Comments (6)

adisuissa avatar adisuissa commented on July 20, 2024

cc @yangminzhu @yanavlasov, who are RBAC code-owners and may be able to provide more information

from envoy.

adisuissa avatar adisuissa commented on July 20, 2024

Sorry for the inconvenience. Not sure what's the cause.
I see there's a difference between remote_ip and direct_remote_ip (https://www.envoyproxy.io/docs/envoy/v1.30.1/api-v3/config/rbac/v3/rbac.proto.html), specifically that remote_ip takes the x-forwarded-for value into account.
Can you try to change the Envoy config to direct_remote_ip and see if it works?

bartwitkowski avatar bartwitkowski commented on July 20, 2024

Thanks @adisuissa for looking into my issue.
My understanding is that the IP address taken from X-Forwarded-For should be placed in remoteIP (visible in logs) if the remote_ip CIDR is configured in Envoy.

On your request I set a.b.c.d/29 in direct_remote_ip, but the behavior is the same.
Logs:

[2024-04-19 19:21:02.423][14][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:114] checking request: requestedServerName: grafana.example.com, sourceIP: 10.1.0.27:33530, directRemoteIP: 10.1.0.27:33530, remoteIP: 10.1.0.27:33530,localAddress: 10.1.0.27:8443, ssl: uriSanPeerCertificate: , dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'grafana.example.com'
':path', '/'
':method', 'GET'
':scheme', 'https'
'x-forwarded-proto', 'https'
'x-forwarded-port', '443'
'x-forwarded-for', 'a.b.c.d:59248,10.1.0.27'
'x-original-url', '/'
'x-appgw-trace-id', '6b54dda4d985b8197c725e9c4aa9a0fa'
'x-original-host', 'grafana.example.com'
'user-agent', 'curl/7.68.0'
'accept', '*/*'
'x-envoy-external-address', '10.1.0.27'
'x-request-id', 'cc551f25-1f26-4998-ae89-a0d4873aa531'
, dynamicMetadata:
[2024-04-19 19:21:02.423][14][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:158] enforced denied, matched policy none

config:

   "dynamic_route_configs": [
    {
     "version_info": "18",
     "route_config": {
      "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration",
      "name": "https/grafana.example.com",
      "virtual_hosts": [
       {
        "name": "grafana.example.com",
        "domains": [
         "grafana.example.com"
        ],
        "routes": [
         {
          "match": {
           "prefix": "/"
          },
          "route": {
           "cluster": "monitoring/prometheus-grafana/80/da39a3ee5e"
          },
          "metadata": {
           "filter_metadata": {
            "envoy.access_loggers.file": {
             "io.projectcontour.name": "grafana",
             "io.projectcontour.namespace": "monitoring",
             "io.projectcontour.kind": "HTTPProxy"
            }
           }
          }
         }
        ],
        "typed_per_filter_config": {
         "envoy.filters.http.rbac": {
          "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute",
          "rbac": {
           "rules": {
            "policies": {
             "ip-rules": {
              "permissions": [
               {
                "any": true
               }
              ],
              "principals": [
               {
                "direct_remote_ip": {
                 "address_prefix": "a.b.c.d",
                 "prefix_len": 29
                }
               }
              ]
             }
            }
           }
          }
         }
        }
       }
      ],

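The two comments above turn on the same distinction: adisuissa points out that the `remote_ip` principal consults x-forwarded-for while `direct_remote_ip` only looks at the TCP peer, and the logs above show an x-forwarded-for header whose first entry carries a port ("a.b.c.d:59248") next to a `direct_remote_ip` policy. The following Python model, added here as an illustration and not Envoy's or Contour's own code, evaluates both principal kinds against a CIDR and shows how `xff_num_trusted_hops` selects which x-forwarded-for entry is trusted. The selection rule (with `use_remote_address` false, take the entry `xff_num_trusted_hops` positions from the right, 0 being the last entry) follows Envoy's documented behaviour; treating a port-bearing entry as unparseable, falling back to the direct address in that case, and modelling only the `use_remote_address: false` path for trusted hops are assumptions of this example. The addresses are constructed: 203.0.113.10 (a documentation range) stands in for the redacted a.b.c.d, and 10.1.0.27 is the address that appears in the logs.

```python
"""Toy model of how an Envoy RBAC `remote_ip` / `direct_remote_ip` principal
derives the address it compares against a CIDR. Added example, not Envoy code.
"""
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample values (see lead-in): 203.0.113.10 stands in for the
# redacted a.b.c.d, 10.1.0.27 is the Envoy-side address from the issue logs.
SAMPLE_DIRECT_REMOTE = "10.1.0.27"
SAMPLE_XFF_WITH_PORT = "203.0.113.10:59248,10.1.0.27"  # same shape as the logged header
SAMPLE_XFF_CLEAN = "203.0.113.10,10.1.0.27"            # what a bare-address header looks like
SAMPLE_CIDR = "203.0.113.8/29"                         # stands in for a.b.c.d/29


def parse_ip(entry: str) -> Optional[IPAddress]:
    """Parse a bare IPv4/IPv6 literal. An entry that carries a port
    ('203.0.113.10:59248') is not a bare address and yields None (assumption)."""
    try:
        return ipaddress.ip_address(entry.strip())
    except ValueError:
        return None


def resolve_remote_ip(direct_remote: str, xff_header: Optional[str],
                      xff_num_trusted_hops: int = 0,
                      use_remote_address: bool = False) -> Optional[IPAddress]:
    """Address used by the `remote_ip` principal under this model.

    use_remote_address=True: only the TCP peer is trusted (trusted-hop handling
    on this path is not modelled here, a simplification of the example).
    use_remote_address=False: the x-forwarded-for entry xff_num_trusted_hops
    positions from the right is used (0 = last entry). Entries further left were
    written by parties outside the trusted proxy chain and are never consulted,
    which is what stops a client from choosing its own source address. A
    missing or unparseable entry falls back to the direct address (assumption).
    """
    direct = parse_ip(direct_remote)
    if use_remote_address or not xff_header:
        return direct
    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    index = len(entries) - 1 - xff_num_trusted_hops
    if index < 0:
        return direct
    candidate = parse_ip(entries[index])
    return candidate if candidate is not None else direct


def principal_matches(kind: str, cidr: str, direct_remote: str,
                      xff_header: Optional[str], **xff_options) -> bool:
    """Evaluate one `direct_remote_ip` or `remote_ip` principal against a CIDR."""
    network = ipaddress.ip_network(cidr, strict=False)
    if kind == "direct_remote_ip":
        address = parse_ip(direct_remote)
    elif kind == "remote_ip":
        address = resolve_remote_ip(direct_remote, xff_header, **xff_options)
    else:
        raise ValueError(f"unsupported principal kind: {kind}")
    # `in` returns False (no exception) when address and network differ in IP version.
    return address is not None and address in network


def walk_scenarios() -> dict:
    """Run the issue's situation through the model and return each verdict."""
    return {
        "direct_remote_ip": principal_matches(
            "direct_remote_ip", SAMPLE_CIDR, SAMPLE_DIRECT_REMOTE, SAMPLE_XFF_WITH_PORT),
        "remote_ip, 0 trusted hops (default)": principal_matches(
            "remote_ip", SAMPLE_CIDR, SAMPLE_DIRECT_REMOTE, SAMPLE_XFF_WITH_PORT),
        "remote_ip, 1 trusted hop, entry carries a port": principal_matches(
            "remote_ip", SAMPLE_CIDR, SAMPLE_DIRECT_REMOTE, SAMPLE_XFF_WITH_PORT,
            xff_num_trusted_hops=1),
        "remote_ip, 1 trusted hop, bare address": principal_matches(
            "remote_ip", SAMPLE_CIDR, SAMPLE_DIRECT_REMOTE, SAMPLE_XFF_CLEAN,
            xff_num_trusted_hops=1),
    }


if __name__ == "__main__":
    for scenario, allowed in walk_scenarios().items():
        print(f"{scenario:50s} -> {'allowed' if allowed else 'denied'}")
```

Under this model only the last scenario is allowed: `direct_remote_ip` never sees the upstream proxy's client address, `remote_ip` with the default of zero trusted hops takes the last header entry (the 10.1.0.27 hop), and a trusted entry that is not a bare IP literal cannot be matched against a CIDR at all. The practical check for a deployment like the one in the issue is therefore twofold: confirm how many proxy hops sit in front of Envoy and set the trusted-hop count to exactly that number, and confirm that the hop being trusted writes a bare address into x-forwarded-for.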
bartwitkowski avatar bartwitkowski commented on July 20, 2024

Anyone?
We have quite simple Contour/Envoy configuration, so the IP filtering with XFF should just work out of the box.
I don't believe that no one is using this feature in Envoy :-).

github-actions avatar github-actions commented on July 20, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions avatar github-actions commented on July 20, 2024

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
