Closed Patrick0308 closed 1 year ago
Bug description when request has XFF(x-forward-for) headers , access log's downstream_remote_address will be not client's address. Please use downstream_direct_remote_address rather than downstream_remote_address. See document: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage
A request's inbound log which has a x-forward-for header :
{ common_properties: { downstream_remote_address: { socket_address: { address: "10.121.31.97" port_value: 0 } } downstream_local_address: { socket_address: { address: "172.22.235.222" port_value: 80 } } tls_properties: { tls_version: TLSv1_2 tls_cipher_suite: { value: 49200 } tls_sni_hostname: "outbound_.80_._.global-sidecar.mesh-operator.svc.cluster.local" local_certificate_properties: { subject_alt_name: { uri: "spiffe://cluster.local/ns/mesh-operator/sa/global-sidecar" } } peer_certificate_properties: { subject_alt_name: { uri: "spiffe://cluster.local/ns/core/sa/default" } } } start_time: { seconds: 1684293776 nanos: 524642000 } time_to_last_rx_byte: { nanos: 1351667 } time_to_first_upstream_tx_byte: { nanos: 1236279 } time_to_last_upstream_tx_byte: { nanos: 1359406 } time_to_first_upstream_rx_byte: { nanos: 19913803 } time_to_last_upstream_rx_byte: { nanos: 20058379 } time_to_first_downstream_tx_byte: { nanos: 19992116 } time_to_last_downstream_tx_byte: { nanos: 20076023 } upstream_remote_address: { socket_address: { address: "172.22.235.222" port_value: 80 } } upstream_local_address: { socket_address: { address: "127.0.0.6" port_value: 46901 } } upstream_cluster: "inbound|80||" route_name: "default" downstream_direct_remote_address: { socket_address: { address: "172.22.169.50" port_value: 48166 } } } protocol_version: HTTP2 request: { request_method: POST scheme: "http" authority: "lb-doraemon-featureflag.skopos" path: "/lb.doraemon.featureflag.FeatureFlagService/AllFeatureFlags" user_agent: "grpc-go/1.45.0" referer: "https://inner-gw.longbridge.xyz/call" forwarded_for: "121.43.162.243, 10.121.31.97" request_id: "6eca82ea-b691-4e94-b91e-22959e7fefff" request_headers_bytes: 3214 request_body_bytes: 5 } response: { response_code: { value: 200 } response_headers_bytes: 1576 response_body_bytes: 15188 response_code_details: "via_upstream" } } log_entry: { common_properties: { downstream_remote_address: { socket_address: { address: "10.121.31.97" port_value: 0 } } downstream_local_address: { socket_address: { address: "172.22.235.222" port_value: 80 } } tls_properties: { tls_version: TLSv1_2 tls_cipher_suite: { value: 49200 } tls_sni_hostname: "outbound_.80_._.global-sidecar.mesh-operator.svc.cluster.local" local_certificate_properties: { subject_alt_name: { uri: "spiffe://cluster.local/ns/mesh-operator/sa/global-sidecar" } } peer_certificate_properties: { subject_alt_name: { uri: "spiffe://cluster.local/ns/core/sa/default" } } } start_time: { seconds: 1684293776 nanos: 524642000 } time_to_last_rx_byte: { nanos: 1351667 } time_to_first_upstream_tx_byte: { nanos: 1236279 } time_to_last_upstream_tx_byte: { nanos: 1359406 } time_to_first_upstream_rx_byte: { nanos: 19913803 } time_to_last_upstream_rx_byte: { nanos: 20058379 } time_to_first_downstream_tx_byte: { nanos: 19992116 } time_to_last_downstream_tx_byte: { nanos: 20076023 } upstream_remote_address: { socket_address: { address: "172.22.235.222" port_value: 80 } } upstream_local_address: { socket_address: { address: "127.0.0.6" port_value: 46901 } } upstream_cluster: "inbound|80||" route_name: "default" downstream_direct_remote_address: { socket_address: { address: "172.22.169.50" port_value: 48166 } } } protocol_version: HTTP2 request: { request_method: POST scheme: "http" authority: "lb-doraemon-featureflag.skopos" path: "/lb.doraemon.featureflag.FeatureFlagService/AllFeatureFlags" user_agent: "grpc-go/1.45.0" referer: "https://inner-gw.longbridge.xyz/call" forwarded_for: "121.43.162.243, 10.121.31.97" request_id: "6eca82ea-b691-4e94-b91e-22959e7fefff" request_headers_bytes: 3214 request_body_bytes: 5 } response: { response_code: { value: 200 } response_headers_bytes: 1576 response_body_bytes: 15188 response_code_details: "via_upstream" } }
10.121.31.97 is a host ip rather than pod ip. 172.22.169.50 is client pod ip.
Affected sub-moudle (please put an X in all that apply)
[x] Configuration Lazy Loading [ ] Http Plugin Management [ ] Adaptive Ratelimit [ ] Slime Boot
Steps to reproduce the bug
we will verify and fix it soon
Bug description when request has XFF(x-forward-for) headers , access log's downstream_remote_address will be not client's address. Please use downstream_direct_remote_address rather than downstream_remote_address. See document: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage
A request's inbound log which has a x-forward-for header :
10.121.31.97 is a host ip rather than pod ip. 172.22.169.50 is client pod ip.
Affected sub-moudle (please put an X in all that apply)
[x] Configuration Lazy Loading [ ] Http Plugin Management [ ] Adaptive Ratelimit [ ] Slime Boot
Steps to reproduce the bug