Comments (11)
kyessenov
commented on May 25, 2024
1
Are you saying that sidecar Envoy strips XFF? It seems that sidecar operates in the transparent mode, meaning the header is preserved https://lyft.github.io/envoy/docs/configuration/http_conn_man/headers.html#id9
from old_issues_repo.
rshriram
commented on May 25, 2024
1
Yes definitely! It's a very small addition. Can you edit the issue title
accordingly so that we can track this ?
On Thu, Jun 1, 2017 at 1:59 AM Christopher Lillthors < ***@***.***> wrote:
Tested without any difference. The istio proxy seems to be working in
"isolated mode" and will not trust any of the external XFF headers. Will
you be able to flip the "use_remote_address" flag in an upcoming release?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#22 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AH0qdy31LYzyIAZsfjTFx1omEiyVXT_2ks5r_lM3gaJpZM4NsTAL>
.
--
~shriram
from old_issues_repo.
rshriram
commented on May 25, 2024
It does strip XFF though, IIRC. But it's for a good reason. It makes little
sense to forward XFF headers, does it?
On Wed, May 31, 2017 at 7:07 PM Kuat ***@***.***> wrote:
Are you saying that sidecar Envoy strips XFF? It seems that sidecar
operates in the transparent mode, meaning the header is preserved
https://lyft.github.io/envoy/docs/configuration/http_conn_man/headers.html#id9
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#22 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AH0qdwSGhSFatFBtTknDQ1bOy1HLFDUfks5r_fKvgaJpZM4NsTAL>
.
--
~shriram
from old_issues_repo.
christopherL91
commented on May 25, 2024
The problem occurs on gke since google is setting the client ip in a X-Forwarded-For header which then needs to be passed down. For now I have an nginx container before istio that does ssl-termination and passes the XFF headers to istio, but the istio proxy is filtering them out before the request ends up in the server. I wasn't able to get istio go pick up the XFF headers on it's own. Maybe there's a config that needs to tweaked?
from old_issues_repo.
christopherL91
commented on May 25, 2024
btw, is it an acceptable solution to set a container before istio, or are you meant to terminate inside istio? I'm running istio-auth
from old_issues_repo.
rshriram
commented on May 25, 2024
If you want ssl termination, istio ingress supports it. You get full mutual
tls auth from ingress to all backend services. We don't have support for
mutual tls auth right now, from ingress to clients.
That aside, do you want the XFF header to be sent to your application
itself ?
On Wed, May 31, 2017 at 7:16 PM Christopher Lillthors < ***@***.***> wrote:
The problem occurs on gke since google is setting the client ip in a
X-Forwarded-For header which then needs to be passed down. For now I have
an nginx container before istio that does ssl-termination and passes the
XFF headers to istio, but the istio proxy is filtering them out before the
request ends up in the server. I wasn't able to get istio go pick up the
XFF headers on it's own. Maybe there's a config that needs to tweaked?
--
~shriram
from old_issues_repo.
christopherL91
commented on May 25, 2024
Yes I would like to have the XFF headers inside the application. How do you fix that?
from old_issues_repo.
rshriram
commented on May 25, 2024
I think this would require enabling the "use_remote_address" option in
Envoy to allow envoy to append to XFF instead of stripping it.
Just to eliminate some possibilities, would you mind trying with Istio
ingress controller for SSL termination instead of nginx?
--
~shriram
from old_issues_repo.
christopherL91
commented on May 25, 2024
Tested without any difference. The istio proxy seems to be working in "isolated mode" and will not trust any of the external XFF headers. Will you be able to flip the "use_remote_address" flag in an upcoming release?
from old_issues_repo.
ldemailly
commented on May 25, 2024
@christopherL91 does 0.1.6 work for you now ?
from old_issues_repo.
ldemailly
commented on May 25, 2024
closing assuming this is solved, please reopen if not
from old_issues_repo.
Related Issues (20)
- [BUG] Bookinfo tracing broken HOT 2
- BUG: Mirroring not working in Istio 0.8.0? HOT 2
- Istio 0.8.0 exposes Jaeger tracing page to the external world
- When multiple gateways are defined, only the first one is being used. HOT 5
- kubernetesenv adapter clusterDomain check HOT 1
- Istio sidecar-injector not ready after deploying istio release-0.8
- External services connectivity problem HOT 5
- How get client external ip to extrapolate geolocation HOT 2
- Deploying with rbac disabled causes pilot to never deploy HOT 1
- .0.8 latest can't pull the docker image HOT 21
- make tracing endpoint configuration straightforward HOT 2
- Traffic Management: ALL https requests work (even without a ServiceEntry) HOT 7
- High latency at scale HOT 1
- istio-pilot pod restart 60 times in nine days HOT 1
- Service Entry Not Working HOT 9
- Requests hang in fresh helm install on k8s v1.10.2-gke.3 HOT 5
- EgressRule not working for AMQP (RabbitMQ) HOT 4
- Unable to access the grafana dashboard. HOT 2
- Error: customresourcedefinitions.apiextensions.k8s.io "gateways.networking.istio.io" already exists HOT 1
- istio circuit breaker doesn't work HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from old_issues_repo.