You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This feature toggle would be opt-in and marked for use only with trusted downstream traffic, as there are valid security concerns as listed in the proxy protocol spec:
Implementers should be very careful about not trying to automatically detect
whether they have to decode the header or not, but rather they must only rely
on a configuration parameter. Indeed, if the opportunity is left to a normal
client to use the protocol, he will be able to hide his activities or make them
appear as coming from someone else. However, accepting the header only from a
number of known sources should be safe.
typeProxyProtocolstruct {
state protoimpl.MessageStatesizeCache protoimpl.SizeCacheunknownFields protoimpl.UnknownFields// The list of rules to apply to requests.Rules []*ProxyProtocol_Rule`protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`// NEW FIELD: defaults to false. if true, attempt to detect proxy protocol if present, and allow// requests through if proxy protocol is not used on the connectionDetectProxyProtocolbool
}
Rather than duplicate functionality in our own proxy protocol filter, I thought it would be preferable to explore this as an upstream contribution. Thoughts?
Thanks and best
[optional Relevant Links:]
Gloo Edge issue with the original feature request from customer solo-io/gloo#5403 (I work on the Gloo Edge API gateway built on envoy)
The text was updated successfully, but these errors were encountered:
@rgs1@mattklein123 thank you for linking the PR for prior work to skip TLS with proxy protocol. It has proven a useful example as I have started the implementation.
My proposal here is slightly different than the original PR.
What I would like to do is add a new top level configuration to the proxy protocol filter that instructs the filter to attempt parsing as v1/v2 proxy protocol, and if both fail, pass along the original request as if it were not using proxy protocol.
The PR linked only instructs to skip on requests using TLS.
I was hoping to get thoughts on the proposal / api before finishing a PR.
Title: Add Feature Flag to auto-detect Proxy Protocol
Description:
The proposal here is to add a new feature toggle to the Proxy Protocol listener filter which attempts to parse the connection as proxy protocol (e.g. https://github.com/envoyproxy/envoy/blob/main/source/extensions/filters/listener/tls_inspector/tls_inspector.cc#L149 as example to peek at connection bytes) and upon failure, instead of erroring, will continue processing the connection without Proxy Protocol.
This feature toggle would be opt-in and marked for use only with trusted downstream traffic, as there are valid security concerns as listed in the proxy protocol spec:
The customer-provided use case:
solo-io/gloo#5403 (comment)
Proposed feature flag:
Rather than duplicate functionality in our own proxy protocol filter, I thought it would be preferable to explore this as an upstream contribution. Thoughts?
Thanks and best
[optional Relevant Links:]
Gloo Edge issue with the original feature request from customer solo-io/gloo#5403 (I work on the Gloo Edge API gateway built on envoy)
The text was updated successfully, but these errors were encountered: