Is there a way to prevent envoy from adding specific headers?


According to the documentation here, https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-proto, the Envoy proxy adds the header X-Forwarded-Proto to requests. For some reason the header value is wrong: it is set to http even though the incoming request scheme is https. This causes some problems in my application code, since it depends on the correct value of this header.

Is this a bug in envoy? Can I prevent envoy from doing this?

The most likely reason this happens is that you have one or more proxies in front of Envoy/Istio.

You need to tell Envoy how many proxies are in front of it so that it can set the forwarded headers (such as X-Forwarded-Proto and X-Forwarded-For) correctly.

In Istio 1.4+, you can achieve this with an EnvoyFilter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xff-trust-hops
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: ANY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          use_remote_address: true
          xff_num_trusted_hops: 1 # Change as needed

Note that if you have more than one proxy in front of Envoy, you must change the xff_num_trusted_hops value to the correct number. For example, if you have a GCP or AWS cloud load balancer, you may have to increase this value to 2.

In Istio 1.8+, you will be able to configure this through the Istio operator, for example:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1 # Change as needed

More information is available here.
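To make the hop-count reasoning in this answer concrete, here is an added Python model (not code from the question, from either answer, or from Envoy) of how use_remote_address: true together with xff_num_trusted_hops selects the trusted client address and X-Forwarded-Proto, following the algorithm in Envoy's x-forwarded-for documentation. The X-Forwarded-Proto branch is a simplified reading of those docs and is an assumption; the Request class, the IP addresses and the two scenarios are constructed for the example. It reproduces the question's symptom (a TLS-terminating load balancer in front, hop count 0, Envoy reports http) and the fix (hop count 1), and also the failure mode in the other direction: trusting one more hop than actually exists lets a directly connected client supply its own forwarded headers, so the count must match the deployment exactly.

```python
"""Model of how Envoy's use_remote_address / xff_num_trusted_hops settings
decide the trusted client address and X-Forwarded-Proto.

Added example, not code from the question, the answers, or Envoy itself.
It follows the algorithm described in Envoy's x-forwarded-for documentation
for use_remote_address: true; the X-Forwarded-Proto handling is a simplified
reading of the same docs and is an assumption, not Envoy source.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Request:
    remote_addr: str        # source address of the TCP connection Envoy accepted
    conn_is_tls: bool       # whether that connection itself was TLS
    xff: str = ""           # incoming X-Forwarded-For (a direct client can set this freely)
    xfp: str = ""           # incoming X-Forwarded-Proto


def parse_xff(xff: str) -> list[str]:
    """Split an X-Forwarded-For header into its comma-separated addresses."""
    return [a.strip() for a in xff.split(",") if a.strip()]


def resolve(req: Request, xff_num_trusted_hops: int) -> tuple[str, str]:
    """Return (trusted_client_address, x_forwarded_proto) as Envoy would with
    use_remote_address: true and the given xff_num_trusted_hops."""
    # With use_remote_address: true Envoy appends the connection's source
    # address to X-Forwarded-For before choosing the trusted client address.
    hops = parse_xff(req.xff) + [req.remote_addr]
    n = xff_num_trusted_hops
    if n == 0:
        client = req.remote_addr
    elif len(hops) >= n + 1:
        client = hops[-(n + 1)]     # the (N+1)th address from the right
    else:
        client = req.remote_addr    # too few entries: fall back to the connection address

    # Envoy is the first hop only when no proxy in front of it is trusted; it then
    # derives X-Forwarded-Proto from its own connection and ignores any incoming value.
    # With trusted hops it keeps the value the trusted proxy set (assumption: header present).
    if n == 0 or not req.xfp:
        proto = "https" if req.conn_is_tls else "http"
    else:
        proto = req.xfp
    return client, proto


# Constructed scenario from the question: a TLS-terminating load balancer at 10.0.0.5
# forwards the client's request to Envoy over plaintext and sets the forwarded headers.
LB_REQUEST = Request(remote_addr="10.0.0.5", conn_is_tls=False,
                     xff="203.0.113.7", xfp="https")

# Constructed scenario: no load balancer, a client at 198.51.100.9 connects directly
# over plaintext and sends its own forwarded headers.
SPOOFED_REQUEST = Request(remote_addr="198.51.100.9", conn_is_tls=False,
                          xff="10.10.10.10", xfp="https")


if __name__ == "__main__":
    for label, req in (("behind LB", LB_REQUEST), ("direct client", SPOOFED_REQUEST)):
        for hops in (0, 1):
            client, proto = resolve(req, hops)
            print(f"{label:13s} xff_num_trusted_hops={hops}: client={client:14s} proto={proto}")
```

Run as a script it prints one line per scenario and hop count. With the load balancer in front, hop count 0 yields client 10.0.0.5 and proto http (the question's symptom) while hop count 1 yields the real client and https; for the direct client, hop count 0 is correct and hop count 1 accepts whatever the client wrote in both headers. That is the practical reason the answer insists the value match the number of proxies actually present.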

As I mentioned in the comments, there is a GitHub issue related to this:

Is there a way to prevent envoy from adding specific headers?

There is a comment by Istio dev @howardjohn on that:

We currently have two options:

There will not be a third; instead we will promote the alpha API.

So the first option is the EnvoyFilter.


The GitHub issue above has 2 answers.

Answer provided by @jh-sz:

In general, use_remote_address should be set to true when Envoy is deployed as an edge node (aka a front proxy), whereas it may need to be set to false when Envoy is used as an internal service node in a mesh deployment.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: xff-trust-hops
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: ANY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          use_remote_address: true
          xff_num_trusted_hops: 1

AND

Answer provided by @vadimi:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: my-app-filter
spec:
  workloadLabels:
    app: my-app
  filters:
  - listenerMatch:
      portNumber: 5120
      listenerType: SIDECAR_INBOUND
    filterName: envoy.lua
    filterType: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
          request_handle:headers():replace("x-forwarded-proto", "https")
        end
        function envoy_on_response(response_handle)
        end

The second option is the Alpha API; this feature is under active development and is considered pre-alpha.

Istio provides the ability to manage settings like X-Forwarded-For (XFF) and X-Forwarded-Client-Cert (XFCC), which are dependent on how the gateway workloads are deployed. This is currently an in-development feature. For more information on X-Forwarded-For, see the IETF’s RFC.

You might choose to deploy Istio ingress gateways in various network topologies (e.g. behind Cloud Load Balancers, a self-managed Load Balancer or directly expose the Istio ingress gateway to the Internet). As such, these topologies require different ingress gateway configurations for transporting correct client attributes like IP addresses and certificates to the workloads running in the cluster.

Configuration of XFF and XFCC headers is managed via MeshConfig during Istio installation or by adding a pod annotation. Note that the Meshconfig configuration is a global setting for all gateway workloads, while pod annotations override the global setting on a per-workload basis.