feat: add support to enable IP Transparency for TCP via Original Source listener filter #3359

Open
aoledk opened this issue May 9, 2024 · 4 comments

aoledk commented May 9, 2024

Description:

With the current EG, Proxy Protocol is the only way to enable IP Transparency for TCP (not HTTP), and it requires that the upstream host support Proxy Protocol too.

I propose supporting another option that Envoy has already implemented to enable IP Transparency for TCP: the Original Source listener filter. It doesn't require the upstream host to support Proxy Protocol, but it does require appropriate network routing rules.

Relevant Links:

https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/original_src_filter
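
For reference, a minimal Envoy static configuration for the option proposed above, as an added example that is not part of the issue or of Envoy Gateway's code. The listener and cluster names, addresses, ports and the mark value 123 are constructed for illustration.

```yaml
# Added example: TCP listener using the Original Source listener filter.
# tcp_listener / tcp_backend, the addresses, ports and mark 123 are constructed.
static_resources:
  listeners:
  - name: tcp_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 9000 }
    listener_filters:
    # Reuses the downstream remote address as the source address of the
    # upstream connection, so the backend needs no Proxy Protocol support.
    - name: envoy.filters.listener.original_src
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_src.v3.OriginalSrc
        # Mark applied to upstream packets from this listener; the host
        # routing rules below match on it. A mark of 0 disables marking.
        mark: 123
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_backend
          cluster: tcp_backend
  clusters:
  - name: tcp_backend
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: tcp_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8000 }

# Host-side routing for the case where Envoy and the backend share a host.
# Replies from the backend are addressed to the client IP and bypass Envoy
# unless connections carrying the mark are routed back to the local host:
#   iptables -t mangle -I PREROUTING -m mark --mark 123 -j CONNMARK --save-mark
#   iptables -t mangle -I OUTPUT -m connmark --mark 123 -j CONNMARK --restore-mark
#   ip rule add fwmark 123 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
```

When the backend runs on a different host, the equivalent routing has to be arranged in the network so that return traffic for the replicated client addresses passes back through the Envoy host.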

aoledk added the triage label May 9, 2024
@zufardhiyaulhaq

+1, this is enabled in Istio gateway, so we have 2 options to do IP whitelisting

  1. XFF
  2. source IP

@arkodg can we consider this?

arkodg commented May 20, 2024

Sure, this makes sense. We enable this by default if the listener protocol is TCP?

aoledk commented May 22, 2024

> sure this makes sense, we enable this by default if listener protocol is TCP?

That should be an opt-in feature for TCP listeners, because Envoy requires the user to set up appropriate route rules to make the Original Source listener filter work correctly [1].

Footnotes

  1. https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/original_src_filter#extra-setup

@zufardhiyaulhaq

@arkodg nvm, seems like RBAC remote_ip on Envoy doesn't require this plugin.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-principal
