Open luvk1412 opened 1 week ago
is this because the upstream is expecting a single value in XFF or unable to parse the XFF ?
upstream doesn't want trusted values in XFF, basically the values which are of our infra, @arkodg. Upstreams can parse, but the logic that right most has to be ignored has to be added in all upstreams.
EG by default sets use-remote-address to
true
currently at https://github.com/envoyproxy/gateway/blob/14f687fb4fd18b98de654d22119f4e4bd10a71e2/internal/xds/translator/listener.go#L242 while in envoy this isfalse
by default. My understanding is that as eg is supposed to be the first L7 layer for downstream traffic, hence this has been set totrue
.However in our use case eg is not the first L7 layer, rather its aws ALB due to which ALB private ip gets appended to xff header which we don't want. Hence we want this to be
false
or an option to setskip_xff_append
totrue
. So it would be nice to have an api to set above two fields.For anyone else facing the same issue for now you can use below
jsonPatch
inEnvoyPatchPolicy
: