Allow setting of trusted CIDR blocks for X-Forwarded-For
Description: Last week Envoy just released support for trusted CIDR blocks when processing X-Forwarded-For headers.
It would be really useful to have a default configuration mode called "cloudflare" which would automatically load the IP ranges from these two dynamically updated lists:
Cloudflare IPv4 CIDR blocks: https://www.cloudflare.com/ips-v4/
Cloudflare IPv6 CIDR blocks: https://www.cloudflare.com/ips-v6/
Relevant Links:
https://github.com/envoyproxy/envoy/pull/31831
https://github.com/envoyproxy/envoy/releases/tag/v1.32.0
A knob for configuring CIDR can be added to the ClientTrafficPolicySpec.ClientIPDetection.XForwardedForSettings:

```yaml
NumTrustedHops: 2
TrustedCIDRs:
- 173.245.48.0/20
- 103.21.244.0/22
```
Given that the IP lists are updated only once a year, I believe it’s reasonable to just manually update the CTP whenever Cloudflare makes changes. cc @envoyproxy/gateway-maintainers
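The following is an added illustration of the two client-IP-detection modes this thread discusses (a fixed number of trusted hops versus a set of trusted CIDRs); it is not code from Envoy or Envoy Gateway. It parses a CIDR list in the one-prefix-per-line text format the Cloudflare URLs serve (the sample text is constructed inline; the IPv6 prefix and every client address are documentation-range placeholders, not real Cloudflare ranges), then resolves the client address from an X-Forwarded-For header plus the direct TCP peer. The "fall back to the peer on a malformed hop" behaviour is a design choice made here, not something the proposal specifies.

```python
import ipaddress
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample text in the one-CIDR-per-line format the Cloudflare lists use.
# The two IPv4 prefixes are the ones quoted in the issue; the IPv6 prefix is a
# documentation-range placeholder, NOT a real Cloudflare range.
SAMPLE_IPV4_LIST = """\
173.245.48.0/20
103.21.244.0/22
"""
SAMPLE_IPV6_LIST = """\
# placeholder IPv6 prefix for the example
2001:db8:cafe::/48
"""


def parse_cidr_list(text: str) -> List[IPNetwork]:
    """Parse one-CIDR-per-line text, rejecting blank-line noise and bad prefixes."""
    nets: List[IPNetwork] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=True rejects prefixes with host bits set, e.g. 173.245.48.1/20,
            # so a truncated or hand-edited list fails loudly instead of widening trust.
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not a valid CIDR: {line!r}") from exc
    return nets


def is_trusted(addr: str, trusted: List[IPNetwork]) -> bool:
    """True if addr parses and falls inside one of the trusted prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a malformed address is never a trusted proxy
    return any(ip in net for net in trusted)


def split_xff(header: str) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into its hop entries."""
    return [h.strip() for h in header.split(",") if h.strip()]


def client_ip_by_cidr(xff: str, peer_ip: str, trusted: List[IPNetwork]) -> str:
    """Trusted-CIDR mode: walk the chain (XFF entries, then the TCP peer) from the
    right and return the first address that is not one of our trusted proxies."""
    if not is_trusted(peer_ip, trusted):
        # The connection did not arrive through a trusted proxy, so nothing in the
        # header can be believed; the TCP peer is the only address we actually know.
        return peer_ip
    hops = split_xff(xff)
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # design choice here: malformed XFF entry -> use the peer
        if not is_trusted(hop, trusted):
            return hop
    # Every entry was one of our proxies: report the leftmost one (or the peer
    # itself when the header was empty) rather than inventing a client address.
    return hops[0] if hops else peer_ip


def client_ip_by_hops(xff: str, peer_ip: str, num_trusted_hops: int) -> str:
    """Hop-count mode: trust exactly num_trusted_hops entries counted from the right
    of the chain, regardless of who they are. Shown for contrast with CIDR mode."""
    chain = split_xff(xff) + [peer_ip]
    idx = len(chain) - 1 - num_trusted_hops
    return chain[idx] if idx >= 0 else chain[0]


TRUSTED = parse_cidr_list(SAMPLE_IPV4_LIST + SAMPLE_IPV6_LIST)

if __name__ == "__main__":
    # Normal path: a client reaches the gateway through a trusted proxy.
    print(client_ip_by_cidr("203.0.113.7", "173.245.48.10", TRUSTED))   # 203.0.113.7
    # Bypass path: a direct connection that carries a forged header. Hop-count mode
    # believes the header; CIDR mode does not, because the peer is not a known proxy.
    print(client_ip_by_hops("10.0.0.1", "198.51.100.5", 1))              # 10.0.0.1
    print(client_ip_by_cidr("10.0.0.1", "198.51.100.5", TRUSTED))       # 198.51.100.5
```

The contrast in the last two lines is the reason a CIDR allowlist is worth having even when the proxy count is stable: a fixed hop count only describes how many entries to skip, while a CIDR list also checks that the connection really came from one of those proxies, so a header presented on a direct connection is ignored. Two consecutive trusted hops (for example two Cloudflare addresses in the chain) are handled by the same walk without changing any setting.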
+1 to a generic trustedCIDRs
@arkodg I would like to contribute to this, please assign if help wanted. Thanks!
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
Can we keep this open until the code is actually released (1.3.0?) with documentation?
@arkodg do we have anything pending in this issue?
@rudrakhp are we tracking the regression associated with losing out on X-Envoy-Internal-Address anywhere?