feat: add support to enable IP Transparency for TCP via Original Source listener filter
Description:
With current EG, Proxy Protocol is the only way to enable IP Transparency for TCP (not HTTP); it requires that the upstream host support Proxy Protocol too.
I propose to support another option that Envoy has already implemented to enable IP Transparency for TCP: Original Source listener filter. It doesn't require the upstream host to support Proxy Protocol, but requires appropriate network routing rules.
Relevant Links:
- https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
- https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/original_src_filter
+1, this is enabled in Istio gateway, so we have 2 options to do IP whitelisting
- XFF
- source IP
@arkodg can we consider this?
sure this makes sense, we enable this by default if listener protocol is TCP?
> sure this makes sense, we enable this by default if listener protocol is TCP?

That should be an opt-in feature for TCP listener, because Envoy requires the user to set up appropriate route rules to make the Original Source listener filter work correctly ^1.
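For reference, an added example (not from this thread or from the Envoy Gateway project) of a plain Envoy TCP listener with the Original Source listener filter that the issue refers to. The listener and cluster names, addresses, ports and the mark value 123 are assumptions chosen for illustration.

```yaml
# Added illustration: raw Envoy bootstrap, not Envoy Gateway API.
static_resources:
  listeners:
  - name: tcp_listener                      # assumed name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8888 }
    listener_filters:
    # Makes the upstream connection use the downstream remote address
    # as its source address, so the upstream sees the client IP without
    # having to parse Proxy Protocol.
    - name: envoy.filters.listener.original_src
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_src.v3.OriginalSrc
        # SO_MARK set on upstream sockets. The host's policy routing must
        # use it to steer the upstream's replies (addressed to the client
        # IP) back to Envoy, for example:
        #   ip rule add fwmark 123 lookup 100
        # plus routes in table 100 that fit the deployment's topology.
        # Without such rules the replies bypass Envoy and the connection
        # never completes, which is why the filter cannot be turned on
        # for every TCP listener without the operator's involvement.
        mark: 123
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: upstream_tcp
  clusters:
  - name: upstream_tcp                      # assumed name
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: upstream_tcp
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 10.0.0.10, port_value: 9000 }  # assumed upstream
```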
@arkodg nvm, seems like RBAC remote_ip on Envoy doesn't require this plugin. https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-principal
/assign
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
would this be to allow us to filter on source IP?