Open achetronic opened 2 weeks ago
cc @yaelharel @yanavlasov (rbac) @mpwarres (wasm)
Hi @nezdolik @mpwarres @yaelharel @yanavlasov any update on this? :)
The order is respected. The issue is that "original IP detection" logic is executed only once, early in `decodeHeaders`, before either of the filters runs. So changing the header has no impact on what RBAC reads as the original IP. You need to see a custom filter state or metadata to match instead in the RBAC.
Hi @kyessenov thank you for your explanation on this topic :)
Then there is no way to check a CIDR coming from a header in RBAC? I mean, as a workaround I did this, but this only checks specific IPs, of course, and I would like to check entire CIDRs in RBAC.
Is there a kind of plugin (instead of WASM or something) to be able to change this? A .so or something that I can do?
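The reply above points at matching on custom filter state or metadata instead of the detected original IP. The CIDR decision itself then has to happen in the filter that reads the header. The Go function below is an added example, not code from this thread or from the plugin: it turns the value of `x-real-client-ip` into a fixed verdict string that a filter could publish for an exact match in RBAC. `ClientIPVerdict`, `allowedCIDRs`, the verdict strings and the sample ranges are hypothetical, and the Envoy wiring is not shown.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// allowedCIDRs is a constructed sample allow-list (documentation ranges only).
var allowedCIDRs = []netip.Prefix{
	netip.MustParsePrefix("203.0.113.0/24"),
	netip.MustParsePrefix("2001:db8::/32"),
}

// ClientIPVerdict maps the raw header value to "allow" or "deny".
// Assumption: the header carries exactly one IP address. Anything else
// (empty, a list, host:port, garbage, zoned address) fails closed.
func ClientIPVerdict(headerValue string) string {
	v := strings.TrimSpace(headerValue)
	if v == "" || strings.Contains(v, ",") {
		return "deny" // lists are ambiguous about which hop to trust
	}
	addr, err := netip.ParseAddr(v)
	if err != nil {
		return "deny"
	}
	// Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is compared
	// against IPv4 prefixes instead of silently missing them.
	addr = addr.Unmap()
	for _, p := range allowedCIDRs {
		// Contains returns false for zoned addresses and family mismatches.
		if p.Contains(addr) {
			return "allow"
		}
	}
	return "deny"
}

func main() {
	// Constructed sample header values.
	for _, h := range []string{"203.0.113.7", "198.51.100.4", "203.0.113.7, 198.51.100.4"} {
		fmt.Printf("%q -> %s\n", h, ClientIPVerdict(h))
	}
}
```

RBAC then only needs an exact string comparison against the published verdict, so the CIDR list lives in one place.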
Title: http_filters is not respecting the order between WASM and RBAC
Description:
I have created a WASM plugin to override (or create) some custom header. This plugin is publicly accessible just in case you want to inspect all the work, or replicate something
The configuration inside http_filters is done as follows:
The mission is to configure Envoy to trust a custom header as follows to use RBAC based on a custom header which has been modified by the WASM plugin, respecting the previous order:
The problem is when I pass `x-forwarded-for` AND `x-real-client-ip`, RBAC is using the custom one as expected, but when I don't pass the custom header, and only `x-forwarded-for`, my plugin is creating the custom header with the expected value, but the RBAC filter is ignoring it and using values from `x-forwarded-for` to evaluate RBAC, even when my plugin is performed first in the filter chain, or at least, it should 🥲

Repro steps:
The whole config here: