slime-io / slime

An intelligent ServiceMesh manager based on Istio
https://slime-io.github.io/

When request has XFF header, lazyload not process access log correctly. #367

Closed Patrick0308 closed 1 year ago

Patrick0308 commented 1 year ago

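Bug description: When a request has an XFF (x-forwarded-for) header, the access log's downstream_remote_address is not the client's address. Envoy may infer downstream_remote_address from proxy protocol or from the x-forwarded-for header, which is a value carried in the request, whereas downstream_direct_remote_address is always the physical peer address of the connection. Please use downstream_direct_remote_address rather than downstream_remote_address. See the documentation: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage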

The inbound access log of a request that has an x-forwarded-for header:

{
    common_properties: {
        downstream_remote_address: {
            socket_address: {
                address: "10.121.31.97"
                port_value: 0
            }
        }
        downstream_local_address: {
            socket_address: {
                address: "172.22.235.222"
                port_value: 80
            }
        }
        tls_properties: {
            tls_version: TLSv1_2 tls_cipher_suite: {
                value: 49200
            }
            tls_sni_hostname: "outbound_.80_._.global-sidecar.mesh-operator.svc.cluster.local"
            local_certificate_properties: {
                subject_alt_name: {
                    uri: "spiffe://cluster.local/ns/mesh-operator/sa/global-sidecar"
                }
            }
            peer_certificate_properties: {
                subject_alt_name: {
                    uri: "spiffe://cluster.local/ns/core/sa/default"
                }
            }
        }
        start_time: {
            seconds: 1684293776 nanos: 524642000
        }
        time_to_last_rx_byte: {
            nanos: 1351667
        }
        time_to_first_upstream_tx_byte: {
            nanos: 1236279
        }
        time_to_last_upstream_tx_byte: {
            nanos: 1359406
        }
        time_to_first_upstream_rx_byte: {
            nanos: 19913803
        }
        time_to_last_upstream_rx_byte: {
            nanos: 20058379
        }
        time_to_first_downstream_tx_byte: {
            nanos: 19992116
        }
        time_to_last_downstream_tx_byte: {
            nanos: 20076023
        }
        upstream_remote_address: {
            socket_address: {
                address: "172.22.235.222"
                port_value: 80
            }
        }
        upstream_local_address: {
            socket_address: {
                address: "127.0.0.6"
                port_value: 46901
            }
        }
        upstream_cluster: "inbound|80||"
        route_name: "default"
        downstream_direct_remote_address: {
            socket_address: {
                address: "172.22.169.50"
                port_value: 48166
            }
        }
    }
    protocol_version: HTTP2 request: {
        request_method: POST scheme: "http"
        authority: "lb-doraemon-featureflag.skopos"
        path: "/lb.doraemon.featureflag.FeatureFlagService/AllFeatureFlags"
        user_agent: "grpc-go/1.45.0"
        referer: "https://inner-gw.longbridge.xyz/call"
        forwarded_for: "121.43.162.243, 10.121.31.97"
        request_id: "6eca82ea-b691-4e94-b91e-22959e7fefff"
        request_headers_bytes: 3214 request_body_bytes: 5
    }
    response: {
        response_code: {
            value: 200
        }
        response_headers_bytes: 1576 response_body_bytes: 15188 response_code_details: "via_upstream"
    }
}
log_entry: {
    common_properties: {
        downstream_remote_address: {
            socket_address: {
                address: "10.121.31.97"
                port_value: 0
            }
        }
        downstream_local_address: {
            socket_address: {
                address: "172.22.235.222"
                port_value: 80
            }
        }
        tls_properties: {
            tls_version: TLSv1_2 tls_cipher_suite: {
                value: 49200
            }
            tls_sni_hostname: "outbound_.80_._.global-sidecar.mesh-operator.svc.cluster.local"
            local_certificate_properties: {
                subject_alt_name: {
                    uri: "spiffe://cluster.local/ns/mesh-operator/sa/global-sidecar"
                }
            }
            peer_certificate_properties: {
                subject_alt_name: {
                    uri: "spiffe://cluster.local/ns/core/sa/default"
                }
            }
        }
        start_time: {
            seconds: 1684293776 nanos: 524642000
        }
        time_to_last_rx_byte: {
            nanos: 1351667
        }
        time_to_first_upstream_tx_byte: {
            nanos: 1236279
        }
        time_to_last_upstream_tx_byte: {
            nanos: 1359406
        }
        time_to_first_upstream_rx_byte: {
            nanos: 19913803
        }
        time_to_last_upstream_rx_byte: {
            nanos: 20058379
        }
        time_to_first_downstream_tx_byte: {
            nanos: 19992116
        }
        time_to_last_downstream_tx_byte: {
            nanos: 20076023
        }
        upstream_remote_address: {
            socket_address: {
                address: "172.22.235.222"
                port_value: 80
            }
        }
        upstream_local_address: {
            socket_address: {
                address: "127.0.0.6"
                port_value: 46901
            }
        }
        upstream_cluster: "inbound|80||"
        route_name: "default"
        downstream_direct_remote_address: {
            socket_address: {
                address: "172.22.169.50"
                port_value: 48166
            }
        }
    }
    protocol_version: HTTP2 request: {
        request_method: POST scheme: "http"
        authority: "lb-doraemon-featureflag.skopos"
        path: "/lb.doraemon.featureflag.FeatureFlagService/AllFeatureFlags"
        user_agent: "grpc-go/1.45.0"
        referer: "https://inner-gw.longbridge.xyz/call"
        forwarded_for: "121.43.162.243, 10.121.31.97"
        request_id: "6eca82ea-b691-4e94-b91e-22959e7fefff"
        request_headers_bytes: 3214 request_body_bytes: 5
    }
    response: {
        response_code: {
            value: 200
        }
        response_headers_bytes: 1576 response_body_bytes: 15188 response_code_details: "via_upstream"
    }
}

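10.121.31.97 (logged as downstream_remote_address, and the last entry in forwarded_for) is a host IP rather than a pod IP. 172.22.169.50 (logged as downstream_direct_remote_address) is the client pod IP.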

Affected sub-module (please put an X in all that apply)

[x] Configuration Lazy Loading [ ] Http Plugin Management [ ] Adaptive Ratelimit [ ] Slime Boot

Steps to reproduce the bug

MouceL commented 1 year ago

We will verify and fix it soon.