Regression in remote IP detection when using detection extensions

Raul Gutierrez Segales

Jul 30, 2021, 3:12:31 PM7/30/21
to envoy-a...@googlegroups.com, envoy-secur...@googlegroups.com, envoy-users, Envoy-maintainers

Hi all,


tl;dr: The latest Envoy release contains a regression in how IP detection works when xff_num_trusted_hops > 0 and use_remote_address is true. To avoid it, do not use the new original_ip_detection_extensions field. Instead, keep using the deprecated xff_num_trusted_hops field until the next release, or until the corresponding fix becomes available.

After support for IP detection extensions was added [0], the xff_num_trusted_hops field [1] was deprecated in favor of the equivalent extension. Using the XFF extension [2] together with the use_remote_address option [3] breaks detection, because the detection code still relies on the deprecated field rather than on the field in the extension itself. More specifically, when the xff_num_trusted_hops value configured in the extension is greater than zero, it is ignored when used in conjunction with use_remote_address. This means that you will end up with the remote address as the final address, rather than the address extracted from the x-forwarded-for header. To fix this we will retire the deprecation of the xff_num_trusted_hops field, and prevent it and use_remote_address from being used together with extensions, since that combination yields undefined behavior.

We’d like to thank Kateryna Nezdolii for reporting the issue and helping us debug it. 


Thanks,

The Envoy Team

[0] https://github.com/envoyproxy/envoy/pull/14855
[1] https://github.com/envoyproxy/envoy/blob/537cf1a8482fbdd74100e708547086ff443e6250/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#L520
[2] https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/xff/v3/xff.proto
[3] https://github.com/envoyproxy/envoy/blob/537cf1a8482fbdd74100e708547086ff443e6250/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#L496
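As an added example (not part of the original announcement), the two HTTP connection manager configurations the message contrasts, written out for a deployment with exactly one trusted proxy (for instance a load balancer) in front of Envoy. The stat_prefix, route and cluster names are placeholders, and the surrounding listener and cluster definitions are omitted.

```yaml
# Added example, not from the original announcement. Two typed_configs for
# the envoy.filters.network.http_connection_manager filter, for a deployment
# with exactly one trusted proxy (e.g. a load balancer) in front of Envoy.
# stat_prefix, route and cluster names are placeholders; the listener and
# cluster definitions are omitted.

# (a) Workaround recommended above: keep the deprecated HCM field.
# With use_remote_address: true and xff_num_trusted_hops: 1, Envoy takes the
# client address from the right-most existing x-forwarded-for entry (the one
# the trusted proxy added) and only then appends the proxy's own address to
# the header.
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
use_remote_address: true
xff_num_trusted_hops: 1
route_config:
  name: local_route
  virtual_hosts:
  - name: backend
    domains: ["*"]
    routes:
    - match: { prefix: "/" }
      route: { cluster: backend }
http_filters:
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
---
# (b) Affected configuration: the same hop count, expressed through the new
# original_ip_detection_extensions field as the deprecation suggests.
# In the release described above, use_remote_address makes Envoy consult the
# deprecated HCM field (unset here, so zero) instead of the extension's value,
# so x-forwarded-for is never read and the proxy's address is reported as the
# client.
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
use_remote_address: true
original_ip_detection_extensions:
- name: envoy.http.original_ip_detection.xff
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.http.original_ip_detection.xff.v3.XffConfig
    xff_num_trusted_hops: 1
route_config:
  name: local_route
  virtual_hosts:
  - name: backend
    domains: ["*"]
    routes:
    - match: { prefix: "/" }
      route: { cluster: backend }
http_filters:
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

A quick way to tell which behaviour a running Envoy exhibits is to log both %DOWNSTREAM_DIRECT_REMOTE_ADDRESS% (the physical peer) and %DOWNSTREAM_REMOTE_ADDRESS% (the address after XFF detection) in the access log. For a constructed request that reaches Envoy from the proxy with x-forwarded-for: 203.0.113.7, configuration (a) logs the proxy's address in the first field and 203.0.113.7 in the second; under the regression with configuration (b) both fields show the proxy's address. Any RBAC, rate-limit or logging policy keyed on the client IP then sees the proxy rather than the client, which is why the announcement recommends staying on the deprecated field.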

