1.11
This issue will prevent the release of the next version of Cilium.
needs-backport/1.11
release-blocker/1.12
This issue will prevent the release of the next version of Cilium.
affects/v1.11
This issue affects v1.11 branch
affects/v1.12
This issue affects v1.12 branch
affects/v1.10
This issue affects v1.10 branch
release-blocker/1.13
This issue will prevent the release of the next version of Cilium.
needs-backport/1.13
This PR / issue needs backporting to the v1.13 branch
affects/v1.13
This issue affects v1.13 branch
release-blocker/1.14
This issue will prevent the release of the next version of Cilium.
labels
May 25, 2023
jrajahalme
force-pushed
the
envoy-do-not-trust-x-forwarded-for
branch
from
May 25, 2023 13:50
17e1d5c
to
541509c
Compare
jrajahalme
changed the title
envoy: Never trust x-forwarded-for
envoy: Never use x-forwarded-for header
May 25, 2023
jrajahalme
force-pushed
the
envoy-do-not-trust-x-forwarded-for
branch
from
May 25, 2023 14:03
541509c
to
8e05023
Compare
/test |
jrajahalme
changed the title
envoy: Never use x-forwarded-for header
envoy: Never use x-forwarded-for header, add for Cilium Ingress
May 25, 2023
Envoy by default gets the source address from the `x-forwarded-for` header, if present. Always add an explicit `use_remote_address: true` for Envoy HTTP Connection Manager configuration to disable the default behavior. Also set the `skip_xff_append: true` option to retain the old behavior of not adding `x-forwarded-for` headers on cilium envoy proxy. Setting these options is not really needed for admin and metrics listeners, or most of the tests, but we add them there too in case anyone uses them as a source of inspiration for a real proxy configuration. This fixes incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Fixes: cilium#25630 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Do not skip adding `x-forwarded-for` in Cilium Ingress. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Closed
2 tasks
sayboras
approved these changes
May 26, 2023
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM ✅
sayboras
added
the
backport-pending/1.13
The backport for Cilium 1.13.x for this PR is in progress.
label
May 28, 2023
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.12
in 1.12.10
May 28, 2023
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.11
in 1.11.18
May 28, 2023
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport pending to v1.11
in 1.11.18
May 28, 2023
sayboras
added
backport-done/1.11
The backport for Cilium 1.11.x for this PR is done.
and removed
backport-pending/1.11
labels
Jun 1, 2023
maintainer-s-little-helper
bot
moved this from Backport pending to v1.11
to Backport done to v1.11
in 1.11.18
Jun 1, 2023
sayboras
added
backport-done/1.13
The backport for Cilium 1.13.x for this PR is done.
and removed
backport-pending/1.13
The backport for Cilium 1.13.x for this PR is in progress.
needs-backport/1.13
This PR / issue needs backporting to the v1.13 branch
labels
Jun 2, 2023
maintainer-s-little-helper
bot
moved this from Needs backport from main
to Backport done to v1.13
in 1.13.3
Jun 2, 2023
This was referenced Jun 9, 2023
julianwiedmann
added
backport-done/1.12
The backport for Cilium 1.12.x for this PR is done.
and removed
backport-pending/1.12
labels
Jul 31, 2023
maintainer-s-little-helper
bot
moved this from Backport pending to v1.12
to Backport done to v1.12
in 1.12.10
Jul 31, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
affects/v1.10
This issue affects v1.10 branch
affects/v1.11
This issue affects v1.11 branch
affects/v1.12
This issue affects v1.12 branch
affects/v1.13
This issue affects v1.13 branch
backport-done/1.11
The backport for Cilium 1.11.x for this PR is done.
backport-done/1.12
The backport for Cilium 1.12.x for this PR is done.
backport-done/1.13
The backport for Cilium 1.13.x for this PR is done.
kind/bug
This is a bug in the Cilium logic.
release-note/bug
This PR fixes an issue in a previous release of Cilium.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Envoy by default gets the source address from the x-forwarded-for header, if present. Always add an explicit
use_remote_address: true
for Envoy HTTP Connection Manager configuration to disable the default behavior.Also add
skip_xff_append: true
config to keep the existing behavior of not addingx-forwarded-for
headers, except for Cilium Ingress, where we now useskip_xff_append: false
to explicitly append the source IP tox-forwarded-for
header so that Hubble flow records have a trace for the original source of the traffic traversing Cilium Ingress.Fixes: #25630