Support for disabling xff header append

[luvk1412]

EG by default sets use-remote-address to true currently at https://github.com/envoyproxy/gateway/blob/14f687fb4fd18b98de654d22119f4e4bd10a71e2/internal/xds/translator/listener.go#L242 while in envoy this is false by default. My understanding is that as eg is supposed to be the first L7 layer for downstream traffic, hence this has been set to true.

However in our use case eg is not the first L7 layer, rather its aws ALB due to which ALB private ip gets appended to xff header which we don't want. Hence we want this to be false or an option to set skip_xff_append to true. So it would be nice to have an api to set above two fields.

For anyone else facing the same issue for now you can use below jsonPatch in EnvoyPatchPolicy:

  jsonPatches:
    - type: "type.googleapis.com/envoy.config.listener.v3.Listener"
      # The listener name is of the form <GatewayNamespace>/<GatewayName>/<GatewayListenerName>
      name: staging/eg-staging/http
      operation:
        op: add
        path: "/default_filter_chain/filters/0/typed_config/skip_xff_append"
        value: true

[arkodg]

is this because the upstream is expecting a single value in XFF or unable to parse the XFF ?

[luvk1412]

upstream doesn't want trusted values in XFF, basically the values which are of our infra, @arkodg. Upstreams can parse, but the logic that right most has to be ignored has to be added in all upstreams.