sync from master. #59

Merged
merged 209 commits into from
May 17, 2021
Commits
5860602
grid: clean up return value (#15950)
alyssawilk Apr 14, 2021
69b97db
extended request options to support passing metadata match criteria (…
wbpcode Apr 14, 2021
d357fc0
docs: Fix emphasize lines in literalincludes (#15969)
phlax Apr 14, 2021
dffcf01
thrift proxy: add upstream_rq_time histograms to cluster metrics (#15…
williamsfu99 Apr 14, 2021
f782c81
wasm: support adding trailers when they don't already exist. (#15831)
PiotrSikora Apr 14, 2021
96573e2
test: more fast-timeouts. (#15959)
alyssawilk Apr 14, 2021
432cc06
docs : update wasm service example plugin config as a bootstrap exten…
NomadXD Apr 14, 2021
d6a9f31
docs: Cleanups for 1.18.0 release (#15983)
phlax Apr 15, 2021
e2eebec
test: making assert required (#15972)
alyssawilk Apr 15, 2021
5450a45
Win32 docs for `run-envoy.rst` section (#15813)
Apr 15, 2021
22351ae
build: Bump build image to 3d0491e2 (#15986)
phlax Apr 15, 2021
2d6cce3
docs: release note cleanup (#15993)
alyssawilk Apr 15, 2021
299ae28
build-tools: Bump build tools in repository_locations.bzl (#15992)
phlax Apr 15, 2021
17cbc22
tagging example config test as large (#15990)
alyssawilk Apr 15, 2021
2dd8c33
python: Integrate linting tools (#15922)
phlax Apr 15, 2021
12e35db
cve_scan: add some false positives. (#15944)
htuch Apr 15, 2021
6068166
build: workaround for sed issue with en_US.UTF-8 locale. (#15997)
PiotrSikora Apr 15, 2021
8ae87f2
tools: Remove rst_check code for now (#16000)
phlax Apr 15, 2021
e7c1142
http: Fixing empty metadata map handling (#230) (#253)
adisuissa Mar 25, 2021
e383908
Fix grpc-timeout integer overflow (#237)
asraa Mar 25, 2021
35783a5
ssl: fix crash when peer sends an SSL Alert with an unknown code (#239)
ggreenway Mar 25, 2021
ec09c3e
1.18.0 release
tonya11en Apr 15, 2021
c114697
Add release notes for v1.17.2, v1.16.3, v1.15.4, v1.14.7
tonya11en Apr 15, 2021
345ffe3
Fix formatting of security patches
tonya11en Apr 15, 2021
9614605
release: 1.18.1 (#16020)
alyssawilk Apr 15, 2021
d362e79
build: fix and bump to 1.18.2 (#16022)
mattklein123 Apr 16, 2021
2282590
release: kick off 1.19 (#16025)
mattklein123 Apr 16, 2021
ad4919d
upstream adding QUIC-to-TCP failover (#15894)
alyssawilk Apr 16, 2021
dbc8998
tools: default to clang-format-11 in check_format.py (#16024)
florincoras Apr 16, 2021
639ca8b
build(deps): bump sphinx from 3.5.3 to 3.5.4 in /docs (#15918)
dependabot[bot] Apr 16, 2021
d4e28ef
Fix ASAN error with uninitialized core_dump_enabled_ in test construc…
yanavlasov Apr 16, 2021
5e886ce
quiche: tracking down invalid readDisable (#15998)
alyssawilk Apr 16, 2021
2500a45
build(deps): bump flake8 from 3.9.0 to 3.9.1 in /tools/code_format (#…
dependabot[bot] Apr 16, 2021
fbfeb99
python: Add main test fixture and consolidate checker/runner mains (#…
phlax Apr 19, 2021
751be72
http: split strict_1xx_and_204_response_headers into two settings (#1…
tbarrella Apr 19, 2021
f5665d0
grid: Track HTTP/3 broken-ness in ConnectivityGrid. (#15933)
RyanTheOptimist Apr 19, 2021
75f6d1a
docs: Dmitri Dolguikh to manage Stable Releases in 2021 Q2. (#16055)
PiotrSikora Apr 19, 2021
04b34ca
kill_request: Use RELEASE_ASSERT instead of raise(SIGABRT) in kill_re…
qqustc Apr 19, 2021
e1935de
config: support determine terminal filter at runtime (#15803)
qinggniq Apr 19, 2021
bb45090
[delta xds]: remove cached nonces on reconnection (#16037)
stevenzzzz Apr 19, 2021
d95f080
tooling: Update pipcheck tool (#16033)
phlax Apr 19, 2021
df0f51d
owners: add @wrowe as a maintainer. (#16068)
htuch Apr 19, 2021
4962792
tls: remove legacy socket BIOs and runtime guard (#16023)
florincoras Apr 19, 2021
457238e
Enable header modifications with body in "buffered" mode (#15935)
gbrail Apr 20, 2021
a809844
docs: fix missing underscore in field name idle_timeout (#16070)
addozhang Apr 20, 2021
fe806d1
tracing: fix zipkin annotation timestamp serialization issue (#16073)
douglas-reid Apr 20, 2021
92dab8f
Reserve field ID for an upcoming patch (#16069)
yanavlasov Apr 20, 2021
6ca2210
dependabot: Aggregate updates (#16079)
phlax Apr 20, 2021
d4c16b5
overload: remove runtime override for http/2 goaway (#16041)
akonradi Apr 20, 2021
d841924
quiche: support downstream using SDS (#15821)
danzh2010 Apr 20, 2021
6b8a898
server: fix TAP validation mode (#15932)
Apr 20, 2021
24abcda
Minor cleanup. (#16082)
KBaichoo Apr 20, 2021
245d5fe
Buffer: Track number of allocated bytes across buffers. (#15859)
KBaichoo Apr 20, 2021
795a4f5
http: refactor out stream rate limiter to common (#14828)
nitgoy Apr 20, 2021
cc98169
grpc_json_transcoder: Switch tests to compare JSON objects (#16085)
nareddyt Apr 20, 2021
970b4d7
protos: Remove (more) redundant imports (#16086)
phlax Apr 21, 2021
a12869f
upgrade rules_go to v0.27.0 (#16065) (#16083)
QIvan Apr 21, 2021
0c37028
udp listener fuzzer (#15974)
DavidKorczynski Apr 21, 2021
9b27f96
Bring parity to the docker images on the install docs pages (#16038)
Apr 22, 2021
118f66e
xray: fix the default sampling rate for AWS X-Ray tracer (#15958)
suniltheta Apr 22, 2021
048f3b8
runtime: remove HCM stream error runtime override (#16040)
akonradi Apr 22, 2021
15d71b0
tooling: Add all pytests checker (#16031)
phlax Apr 22, 2021
c0c243e
Update QUICHE dependency (#16100)
DavidSchinazi Apr 23, 2021
ed9403a
Add a missing work to WASM filter doc (#16106)
peterj Apr 23, 2021
8a21436
fix (#16135)
asraa Apr 23, 2021
8e1e022
jwt_authn refactory: move threadlocal from JwksCache into JwksDataImp…
qiwzhang Apr 23, 2021
f43a78e
Revert "honour routes timeout if max stream duration is set with out …
snowp Apr 23, 2021
d50749c
dependabot: Resolve updates (#16094)
phlax Apr 23, 2021
58a1357
disable tls resumption (#16147)
danzh2010 Apr 23, 2021
7cd615c
api: Update xds_protocol doc to remove v2 and cleanup (#16097)
phlax Apr 24, 2021
0143bc2
Fix protoleak. (#16101)
KBaichoo Apr 26, 2021
1d234a8
python: Switch to exclusive list for flake8 (#16159)
phlax Apr 26, 2021
3e9b848
deprecating allow_500_after_100 (#16171)
alyssawilk Apr 26, 2021
6f6a78b
http: removing envoy.reloadable_features.unify_grpc_handling (#16173)
alyssawilk Apr 26, 2021
2026543
http3: turning up more tests (#16175)
alyssawilk Apr 26, 2021
286ff81
metric service: add support for sending tags as labels (#16125)
snowp Apr 26, 2021
f40e279
apple dns: fix crash on invalid dns name (#16028)
junr03 Apr 26, 2021
4622fee
docs: Update refs: v2 -> v3 (#16163)
phlax Apr 26, 2021
87d5eb7
dependabot: Resolve updates (#16169)
phlax Apr 27, 2021
25d9d30
Fix tests that link all extensions so that gcc can compile them (#16187)
yanavlasov Apr 27, 2021
d20dbc4
http: raise max_request_headers_kb limit to 8192 KiB (8MiB) from 96 K…
anirudhaps Apr 27, 2021
ca4ca98
grid: Add a new class for tracking alternate protocols for a connect…
RyanTheOptimist Apr 27, 2021
4a0dfd5
docs: Use intersphinx to map old versions and cleanup version history…
phlax Apr 27, 2021
72de1b2
Make the members of Upstream::HostDescriptionImpl private. (#16192)
RyanTheOptimist Apr 27, 2021
58e0804
DebugString() -> ShortDebugString() (#16172)
auni53 Apr 27, 2021
aba5650
update zk filter proxy (#16190)
JaredTan95 Apr 27, 2021
6c7777c
wasm: update proxy-wasm-cpp-host to use refactored code around runtim…
mathetake Apr 27, 2021
c8415d6
Build win32_scm_test with just core extensions (#16193)
yanavlasov Apr 27, 2021
d7a859b
configs: Validate dynamic xds config (#16145)
phlax Apr 27, 2021
152762a
http: removing envoy.reloadable_features.http_match_on_all_headers (#…
alyssawilk Apr 28, 2021
ec87fdd
h3 config examples (#15987)
alyssawilk Apr 28, 2021
c75ac18
wasm: use in_vm_context_created_ flag for http contexts. (#16202)
mathetake Apr 28, 2021
55e858a
Log actual admin port. (#16197)
Apr 28, 2021
f51e927
api: add NonForwardingAction route action type (#16144)
markdroth Apr 28, 2021
3d77e18
shellcheck: Enable and cleanup .github file (#16206)
phlax Apr 28, 2021
eed2946
tracing: bump cpp2sky v0.2.1 (#15782)
Shikugawa Apr 28, 2021
aa3d8a1
http: removing envoy.reloadable_features.http_set_copy_replace_all_he…
alyssawilk Apr 28, 2021
6d4b75f
owners: add @phlax as maintainer. (#16212)
htuch Apr 28, 2021
d86bd11
delta-xds: avoid sending resource names for wildcard requests on stre…
adisuissa Apr 28, 2021
73ebf87
http: removing envoy.reloadable features.always apply route header ru…
alyssawilk Apr 28, 2021
3756e5b
grid: Add a new class for tracking HTTP/3 status (#16067)
RyanTheOptimist Apr 28, 2021
eb18d71
docs: Improve style for inline literals and update contrib guidance (…
phlax Apr 28, 2021
29eb170
ext_proc: Support trailer callbacks (#16102)
gbrail Apr 29, 2021
ce1cb0e
http local_ratelimit: add request_headers_to_add option (#16178)
williamsfu99 Apr 29, 2021
3e96780
Listener: respect the connection balancer of the redirected listener …
lambdai Apr 29, 2021
265275e
server: fix fips_mode stat (#16140)
raakella Apr 29, 2021
8c71400
http: port stripping for CONNECT (#15975)
alyssawilk Apr 29, 2021
26a60c2
quiche: use max header size configured in HCM (#15912)
danzh2010 Apr 29, 2021
9e263d8
quiche: handle stream blockage during decodeHeaders and decodeTrailer…
danzh2010 Apr 29, 2021
82e33f6
runtime: refresh QUIC flags when a new runtime config is loaded. (#16…
RenjieTang Apr 29, 2021
8b9b877
test: Deflake tsan //test/integration:integration_test (#16238)
yanavlasov Apr 29, 2021
9ae397e
add %REQUEST_TX_DURATION% to the access log (#16207)
WeavingGao Apr 29, 2021
5e35ac6
tools: (mostly) enforcing flag alpha order (#16182)
alyssawilk Apr 29, 2021
ba2b536
python: Revert buggy gitpython version (#16156)
phlax Apr 30, 2021
89248b3
wasm: update V8 to v9.1.269.18. (#16220)
PiotrSikora Apr 30, 2021
96f8571
hcm config: Reject filterchains with unmet decode dependencies (#15462)
auni53 Apr 30, 2021
abe2f9b
Config proto for Secure Session Agent (S2A) transport socket extensio…
tavishvaidya Apr 30, 2021
3263859
Typo in test comment and release note (#16245)
Apr 30, 2021
2971bf4
Fix warning in the docs (#16242)
Apr 30, 2021
5886f03
Matcher: add a "not" matcher (#16149)
aguinet Apr 30, 2021
63307f5
wasm: Simplify example config and fix docs (#16142)
phlax Apr 30, 2021
dede3aa
protos: Move simple_http_cache config proto to api (#16230)
phlax May 2, 2021
3910848
docs: add fuzzing improvement report. (#16232)
DavidKorczynski May 2, 2021
722f12a
tls: update BoringSSL to c5ad6dcb (4491). (#16104)
PiotrSikora May 2, 2021
e22e4a1
docs: Remove api v2 (#16077)
phlax May 2, 2021
a058c6e
udp: add new key based hash policy (#15967)
davidkornel May 3, 2021
c86cfb5
Adding distroless image to Envoy CI pipeline (#16268)
oleksiyp May 3, 2021
6a2e112
http3: respecting header number limits (#15970)
alyssawilk May 3, 2021
fc6099e
dns_cache: Remove getCacheManager() (#16273)
RyanTheOptimist May 3, 2021
174e45c
protos: Update style guide to try and prevent redundant imports (#16231)
phlax May 3, 2021
6fdcb5c
thrift_proxy router: fix bug when charging upstream rq_time before (#…
williamsfu99 May 3, 2021
1ca5ca2
docs: Cleanup inline literals (#16280)
phlax May 3, 2021
fe62d97
quiche: make flow control configurable (#15865)
danzh2010 May 3, 2021
15cd9a6
bootstrap/runtime: remove support for v2 bootstrap runtime field. (#1…
htuch May 4, 2021
fcb415e
tools: allow generate_go_protobuf.py to skip syncing with go-control-…
jamesmulcahy May 4, 2021
b9d21f0
access_log: refactored SubstitutionFormatParser::parseCommand (#16121)
cpakulski May 4, 2021
38d1c19
[filter]: Add option to disable fault filter stats that trace downstr…
chaoqin-li1123 May 4, 2021
3e56842
http3: turn up the last upstream tests! (#16279)
alyssawilk May 4, 2021
510873d
quic: fix missing cast in assertions (#16301)
goaway May 4, 2021
3994805
docs: fix type_url for v3.TlsInspector (#16290)
ch-plattner May 4, 2021
595bfcf
alts: Fix TsiSocket doWrite on short writes (#15962)
yihuazhang May 4, 2021
2822463
dependabot: Aggregate updates (#16228)
phlax May 4, 2021
64739c5
udp: log when BPF is not attempted (#16304)
alyssawilk May 4, 2021
40f6662
wasm: fix support for non-cloneable Wasm runtimes. (#16263)
PiotrSikora May 4, 2021
e0b03fe
wasm: fix fail-close streams on VM failure. (#16112)
mathetake May 4, 2021
338b7b7
Win32 docs FAQ (#16176)
May 5, 2021
95bd93e
skywalking: skip gRPC cluster validation by default (#16203)
Shikugawa May 5, 2021
7dc20d4
skywalking: fix string_view UB while span reporting (#16264)
Shikugawa May 5, 2021
efa7c88
http::cache: Adds serving HEAD requests from cache. (#15910)
ekiziv May 5, 2021
0d429a0
remove backtrace (#16285)
danzh2010 May 5, 2021
d512923
api: Fix generated_api_shadow BUILD (#16330)
phlax May 5, 2021
691487d
quic: add support for client-side QUIC 0-RTT (#16260)
DavidSchinazi May 5, 2021
48969ea
listener: allow changing address (#16134)
tbarrella May 5, 2021
f06269d
protos: Readd v2 legacy protos in v3 (#16338)
phlax May 5, 2021
9f2bb17
Support starttls for client connections (#15443)
May 5, 2021
b7ce74e
ext_proc: Support clearing the route cache (#16288)
gbrail May 5, 2021
889769e
test: disabling flaky test (#16341)
alyssawilk May 5, 2021
9d84650
Cleanup: Remove WatermarkBuffer::setWatermarks(low,high). (#16307)
KBaichoo May 5, 2021
0cdd980
test: cleaning up unneeded helpers. (#16334)
alyssawilk May 6, 2021
185e483
http3: improving upstream TLS code (#16281)
alyssawilk May 6, 2021
e72cefd
Record control plane identifier of delta xDS responses in stats (#16256)
yanavlasov May 6, 2021
479b02b
quiche: support connection ID longer than 8 bytes with multiple worke…
danzh2010 May 6, 2021
4c078ed
grid: Use the alternate protocols cache in the grid (#16347)
RyanTheOptimist May 6, 2021
6c672b7
grpc: block stat collection in grpc bridge filter with runtime (#16284)
samrabelachew May 6, 2021
48321c9
Use /c/build/ as HOME consistent with envoy linux docker env (#16368)
wrowe May 7, 2021
e52d5b3
test: temporarily disable RebalancerTest (#16367)
lambdai May 7, 2021
8e7fae9
Listener: fix mixed full listener update and intelligent listener upd…
lambdai May 7, 2021
b91d63b
dependabot: Updates (#16331)
phlax May 7, 2021
01a7a6b
Fix hash inconsistency in srds update (#16295)
chaoqin-li1123 May 7, 2021
a5020ce
lightstep: allow file-less access token option (#16150)
kyessenov May 7, 2021
73ade9a
docs: unhiding HTTP/3 and adding docs (#15926)
alyssawilk May 7, 2021
8d934d1
wasm: implement getMonotonicTimeNanoseconds. (#16352)
mathetake May 7, 2021
46b646c
apple dns: fix interface issue with localhost lookup (#16369)
junr03 May 7, 2021
10c17a7
Fix small typo in http3 docs link (#16382)
howardjohn May 7, 2021
3b96106
windows: Remove various Win32 #ifdefs (#16348)
May 7, 2021
267bed4
logging: Remove unnecessary logging in IoSocketError (#16296)
May 7, 2021
85a8570
protodoc: Add redirects for v2 protos to current version and links to…
phlax May 7, 2021
45ec050
docs: Simplify api build (#16277)
phlax May 9, 2021
93f9d16
remove support for type url downgrade and upgrade conversion (#16372)
chaoqin-li1123 May 10, 2021
9375301
docs: record distroless images (#16359)
daixiang0 May 10, 2021
049bdb3
grid: Rename alternate_protocols_cache.{h,cc} to alternate_protocols_…
RyanTheOptimist May 11, 2021
5afbb4d
docs: Simplify api build (/cont) (#16417)
phlax May 11, 2021
5333b92
Implement handling of escaped slash characters in URL path
yanavlasov Apr 19, 2021
06c8d41
docs: follow up to #15926 (#16421)
alyssawilk May 12, 2021
c24cea7
dependabot: Updates (#16379)
phlax May 12, 2021
b57f187
Document that python3-pip is a build dependency. (#16409)
jpeach May 12, 2021
955f15d
bazel: unify msys (#16394)
daixiang0 May 12, 2021
db06665
docs: Update sphinx (#16413)
phlax May 12, 2021
38cec23
docs: Use repo role for repo links (#16455)
phlax May 12, 2021
55a23b2
bugfix: test fails to build on MacOS due to unused parameters (#16454)
goaway May 12, 2021
aaebda2
matching: disable hcm integration by default (#16387)
snowp May 12, 2021
f97112c
bazel: add --config=docker-asan and --config=remote-tsan. (#16451)
PiotrSikora May 12, 2021
ce071f6
Update rules_apple (#16404)
vladmos May 12, 2021
c784d89
server: avoid flushing while a flush is in progress (#16370)
snowp May 12, 2021
e7ddd61
docs: Fix bootstrap docs version link (#16457)
phlax May 12, 2021
bacffe4
remove trace drivers' dependency on HttpTracerImpl (#16244)
wbpcode May 12, 2021
80e1ca8
aws_request_signing_filter hash payload by default (#15846)
jstewmon May 12, 2021
3f57381
wasm: fix V8 build with --config={docker,remote}-msan. (#16452)
PiotrSikora May 12, 2021
0d3bf7f
test: Removing orphan type_util_test file (#16464)
adisuissa May 12, 2021
ff62ef1
dependabot: Updates (#16459)
phlax May 13, 2021
2443032
Revert "dependabot: Updates (#16459)" (#16483)
phlax May 13, 2021
874fb03
transport_sockets: removed well_known_names.h file (#16164)
daixiang0 May 14, 2021
8c59b6a
Workaround for CI gcc build error with long argument list (#16484)
yanavlasov May 14, 2021
55cfadd
dependabot: Updates (#16485)
phlax May 14, 2021
1f4ca4c
oauth: fix sds update (#16253)
Inode1 May 14, 2021
ae780e2
test: deflake upstream starttls integration test (#16436)
cpakulski May 14, 2021
6be425f
deps: update protobuf to 3.16.0 (#16390)
benjaminp May 16, 2021
beac1ec
HCM: add support for IP detection extensions (#14855)
May 16, 2021
41c1da4
docs: comment config extension (#16406)
daixiang0 May 17, 2021
HCM: add support for IP detection extensions (envoyproxy#14855)
This is a follow-up to:

envoyproxy#14432 (comment)

After that PR, it's no longer possible (unless you do a dynamic_cast)
to set the remote address from a filter. This is something that we
need to do because we have specialized logic for this (XFF doesn't
work for us).

So this adds an extension point which will allow us to push that logic
down to ConnectionManagerUtility::mutateRequestHeaders() where it
belongs.

Signed-off-by: Raul Gutierrez Segales <[email protected]>
Raúl Gutiérrez Segalés authored May 16, 2021

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit beac1ece7512e6e39b4f1c29490e247996a0f51c
3 changes: 3 additions & 0 deletions CODEOWNERS
Original file line number Diff line number Diff line change
@@ -183,3 +183,6 @@ extensions/filters/http/oauth2 @rgs1 @derekargueta @snowp
/*/extensions/filters/common/ext_authz @esmet @gsagula @dio
/*/extensions/filters/http/ext_authz @esmet @gsagula @dio
/*/extensions/filters/network/ext_authz @esmet @gsagula @dio
# Original IP detection
/*/extensions/http/original_ip_detection/custom_header @rgs1 @alyssawilk @antoniovicente
/*/extensions/http/original_ip_detection/xff @rgs1 @alyssawilk @antoniovicente
2 changes: 2 additions & 0 deletions api/BUILD
@@ -245,6 +245,8 @@ proto_library(
"//envoy/extensions/filters/udp/udp_proxy/v3:pkg",
"//envoy/extensions/health_checkers/redis/v3:pkg",
"//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
"//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
"//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
"//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
"//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
"//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
Original file line number Diff line number Diff line change
@@ -6,6 +6,7 @@ licenses(["notice"]) # Apache 2

api_proto_package(
deps = [
"//envoy/annotations:pkg",
"//envoy/config/accesslog/v3:pkg",
"//envoy/config/core/v3:pkg",
"//envoy/config/filter/network/http_connection_manager/v2:pkg",
Original file line number Diff line number Diff line change
@@ -19,6 +19,7 @@ import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";

import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/security.proto";
import "udpa/annotations/status.proto";
@@ -34,7 +35,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
// [#extension: envoy.filters.network.http_connection_manager]

// [#next-free-field: 46]
// [#next-free-field: 47]
message HttpConnectionManager {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@@ -495,7 +496,36 @@ message HttpConnectionManager {
// determining the origin client's IP address. The default is zero if this option
// is not specified. See the documentation for
// :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.
uint32 xff_num_trusted_hops = 19;
//
// .. note::
// This field is deprecated and instead :ref:`original_ip_detection_extensions
// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`
// should be used to configure the :ref:`xff extension <envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffConfig>`
// to configure IP detection using the :ref:`config_http_conn_man_headers_x-forwarded-for` header. To replace
// this field use a config like the following:
//
// .. code-block:: yaml
//
// original_ip_detection_extensions:
// typed_config:
// "@type": type.googleapis.com/envoy.extensions.http.original_ip_detection.xff.v3.XffConfig
// xff_num_trusted_hops: 1
//
uint32 xff_num_trusted_hops = 19
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

// The configuration for the original IP detection extensions.
//
// When configured the extensions will be called along with the request headers
// and information about the downstream connection, such as the directly connected address.
// Each extension will then use these parameters to decide the request's effective remote address.
// If an extension fails to detect the original IP address and isn't configured to reject
// the request, the HCM will try the remaining extensions until one succeeds or rejects
// the request. If the request isn't rejected nor any extension succeeds, the HCM will
// fallback to using the remote address.
//
// [#extension-category: envoy.http.original_ip_detection]
repeated config.core.v3.TypedExtensionConfig original_ip_detection_extensions = 46;

// Configures what network addresses are considered internal for stats and header sanitation
// purposes. If unspecified, only RFC1918 IP addresses will be considered internal.
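Review bot: the YAML example in the deprecation note for `xff_num_trusted_hops` omits the `name` field of the list element, yet the new field is declared as `repeated config.core.v3.TypedExtensionConfig original_ip_detection_extensions = 46;`. Add a `name:` line (the extension name declared in xff.proto is `envoy.http.original_ip_detection.xff`) so the migration snippet is copy-pasteable. The field comment should also state what happens when an operator sets both the deprecated `xff_num_trusted_hops` and an `original_ip_detection_extensions` entry during migration (which wins, or whether the config is rejected), and the fallback sentence reads more clearly as "If no extension succeeds and the request is not rejected, the HCM falls back to the remote address."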

Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.

load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")

licenses(["notice"]) # Apache 2

api_proto_package(
deps = [
"//envoy/type/v3:pkg",
"@com_github_cncf_udpa//udpa/annotations:pkg",
],
)
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
syntax = "proto3";

package envoy.extensions.http.original_ip_detection.custom_header.v3;

import "envoy/type/v3/http_status.proto";

import "udpa/annotations/status.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.extensions.http.original_ip_detection.custom_header.v3";
option java_outer_classname = "CustomHeaderProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: Custom header original IP detection extension]

// This extension allows for the original downstream remote IP to be detected
// by reading the value from a configured header name. If the value is successfully parsed
// as an IP, it'll be treated as the effective downstream remote address and seen as such
// by all filters. See :ref:`original_ip_detection_extensions
// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`
// for an overview of how extensions operate and what happens when an extension fails
// to detect the remote IP.
//
// [#extension: envoy.http.original_ip_detection.custom_header]
message CustomHeaderConfig {
// The header name containing the original downstream remote address, if present.
//
// Note: in the case of a multi-valued header, only the first value is tried and the rest are ignored.
string header_name = 1
[(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: true}];

// If set to true, the extension could decide that the detected address should be treated as
// trusted by the HCM. If the address is considered :ref:`trusted<config_http_conn_man_headers_x-forwarded-for_trusted_client_address>`,
// it might be used as input to determine if the request is internal (among other things).
bool allow_extension_to_set_address_as_trusted = 2;

// If this is set, the request will be rejected when detection fails using it as the HTTP response status.
//
// .. note::
// If this is set to < 400 or > 511, the default status 403 will be used instead.
type.v3.HttpStatus reject_with_status = 3;
}
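Review bot: the comment on `allow_extension_to_set_address_as_trusted` does not say under which conditions the extension decides the detected address is trusted, and since the value is read straight from a request header, the docstring should state that this flag is only safe when a trusted hop in front of Envoy strips or overwrites the configured header; otherwise a client-supplied value could end up being used to classify the request as internal, which the comment itself names as a consequence. Separately, `reject_with_status` silently substitutes 403 for values outside 400..511; a validate rule on the field, or rejecting the config at load time, would surface the misconfiguration earlier than a per-request fallback.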
9 changes: 9 additions & 0 deletions api/envoy/extensions/http/original_ip_detection/xff/v3/BUILD
@@ -0,0 +1,9 @@
# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.

load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")

licenses(["notice"]) # Apache 2

api_proto_package(
deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
)
25 changes: 25 additions & 0 deletions api/envoy/extensions/http/original_ip_detection/xff/v3/xff.proto
@@ -0,0 +1,25 @@
syntax = "proto3";

package envoy.extensions.http.original_ip_detection.xff.v3;

import "udpa/annotations/status.proto";

option java_package = "io.envoyproxy.envoy.extensions.http.original_ip_detection.xff.v3";
option java_outer_classname = "XffProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: XFF original IP detection extension]

// This extension allows for the original downstream remote IP to be detected
// by reading the :ref:`config_http_conn_man_headers_x-forwarded-for` header.
//
// [#extension: envoy.http.original_ip_detection.xff]
message XffConfig {
// The number of additional ingress proxy hops from the right side of the
// :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
// determining the origin client's IP address. The default is zero if this option
// is not specified. See the documentation for
// :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.
uint32 xff_num_trusted_hops = 1;
}
2 changes: 2 additions & 0 deletions api/versioning/BUILD
@@ -128,6 +128,8 @@ proto_library(
"//envoy/extensions/filters/udp/udp_proxy/v3:pkg",
"//envoy/extensions/health_checkers/redis/v3:pkg",
"//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
"//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
"//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
"//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
"//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
"//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
1 change: 1 addition & 0 deletions bazel/envoy_library.bzl
@@ -84,6 +84,7 @@ EXTENSION_CATEGORIES = [
"envoy.http.stateful_header_formatters",
"envoy.internal_redirect_predicates",
"envoy.io_socket",
"envoy.http.original_ip_detection",
"envoy.matching.common_inputs",
"envoy.matching.input_matchers",
"envoy.rate_limit_descriptors",
1 change: 1 addition & 0 deletions docs/root/api-v3/config/config.rst
@@ -27,3 +27,4 @@ Extensions
descriptors/descriptors
request_id/request_id
http/header_formatters
http/original_ip_detection
8 changes: 8 additions & 0 deletions docs/root/api-v3/config/http/original_ip_detection.rst
@@ -0,0 +1,8 @@
Original IP Detection
=====================

.. toctree::
:glob:
:maxdepth: 2

../../extensions/http/original_ip_detection/*/v3/*
11 changes: 8 additions & 3 deletions docs/root/configuration/http/http_conn_man/headers.rst
@@ -189,7 +189,9 @@ Given an HTTP request that has traveled through a series of zero or more proxies
Envoy, the trusted client address is the earliest source IP address that is known to be
accurate. The source IP address of the immediate downstream node's connection to Envoy is
trusted. XFF *sometimes* can be trusted. Malicious clients can forge XFF, but the last
address in XFF can be trusted if it was put there by a trusted proxy.
address in XFF can be trusted if it was put there by a trusted proxy. Alternatively, Envoy
supports :ref:`extensions <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`
for determining the *trusted client address* or original IP address.

Envoy's default rules for determining the trusted client address (*before* appending anything
to XFF) are:
@@ -200,8 +202,11 @@ to XFF) are:
node's connection to Envoy.

In an environment where there are one or more trusted proxies in front of an edge
Envoy instance, the *xff_num_trusted_hops* configuration option can be used to trust
additional addresses from XFF:
Envoy instance, the :ref:`XFF extension <envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffConfig>`
can be configured via the :ref:`original_ip_detection_extensions field
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`
to set the *xff_num_trusted_hops* option which controls the number of additional
addresses that are to be trusted:

* If *use_remote_address* is false and *xff_num_trusted_hops* is set to a value *N* that is
greater than zero, the trusted client address is the (N+1)th address from the right end
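Review bot: the bullet that follows ("If *use_remote_address* is false and *xff_num_trusted_hops* is set to a value *N* ...") still reads as documentation of the now-deprecated HCM field. Since the paragraph above now points operators at `XffConfig`, say that the rules below apply to the extension's *xff_num_trusted_hops* and state whether *use_remote_address* still gates the extension; otherwise a reader cannot tell which of the two settings the rule describes.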
Original file line number Diff line number Diff line change
@@ -35,6 +35,7 @@ Below are the list of reasons the HttpConnectionManager or Router filter may sen
missing_path_rejected, The request was rejected due to a missing Path or :path header field.
no_healthy_upstream, The request was rejected by the router filter because there was no healthy upstream found.
overload, The request was rejected due to the Overload Manager reaching configured resource limits.
original_ip_detection_failed, The request was rejected because the original IP couldn't be detected.
path_normalization_failed, "The request was rejected because path normalization was configured on and failed, probably due to an invalid path."
request_headers_failed_strict_check, The request was rejected due to x-envoy-* headers failing strict header validation.
request_overall_timeout, The per-stream total request timeout was exceeded.
1 change: 1 addition & 0 deletions docs/root/configuration/http/http_conn_man/stats.rst
@@ -45,6 +45,7 @@ statistics:
downstream_rq_http2_total, Counter, Total HTTP/2 requests
downstream_rq_http3_total, Counter, Total HTTP/3 requests
downstream_rq_active, Gauge, Total active requests
downstream_rq_rejected_via_ip_detection, Counter, Total requests rejected because the original IP detection failed
downstream_rq_response_before_rq_complete, Counter, Total responses sent before the request was complete
downstream_rq_rx_reset, Counter, Total request resets received
downstream_rq_tx_reset, Counter, Total request resets sent
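Review bot: the description of downstream_rq_rejected_via_ip_detection should cross-reference the matching response code detail (original_ip_detection_failed, added in this PR) so the counter and the rejected responses can be correlated in triage; the two names use different wording ("rejected_via_ip_detection" versus "original_ip_detection_failed"), which is worth spelling out in the text even if the identifiers stay as they are.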
@@ -20,6 +20,14 @@ called the *downstream remote address*, for many reasons. Some examples include:
Envoy supports multiple methods for providing the downstream remote address to the upstream host.
These techniques vary in complexity and applicability.

Envoy also supports
:ref:`extensions <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`
for detecting the original IP address. This might be useful if none of the techniques below is
applicable to your setup. Two available extensions are the :ref:`custom header
<envoy_v3_api_msg_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig>`
extension and the :ref:`xff <envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffConfig>`
extension.

HTTP Headers
------------

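Review bot: minor style point: the extension is called "xff" here but "XFF extension" in the headers.rst hunk of this PR; pick one capitalisation. Since the XFF extension replaces the xff_num_trusted_hops setting documented further down this page, the new paragraph should say so, because that setting is what most readers of this page will be migrating from.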
5 changes: 5 additions & 0 deletions docs/root/version_history/current.rst
@@ -61,6 +61,9 @@ Removed Config or Runtime
New Features
------------

* http: added support for :ref:`original IP detection extensions<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`.
Two initial extensions were added, the :ref:`custom header <envoy_v3_api_msg_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig>` extension and the
:ref:`xff <envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffConfig>` extension.
* http: added the ability to :ref:`unescape slash sequences<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_with_escaped_slashes_action>` in the path. Requests with unescaped slashes can be proxied, rejected or redirected to the new unescaped path. By default this feature is disabled. The default behavior can be overridden through :ref:`http_connection_manager.path_with_escaped_slashes_action<config_http_conn_man_runtime_path_with_escaped_slashes_action>` runtime variable. This action can be selectively enabled for a portion of requests by setting the :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling<config_http_conn_man_runtime_path_with_escaped_slashes_action_enabled>` runtime variable.
* http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options <envoy_v3_api_field_config.listener.v3.UdpListenerConfig.quic_options>` for downstream and the new http3_protocol_options in :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` for upstream HTTP/3.
* listener: added ability to change an existing listener's address.
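Review bot: the new-feature entry for original IP detection extensions should mention, or link to the Deprecated entry for, the deprecation of xff_num_trusted_hops on the connection manager, so readers of the New Features section alone learn that a migration is expected. The HTTP/3 and listener lines are unchanged context and need no change.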
@@ -69,3 +72,5 @@ New Features

Deprecated
----------

* http: :ref:`xff_num_trusted_hops <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.xff_num_trusted_hops>` is deprecated in favor of :ref:`original IP detection extensions<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`.
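Review bot: because the extension's field shares the name xff_num_trusted_hops with the deprecated HttpConnectionManager field, the deprecation note should state explicitly that the equivalent setting now lives on XffConfig; as written, the entry reads as if the knob is going away entirely rather than moving.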
2 changes: 2 additions & 0 deletions generated_api_shadow/BUILD
@@ -245,6 +245,8 @@ proto_library(
"//envoy/extensions/filters/udp/udp_proxy/v3:pkg",
"//envoy/extensions/health_checkers/redis/v3:pkg",
"//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
"//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
"//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
"//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
"//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
"//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",