l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops #32200

mhofstetter · 2024-04-26T08:44:28Z

Currently, when L7 policies (egress or ingress) are enforced for traffic
between Pods, Envoy might change x-forwarded-for related headers because the corresponding
Envoy listeners don't trust the downstream headers because XffNumTrustedHops
is set to 0.

e.g. x-forwarded-proto header:

Downstream x-forwarded-proto headers will only be trusted if xff_num_trusted_hops is non-zero. If xff_num_trusted_hops is zero, downstream x-forwarded-proto headers and :scheme headers will be set to http or https based on if the downstream connection is TLS or not.

https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-proto

This might be problematic if L7 policies are used for egress traffic for Pods from
a non-Cilium ingress controller (e.g. nginx). If the Ingress Controller is terminating TLS
traffic and forwards the protocol via x-forwarded-proto=https, Cilium Envoy Proxy changes
this header to x-forwarded-proto=http (if no tls termination itself is used in the policy configuration).

This breaks applications that depend on the forwarded protocol.

Therefore, this commit introduces two new config flags proxy-xff-num-trusted-hops-ingress and
proxy-xff-num-trusted-hops-egresss that configures the property XffNumTrustedHops on the respective
L7 policy Envoy listeners.

For backwards compabitility and security reasons, the values still default to 0.

Note: It's also possible to configure these values via Helm (envoy.xffNumTrustedHopsL7PolicyIngress &
envoy.xffNumTrustedHopsL7PolicyEgress).

mhofstetter · 2024-04-26T11:48:29Z

/test

jrajahalme · 2024-04-29T08:22:22Z

/test

jrajahalme

LGTM

qmonnet

Some nits on the docs, looks good otherwise. Thanks!

Documentation/network/servicemesh/envoy-traffic-management.rst

Currently, when L7 policies (egress or ingress) are enforced for traffic between Pods, Envoy might change x-forwarded-for related headers because the corresponding Envoy listeners don't trust the downstream headers because `XffNumTrustedHops` is set to `0`. e.g. `x-forwarded-proto` header: > Downstream x-forwarded-proto headers will only be trusted if xff_num_trusted_hops is non-zero. If xff_num_trusted_hops is zero, downstream x-forwarded-proto headers and :scheme headers will be set to http or https based on if the downstream connection is TLS or not. https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-proto This might be problematic if L7 policies are used for egress traffic for Pods from a non-Cilium ingress controller (e.g. nginx). If the Ingress Controller is terminating TLS traffic and forwards the protocol via `x-forwarded-proto=https`, Cilium Envoy Proxy changes this header to `x-forwarded-proto=http` (if no tls termination itself is used in the policy configuration). This breaks applications that depend on the forwarded protocol. Therefore, this commit introduces two new config flags `proxy-xff-num-trusted-hops-ingress` and `proxy-xff-num-trusted-hops-egresss` that configures the property `XffNumTrustedHops` on the respective L7 policy Envoy listeners. For backwards compabitility and security reasons, the values still default to `0`. Note: It's also possible to configure these values via Helm (`envoy.xffNumTrustedHopsL7PolicyIngress` & `envoy.xffNumTrustedHopsL7PolicyEgress`). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

mhofstetter · 2024-04-29T09:02:59Z

Some nits on the docs, looks good otherwise. Thanks!

Thanks @qmonnet 🚀 🙏 - I incorporated your feedback! PTAL.

qmonnet

Thank you!

qmonnet · 2024-04-29T09:09:39Z

/test

sayboras

LGTM ✔️

mhofstetter added area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. release-note/misc This PR makes changes that have no direct user impact. area/servicemesh GH issues or PRs regarding servicemesh labels Apr 26, 2024

mhofstetter requested a review from jrajahalme April 26, 2024 08:46

mhofstetter marked this pull request as ready for review April 26, 2024 08:46

mhofstetter requested a review from a team as a code owner April 26, 2024 08:46

mhofstetter marked this pull request as draft April 26, 2024 15:17

mhofstetter force-pushed the pr/mhofstetter/proxy-xff-hops branch 2 times, most recently from 2e95a6d to a192f38 Compare April 26, 2024 15:33

mhofstetter changed the title ~~l7 policy: introduce flag proxy-xff-num-trusted-hops~~ l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops Apr 26, 2024

mhofstetter force-pushed the pr/mhofstetter/proxy-xff-hops branch from a192f38 to c78dd75 Compare April 26, 2024 15:40

mhofstetter added needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 26, 2024

maintainer-s-little-helper bot added this to Needs backport from main in 1.15.5 Apr 26, 2024

maintainer-s-little-helper bot added this to Needs backport from main in 1.14.11 Apr 26, 2024

jrajahalme approved these changes Apr 29, 2024

View reviewed changes

mhofstetter marked this pull request as ready for review April 29, 2024 08:30

mhofstetter requested review from a team as code owners April 29, 2024 08:30

mhofstetter requested review from squeed, sayboras and qmonnet April 29, 2024 08:30

mhofstetter added the backport/author The backport will be carried out by the author of the PR. label Apr 29, 2024

qmonnet requested changes Apr 29, 2024

View reviewed changes

Documentation/network/servicemesh/envoy-traffic-management.rst Outdated Show resolved Hide resolved

mhofstetter force-pushed the pr/mhofstetter/proxy-xff-hops branch from c78dd75 to d0d5c50 Compare April 29, 2024 09:01

mhofstetter requested a review from qmonnet April 29, 2024 09:03

qmonnet approved these changes Apr 29, 2024

View reviewed changes

sayboras approved these changes Apr 29, 2024

View reviewed changes

squeed approved these changes Apr 30, 2024

View reviewed changes

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 30, 2024

tklauser added this pull request to the merge queue Apr 30, 2024

Merged via the queue into cilium:main with commit 1bc2c75 Apr 30, 2024
64 checks passed

mhofstetter deleted the pr/mhofstetter/proxy-xff-hops branch April 30, 2024 11:42

mhofstetter mentioned this pull request Apr 30, 2024

[v1.15] Author backport of #32200 #32260

Merged

mhofstetter added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 30, 2024

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.15 in 1.15.5 Apr 30, 2024

mhofstetter mentioned this pull request Apr 30, 2024

[v1.14] Author backport of #32200 #32265

Merged

mhofstetter added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Apr 30, 2024

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.14 in 1.14.11 Apr 30, 2024

github-actions bot added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels May 1, 2024

maintainer-s-little-helper bot removed this from Backport pending to v1.14 in 1.14.11 May 1, 2024

maintainer-s-little-helper bot added this to Backport done to v1.14 in 1.14.11 May 1, 2024

aanm mentioned this pull request May 2, 2024

Prepare for release v1.14.11 aanm/cilium#643

Merged

github-actions bot added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels May 3, 2024

maintainer-s-little-helper bot moved this from Backport pending to v1.15 to Backport done to v1.15 in 1.15.5 May 3, 2024

maintainer-s-little-helper bot removed this from Backport done to v1.15 in 1.15.5 May 3, 2024

This was referenced May 10, 2024

Prepare for release v1.14.11 #32460

Merged

Prepare for release v1.15.5 #32470

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops #32200

l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops #32200

mhofstetter commented Apr 26, 2024 •

edited

mhofstetter commented Apr 26, 2024

jrajahalme commented Apr 29, 2024

jrajahalme left a comment

qmonnet left a comment

mhofstetter commented Apr 29, 2024

qmonnet left a comment

qmonnet commented Apr 29, 2024

sayboras left a comment

l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops #32200

l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops #32200

Conversation

mhofstetter commented Apr 26, 2024 • edited

mhofstetter commented Apr 26, 2024

jrajahalme commented Apr 29, 2024

jrajahalme left a comment

Choose a reason for hiding this comment

qmonnet left a comment

Choose a reason for hiding this comment

mhofstetter commented Apr 29, 2024

qmonnet left a comment

Choose a reason for hiding this comment

qmonnet commented Apr 29, 2024

sayboras left a comment

Choose a reason for hiding this comment

mhofstetter commented Apr 26, 2024 •

edited