search

envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0
25.07k stars 4.82k forks source link

problem of current edge request and internal request determination #36971

Open wbpcode opened 2 weeks ago

wbpcode commented 2 weeks ago

Title: problem of exist edge request and internal request determination

Description:

This is a feature has almost same lifetime with the Envoy self. But I think there are some problem in this feature:

  1. A request will be determined as edge request only when the use_remote_address is enabled. But today, the original_ip_detection_extensions may be used as alternative of use_remote_address.
  2. If there are multiple hop proxies and use_remote_address is used, the requests will always be treated as external requests except in the first hop.
  3. If use_remote_address is used in a inner proxy, some requests may be determined as edge request incorrectly.

[optional Relevant Links:]

Any extra documentation required to understand the issue.

wbpcode commented 2 weeks ago

I think may be an explicit flag to tell if the envoy is front envoy or not would be better. And use the internal_address_config as the unique approach to determine whether a request is trust request. (The allow_trusted_address_checks flag just make things more complex and hybrid the original ip dectection and trust ip detection. Considering the #36643, I didn't see the value of that.)

wbpcode commented 2 weeks ago

I know it may be impossible or very hard to change this, because this feature has very very long history. But anyway, I record its problems here for discussion or reference.

wbpcode commented 2 weeks ago

cc @mattklein123

KBaichoo commented 2 weeks ago

cc @alyssawilk