
Why accept x-forwarded-* headers when Envoy is configured as an edge proxy?

Open Kiblyn11 opened this issue 1 year ago • 5 comments

Title: Why accept x-forwarded-* headers when Envoy is configured as an edge proxy?

Description: Reading the X-Forwarded-For doc here, I found that when Envoy is configured as an edge proxy, it accepts and appends to the X-Forwarded-For header. But why? As it's on the edge, it shouldn't have any reason to keep what comes from the public client, and internal components (example here with OAuth2Proxy) relying on this header are misled into trusting the X-Forwarded-For entries before Envoy appends its own IP address.

It seems Envoy should ignore incoming X-Forwarded-* headers, which are reserved for proxies, when use_remote_address = True, as it's supposed to be on the edge with no proxies in front.

Kiblyn11 avatar Apr 19 '24 12:04 Kiblyn11

cc @alyssawilk @yanavlasov

adisuissa avatar Apr 19 '24 13:04 adisuissa

Because there may be proxies in front of Envoy and they communicate the end user IP via x-forwarded-for. Envoy treats x-forwarded-for as an untrusted header: a correctly configured edge proxy won't, for example, treat a request which claims to be from a trusted IP in an untrusted x-forwarded-for header as a trusted request. OAuth code should do the same.

alyssawilk avatar Apr 23 '24 14:04 alyssawilk
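To make the "untrusted header" point concrete, here is an added example (not Envoy or OAuth2Proxy code, and not part of the original thread) that resolves the client IP the way a correctly configured edge proxy does: the TCP peer is the only fact the proxy knows for itself, and X-Forwarded-For entries are trusted only from the right, one per proxy hop you actually control. It is modeled on the semantics of Envoy's use_remote_address and xff_num_trusted_hops settings as documented (with zero trusted hops the header is ignored and the peer address is the client; with N hops the N-th entry from the right is the client; falling back to the peer when the header is too short is how I read the docs and is an assumption here). The addresses and header values are constructed, as is the naive leftmost-entry parser that stands in for the internal-app behaviour the issue complains about.

```python
"""Trusted-hop resolution of X-Forwarded-For (constructed example).

Not Envoy's or OAuth2Proxy's code. Models the documented behaviour of Envoy's
use_remote_address / xff_num_trusted_hops: trusted hops are counted from the
RIGHT of the header, because only the rightmost entries were written by proxies
you control; the leftmost entries are whatever the public client chose to send.
"""
import ipaddress
from typing import List, Optional


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value on commas, dropping blanks."""
    if not header:
        return []
    return [p.strip() for p in header.split(",") if p.strip()]


def trusted_client_ip(xff: Optional[str], remote_addr: str, num_trusted_hops: int) -> str:
    """Return the client address a proxy may trust.

    remote_addr is the peer of the TCP connection (use_remote_address=true).
    num_trusted_hops is how many proxies in front of us we trust (Envoy's
    xff_num_trusted_hops). 0: ignore XFF entirely, the TCP peer is the client.
    N > 0: the client is the N-th entry from the right. If the header has fewer
    entries than that, fall back to the TCP peer (assumed fallback).
    """
    if num_trusted_hops <= 0:
        return remote_addr
    entries = parse_xff(xff)
    if len(entries) < num_trusted_hops:
        return remote_addr
    candidate = entries[-num_trusted_hops]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return remote_addr  # a proxy we trust would not write garbage here
    return candidate


def naive_client_ip(xff: Optional[str], remote_addr: str) -> str:
    """The mistake the issue describes: believe the leftmost XFF entry."""
    entries = parse_xff(xff)
    return entries[0] if entries else remote_addr


def append_hop(xff: Optional[str], remote_addr: str) -> str:
    """What an edge proxy does before forwarding: append the TCP peer."""
    return ", ".join(parse_xff(xff) + [remote_addr])


def demo() -> dict:
    """Attacker at 203.0.113.7 sends a forged XFF claiming an internal IP."""
    spoofed = "10.0.0.5"            # constructed: internal address the client claims
    attacker = "203.0.113.7"        # constructed: real TCP peer of the edge proxy
    envoy_ip = "10.1.2.3"           # constructed: TCP peer seen by the internal app
    forwarded = append_hop(spoofed, attacker)   # header as received upstream
    return {
        "forwarded": forwarded,                                   # "10.0.0.5, 203.0.113.7"
        "naive_internal_app": naive_client_ip(forwarded, envoy_ip),  # fooled: 10.0.0.5
        "edge_zero_hops": trusted_client_ip(spoofed, attacker, 0),   # 203.0.113.7
        "internal_one_hop": trusted_client_ip(forwarded, envoy_ip, 1),  # 203.0.113.7
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The internal app in the demo sits one trusted hop (the edge proxy) behind the client, so it should read the rightmost entry, which is exactly what the edge appended; the forged leftmost entry only matters to a consumer that parses the header from the wrong end. The same function handles a trusted CDN or load balancer in front of the edge by raising num_trusted_hops at the edge, which is why the header is kept rather than stripped.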

Well, if Envoy is configured as edge, it shouldn't have any proxy in front of it, right? I'm not sure I understand why Envoy is accepting this header if it's not trusted; it's forwarding an untrusted value internally? Internal apps rely on X-Forwarded-* headers because it's standard and they are supposed to be trustworthy if your edge proxy forges them (and does not trust incoming headers); having to use an extra app-specific header is a pain.

Kiblyn11 avatar Apr 24 '24 07:04 Kiblyn11

The internet is filled with HTTP proxies. The x-forwarded header is an internet-standard way for those proxies to inform the next hop that they terminated TCP and what the original client IP is.

alyssawilk avatar Apr 29 '24 14:04 alyssawilk

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] avatar May 29 '24 16:05 github-actions[bot]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

github-actions[bot] avatar Jun 05 '24 20:06 github-actions[bot]