XFF original IP detection extension (proto)

extensions.http.original_ip_detection.xff.v3.XffConfig

[extensions.http.original_ip_detection.xff.v3.XffConfig proto]

This extension allows for the original downstream remote IP to be detected by reading the x-forwarded-for header.

This extension has the qualified name envoy.http.original_ip_detection.xff

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

{
  "xff_num_trusted_hops": ...,
  "xff_trusted_cidrs": {...},
  "skip_xff_append": {...}
}

xff_num_trusted_hops

(uint32) The number of additional ingress proxy hops from the right side of the x-forwarded-for HTTP header to trust when determining the origin client’s IP address. The default is zero if this option is not specified. See the documentation for x-forwarded-for for more information.

Only one of xff_num_trusted_hops and xff_trusted_cidrs can be set.

xff_trusted_cidrs

(extensions.http.original_ip_detection.xff.v3.XffTrustedCidrs) The CIDR ranges to trust when evaluating the remote IP address to determine the original client’s IP address. This is used instead of use_remote_address. When the remote IP address matches a trusted CIDR and the x-forwarded-for header was sent, each entry in the x-forwarded-for header is evaluated from right to left and the first public non-trusted address is used as the original client address. If all addresses in x-forwarded-for are within the trusted list, the first (leftmost) entry is used.

This is typically used when requests are proxied by a CDN.

Only one of xff_num_trusted_hops and xff_trusted_cidrs can be set.
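The two selection rules above (xff_num_trusted_hops counting from the right, xff_trusted_cidrs walking right to left past trusted and non-public entries) are restated here as a small Python model with constructed headers. This is an added illustration for this page, not Envoy's code: the "non-public" address set and the None result for a too-short header are this model's assumptions.

```python
import ipaddress

# Approximation of "non-public" used by this model (RFC 1918, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def split_xff(header):
    """Split an x-forwarded-for value into its entries, left (oldest) to right."""
    return [e.strip() for e in (header or "").split(",") if e.strip()]

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def detect_by_hops(xff_header, xff_num_trusted_hops):
    """xff_num_trusted_hops mode: skip that many entries from the right of the
    header and take the next one. Returns None when the header is missing or too
    short, i.e. no address is detected (modelled behaviour, see lead-in)."""
    entries = split_xff(xff_header)
    idx = len(entries) - 1 - xff_num_trusted_hops
    return entries[idx] if idx >= 0 else None

def detect_by_cidrs(remote_addr, xff_header, trusted_cidrs):
    """xff_trusted_cidrs mode as described above: consult the header only when the
    remote address is trusted, walk it right to left and return the first public,
    non-trusted entry; if every entry is trusted, use the leftmost one."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    entries = split_xff(xff_header)
    if not in_any(remote_addr, trusted) or not entries:
        return remote_addr  # untrusted peer or no header: the peer is the client
    for e in reversed(entries):
        if not in_any(e, trusted) and not in_any(e, NON_PUBLIC):
            return e
    return entries[0]

if __name__ == "__main__":
    # Constructed scenario: the client at 203.0.113.7 sends a header that already
    # carries a forged entry; the trusted CDN node 192.0.2.20 appends the real
    # client address and then connects to Envoy.
    forged = "198.51.100.99, 203.0.113.7"
    print(detect_by_hops(forged, 0))                                # 203.0.113.7
    print(detect_by_cidrs("192.0.2.20", forged, ["192.0.2.0/24"]))  # 203.0.113.7
    print(detect_by_hops(forged, 5))                                # None
```

With the trusted hop count or CIDR list matching the real proxy chain, the entry the client controls is never selected; the misconfiguration to watch for is a hop count larger than the number of proxies actually in front of Envoy.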

skip_xff_append

(BoolValue) If set, Envoy will not append the remote address to the x-forwarded-for HTTP header.

Attention

For proper proxy behaviour it is not recommended to set this option. For backwards compatibility, if this option is unset it defaults to true.

This only applies when use_remote_address is false; otherwise the HTTP connection manager's own skip_xff_append setting applies.

extensions.http.original_ip_detection.xff.v3.XffTrustedCidrs

[extensions.http.original_ip_detection.xff.v3.XffTrustedCidrs proto]

{
  "cidrs": []
}

cidrs

(repeated config.core.v3.CidrRange) The list of CIDRs from which remote connections are considered trusted.