Envoy default settings aren't what is expected for an edge proxy
Description:
I've started using Envoy Gateway (1.4.1) as an edge proxy with untrusted clients, and I noticed that X-Forwarded-For is showing multiple entries, which I wasn't expecting; I expected that the X-Forwarded-For header received from a downstream client would be ignored.
I tried to set

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: client-policy
  namespace: infra
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: public
  clientIPDetection:
    xForwardedFor:
      numTrustedHops: 0
```
But that didn't change the behaviour.
When I look at the config I see `"use_remote_address": false`, which I think is meant to be true by default?
I also see

```json
"original_ip_detection_extensions": [
  {
    "name": "envoy.extensions.http.original_ip_detection.xff",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.extensions.http.original_ip_detection.xff.v3.XffConfig",
      "skip_xff_append": false
    }
  }
]
```
Am I doing something wrong here or is this not quite right?
Relevant Links:
- https://github.com/envoyproxy/gateway/issues/1048
- https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
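To make the difference between the two settings concrete, the following is an added Python model (not Envoy Gateway or Envoy code) of how the trusted client address is chosen from X-Forwarded-For, following the rules described in the Envoy edge-proxy documentation linked above: with `use_remote_address: true` the TCP peer is trusted and XFF is only consulted for `num_trusted_hops > 0`; with `use_remote_address: false` (the reporter's observed default) the header itself is trusted and the (N+1)th entry from the right is taken. It models address selection only, not the appending of the peer address to the outgoing header, and the function names and sample addresses are constructed here.

```python
"""Model of proxy client-address selection from X-Forwarded-For (XFF).

Added illustration, not Envoy Gateway code. The selection rules follow the
Envoy XFF documentation linked in the issue; header appending is not modelled.
"""

from typing import Optional


def parse_xff(xff: Optional[str]) -> list:
    """Split an XFF header into its comma-separated entries (leftmost = oldest)."""
    if not xff:
        return []
    return [entry.strip() for entry in xff.split(",") if entry.strip()]


def trusted_client_address(remote_addr: str, xff: Optional[str],
                           use_remote_address: bool, num_trusted_hops: int) -> str:
    """Return the address the proxy would treat as the real client.

    use_remote_address=True:  trust the TCP peer. With N > 0 trusted hops, take
        the Nth entry from the right of the incoming XFF (the address the
        innermost trusted proxy saw), falling back to the peer when XFF is
        too short.
    use_remote_address=False: trust the header. Take the (N+1)th entry from
        the right of XFF, falling back to the peer when XFF is absent or
        too short.
    """
    entries = parse_xff(xff)
    if use_remote_address:
        if num_trusted_hops == 0:
            return remote_addr
        if len(entries) >= num_trusted_hops:
            return entries[-num_trusted_hops]
        return remote_addr
    # Header-trusting mode: with N == 0 this is simply the rightmost XFF entry,
    # which an untrusted client controls.
    if len(entries) >= num_trusted_hops + 1:
        return entries[-(num_trusted_hops + 1)]
    return remote_addr


def header_controls_client_ip(remote_addr: str, client_supplied_xff: str,
                              use_remote_address: bool, num_trusted_hops: int) -> bool:
    """True when an XFF value supplied by the connecting client changes the
    address the proxy would log, rate-limit or authorise on. For an edge proxy
    facing untrusted clients this should be False."""
    without_header = trusted_client_address(remote_addr, None,
                                            use_remote_address, num_trusted_hops)
    with_header = trusted_client_address(remote_addr, client_supplied_xff,
                                         use_remote_address, num_trusted_hops)
    return without_header != with_header


if __name__ == "__main__":
    # Constructed sample: a client connecting from 203.0.113.7 sends its own XFF.
    peer = "203.0.113.7"
    client_xff = "198.51.100.1"
    for use_remote, hops in [(False, 0), (True, 0), (True, 1)]:
        chosen = trusted_client_address(peer, client_xff, use_remote, hops)
        controlled = header_controls_client_ip(peer, client_xff, use_remote, hops)
        print(f"use_remote_address={use_remote} num_trusted_hops={hops}: "
              f"client={chosen} header_controls_client_ip={controlled}")
```

Running the block shows that `use_remote_address: false` with zero trusted hops lets the connecting client pick its own client address, while `use_remote_address: true` with zero trusted hops ignores the header entirely; it also shows that setting trusted hops higher than the number of proxies actually in front of Envoy reintroduces header trust, so `numTrustedHops` must match the real topology.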