Mesh gateway envoy config should have use_remote_address set to true #4506

wjrbetts · 2022-06-27T09:02:12Z

What happened?

The mesh gateway envoy proxy has the default value of false for use_remote_address in the HTTP connection manager config.

The documentation makes it clear that this should be set to true when the downstream is untrusted:

and

This affects how headers such as x-forwarded-for and x-forwarded-proto are treated.

For example, despite the fact that the connection with the downstream is TLS, our mesh gateway redirects the client because the x-forwarded-proto is (incorrectly) set to http by the client and we have require_tls set to all.

The text was updated successfully, but these errors were encountered:

wjrbetts added kind/bug A bug triage/pending This issue will be looked at on the next triage meeting labels Jun 27, 2022

jakubdyszkiewicz added triage/accepted The issue was reviewed and is complete enough to start working on it and removed triage/pending This issue will be looked at on the next triage meeting labels Jun 27, 2022

lahabana mentioned this issue Jun 27, 2022

Add Via and any other proxy-related headers #3466

Open

jakubdyszkiewicz self-assigned this Jun 30, 2022

jakubdyszkiewicz mentioned this issue Jun 30, 2022

feat(kuma-cp): use remote address for Gateway #4530

Merged

4 tasks

jakubdyszkiewicz closed this as completed in #4530 Jul 1, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mesh gateway envoy config should have use_remote_address set to true #4506

Mesh gateway envoy config should have use_remote_address set to true #4506

wjrbetts commented Jun 27, 2022

Mesh gateway envoy config should have use_remote_address set to true #4506

Mesh gateway envoy config should have use_remote_address set to true #4506

Comments

wjrbetts commented Jun 27, 2022

What happened?