Open zhaohuabing opened 1 month ago
cc @alyssawilk
Are you setting use remote address in both cases? AFAIK, if you set num hops = 2 through either method, it should be using exactly the same code.
@alyssawilk
The inconsistency seems to come from the code below. Even though they call the same function, the input parameters are different: xff_num_trustedhops vs xff_num_trusted_hops -1:
It seems that there is an inconsistency between the two approaches of getting remote IP from the XFF header.
The same request:
With this configuration
The remoteIP is 10.0.0.4:0, the third rightmost IP, as the following log shows:
But with this configuration:
The remoteIP is 10.0.2.1, the second rightmost IP, as the following log shows:
According to the Envoy docs, the correct xxfNumTrustedHops should be 2 here.
The inconsistency seems to come from:
https://github.com/envoyproxy/envoy/blob/b65de1f56850326e1c6b74aa72cb1c9777441065/source/extensions/http/original_ip_detection/xff/xff.cc#L21
https://github.com/envoyproxy/envoy/blob/b65de1f56850326e1c6b74aa72cb1c9777441065/source/common/http/conn_manager_utility.cc#L128
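The off-by-one described in this issue, as an added illustration that is not part of the original thread and is not Envoy's code: the same right-to-left selection over an X-Forwarded-For value returns a different entry when it is asked to skip N entries versus N - 1. `splitXff`, `addressFromRight` and the sample header are hypothetical and constructed; only the two addresses 10.0.0.4 and 10.0.2.1 are taken from the issue.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed sample header: only 10.0.0.4 and 10.0.2.1 come from the issue.
const std::string kSampleXff = "198.51.100.7, 10.0.0.4, 10.0.2.1, 10.0.1.9";

// Split an X-Forwarded-For value on commas, trimming spaces and dropping empty items.
std::vector<std::string> splitXff(const std::string& xff) {
  std::vector<std::string> hops;
  size_t start = 0;
  while (start <= xff.size()) {
    size_t comma = xff.find(',', start);
    if (comma == std::string::npos) comma = xff.size();
    const std::string item = xff.substr(start, comma - start);
    const size_t first = item.find_first_not_of(" \t");
    if (first != std::string::npos) {
      const size_t last = item.find_last_not_of(" \t");
      hops.push_back(item.substr(first, last - first + 1));
    }
    start = comma + 1;
  }
  return hops;
}

// Hypothetical helper: entry reached after skipping `num_to_skip` entries from
// the right. Returns "" when the header is too short, so a caller can fall back
// to the connection's peer address instead of trusting a client-supplied entry.
std::string addressFromRight(const std::string& xff, size_t num_to_skip) {
  const std::vector<std::string> hops = splitXff(xff);
  if (hops.size() <= num_to_skip) return "";
  return hops[hops.size() - 1 - num_to_skip];
}

int main() {
  const size_t trusted_hops = 2;  // value used in the issue
  std::cout << "skip N:     " << addressFromRight(kSampleXff, trusted_hops) << "\n";
  std::cout << "skip N - 1: " << addressFromRight(kSampleXff, trusted_hops - 1) << "\n";
  return 0;
}
```

Because the selected entry feeds IP-based access control, rate limiting and logging, a regression test that pins the expected entry for a fixed header and hop count under each configuration path will catch this kind of divergence.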