Documentation
Index ¶
- Variables
- type XffConfig
- func (x *XffConfig) ClearSkipXffAppend()
- func (x *XffConfig) ClearXffTrustedCidrs()
- func (x *XffConfig) GetSkipXffAppend() *wrapperspb.BoolValue
- func (x *XffConfig) GetXffNumTrustedHops() uint32
- func (x *XffConfig) GetXffTrustedCidrs() *XffTrustedCidrs
- func (x *XffConfig) HasSkipXffAppend() bool
- func (x *XffConfig) HasXffTrustedCidrs() bool
- func (*XffConfig) ProtoMessage()
- func (x *XffConfig) ProtoReflect() protoreflect.Message
- func (x *XffConfig) Reset()
- func (x *XffConfig) SetSkipXffAppend(v *wrapperspb.BoolValue)
- func (x *XffConfig) SetXffNumTrustedHops(v uint32)
- func (x *XffConfig) SetXffTrustedCidrs(v *XffTrustedCidrs)
- func (x *XffConfig) String() string
- type XffConfig_builder
- type XffTrustedCidrs
- type XffTrustedCidrs_builder
Constants ¶
This section is empty.
Variables ¶
var File_envoy_extensions_http_original_ip_detection_xff_v3_xff_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type XffConfig ¶
// XffConfig configures detection of the original client IP address from the
// “x-forwarded-for“ (XFF) request header. It carries two alternative trust
// settings, a hop count (XffNumTrustedHops) and a list of trusted ranges
// (XffTrustedCidrs); the field comments state that only one of them can be set.
//
// NOTE(review): XFF is a request header, so any entry that was not appended by
// a proxy you operate is whatever the sender wrote. The address selected here
// is only as reliable as the trust settings below; confirm they match the real
// proxy topology before anything downstream relies on the result for access
// decisions, rate limiting or audit logging.
type XffConfig struct {
	// The number of additional ingress proxy hops from the right side of the
	// :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
	// determining the origin client's IP address. The default is zero if this option
	// is not specified. See the documentation for
	// :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.
	//
	// Only one of “xff_num_trusted_hops“ and “xff_trusted_cidrs“ can be set.
	//
	// NOTE(review): hops are counted from the right side of the header, so this
	// value should equal the number of proxies in front of this listener that
	// are known to append to it. A value larger than the real proxy depth would
	// presumably reach entries the client supplied itself; verify against the
	// deployment.
	XffNumTrustedHops uint32 `protobuf:"varint,1,opt,name=xff_num_trusted_hops,json=xffNumTrustedHops,proto3" json:"xff_num_trusted_hops,omitempty"`
	// The `CIDR <https://tools.ietf.org/html/rfc4632>`_ ranges to trust when
	// evaluating the remote IP address to determine the original client's IP address.
	// This is used instead of
	// :ref:`use_remote_address <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address>`.
	// When the remote IP address matches a trusted CIDR and the
	// :ref:`config_http_conn_man_headers_x-forwarded-for` header was sent, each entry
	// in the “x-forwarded-for“ header is evaluated from right to left and the first
	// non-trusted address is used as the original client address. If all
	// addresses in “x-forwarded-for“ are within the trusted list, the first (leftmost)
	// entry is used.
	//
	// .. warning::
	//
	//    Starting with Envoy v1.33.0, private IP address ranges are **not** automatically skipped
	//    when determining the original client address. We'll return the first address that is not
	//    in the “xff_trusted_cidrs“ list, even if it is a private IP address.
	//
	//    If you want to skip private IP addresses, explicitly add them to the “xff_trusted_cidrs“
	//    list. For example:
	//
	//    .. code-block:: yaml
	//
	//       xff_trusted_cidrs:
	//         cidrs:
	//         - address_prefix: "10.0.0.0"
	//           prefix_len: 8
	//         - address_prefix: "172.16.0.0"
	//           prefix_len: 12
	//         - address_prefix: "192.168.0.0"
	//           prefix_len: 16
	//         - address_prefix: "127.0.0.0"
	//           prefix_len: 8
	//         - address_prefix: "fc00::"
	//           prefix_len: 7
	//         - address_prefix: "::1"
	//           prefix_len: 128
	//
	//    See :ref:`internal_address_config
	//    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`
	//    for more information about the v1.33.0 behavior change.
	//
	// This is typically used when requests are proxied by a
	// `CDN <https://en.wikipedia.org/wiki/Content_delivery_network>`_.
	//
	// Only one of “xff_num_trusted_hops“ and “xff_trusted_cidrs“ can be set.
	//
	// NOTE(review): by the rule above, the header is evaluated whenever the
	// connecting peer falls inside a trusted range, so every host in that range
	// can influence the detected address. Keep the ranges as narrow as the
	// actual proxy or CDN egress addresses. Configurations carried across the
	// v1.33.0 change that relied on private ranges being skipped implicitly
	// should be re-checked, since a private address may now be reported as the
	// client.
	XffTrustedCidrs *XffTrustedCidrs `protobuf:"bytes,2,opt,name=xff_trusted_cidrs,json=xffTrustedCidrs,proto3" json:"xff_trusted_cidrs,omitempty"`
	// If set, Envoy will not append the remote address to the
	// :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header.
	//
	// .. attention::
	//
	//    For proper proxy behaviour it is not recommended to set this option.
	//    For backwards compatibility, if this option is unset it defaults to true.
	//
	// This only applies when :ref:`use_remote_address
	// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address>`
	// is false, otherwise :ref:`skip_xff_append
	// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.skip_xff_append>`
	// applies.
	//
	// NOTE(review): the field is a BoolValue wrapper, so unset (nil) is distinct
	// from an explicit false. Per the attention note, unset behaves as true,
	// which by the first sentence means the remote address is not appended; an
	// explicit false appears to be required if upstreams are expected to see
	// this hop in the header. Confirm against the Envoy version in use.
	SkipXffAppend *wrapperspb.BoolValue `protobuf:"bytes,3,opt,name=skip_xff_append,json=skipXffAppend,proto3" json:"skip_xff_append,omitempty"`
	// contains filtered or unexported fields
}
This extension allows for the original downstream remote IP to be detected by reading the :ref:`config_http_conn_man_headers_x-forwarded-for` header.
[#extension: envoy.http.original_ip_detection.xff]
func (*XffConfig) GetSkipXffAppend ¶
func (x *XffConfig) GetSkipXffAppend() *wrapperspb.BoolValue
func (*XffConfig) GetXffTrustedCidrs ¶
func (x *XffConfig) GetXffTrustedCidrs() *XffTrustedCidrs
func (*XffConfig) ProtoReflect ¶
func (x *XffConfig) ProtoReflect() protoreflect.Message
func (*XffConfig) SetSkipXffAppend ¶
func (x *XffConfig) SetSkipXffAppend(v *wrapperspb.BoolValue)
func (*XffConfig) SetXffTrustedCidrs ¶
func (x *XffConfig) SetXffTrustedCidrs(v *XffTrustedCidrs)
type XffConfig_builder ¶
// XffConfig_builder lists the XffConfig field values as plain struct fields;
// its Build method returns an *XffConfig. The field comments repeat those of
// XffConfig.
//
// NOTE(review): the comments state that only one of XffNumTrustedHops and
// XffTrustedCidrs can be set, but nothing visible here shows where that is
// enforced; do not assume Build rejects a builder that sets both.
type XffConfig_builder struct {
	// The number of additional ingress proxy hops from the right side of the
	// :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
	// determining the origin client's IP address. The default is zero if this option
	// is not specified. See the documentation for
	// :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.
	//
	// Only one of “xff_num_trusted_hops“ and “xff_trusted_cidrs“ can be set.
	//
	// NOTE(review): should equal the number of proxies in front of this listener
	// that are known to append to the header; verify against the deployment.
	XffNumTrustedHops uint32
	// The `CIDR <https://tools.ietf.org/html/rfc4632>`_ ranges to trust when
	// evaluating the remote IP address to determine the original client's IP address.
	// This is used instead of
	// :ref:`use_remote_address <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address>`.
	// When the remote IP address matches a trusted CIDR and the
	// :ref:`config_http_conn_man_headers_x-forwarded-for` header was sent, each entry
	// in the “x-forwarded-for“ header is evaluated from right to left and the first
	// non-trusted address is used as the original client address. If all
	// addresses in “x-forwarded-for“ are within the trusted list, the first (leftmost)
	// entry is used.
	//
	// .. warning::
	//
	//    Starting with Envoy v1.33.0, private IP address ranges are **not** automatically skipped
	//    when determining the original client address. We'll return the first address that is not
	//    in the “xff_trusted_cidrs“ list, even if it is a private IP address.
	//
	//    If you want to skip private IP addresses, explicitly add them to the “xff_trusted_cidrs“
	//    list. For example:
	//
	//    .. code-block:: yaml
	//
	//       xff_trusted_cidrs:
	//         cidrs:
	//         - address_prefix: "10.0.0.0"
	//           prefix_len: 8
	//         - address_prefix: "172.16.0.0"
	//           prefix_len: 12
	//         - address_prefix: "192.168.0.0"
	//           prefix_len: 16
	//         - address_prefix: "127.0.0.0"
	//           prefix_len: 8
	//         - address_prefix: "fc00::"
	//           prefix_len: 7
	//         - address_prefix: "::1"
	//           prefix_len: 128
	//
	//    See :ref:`internal_address_config
	//    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`
	//    for more information about the v1.33.0 behavior change.
	//
	// This is typically used when requests are proxied by a
	// `CDN <https://en.wikipedia.org/wiki/Content_delivery_network>`_.
	//
	// Only one of “xff_num_trusted_hops“ and “xff_trusted_cidrs“ can be set.
	//
	// NOTE(review): every peer inside a trusted range has its header entries
	// evaluated, so keep the ranges as narrow as the real proxy or CDN egress
	// addresses.
	XffTrustedCidrs *XffTrustedCidrs
	// If set, Envoy will not append the remote address to the
	// :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header.
	//
	// .. attention::
	//
	//    For proper proxy behaviour it is not recommended to set this option.
	//    For backwards compatibility, if this option is unset it defaults to true.
	//
	// This only applies when :ref:`use_remote_address
	// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address>`
	// is false, otherwise :ref:`skip_xff_append
	// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.skip_xff_append>`
	// applies.
	//
	// NOTE(review): a nil pointer here is the "unset" case, which the attention
	// note says defaults to true; it is not the same as an explicit false.
	SkipXffAppend *wrapperspb.BoolValue
	// contains filtered or unexported fields
}
func (XffConfig_builder) Build ¶
func (b0 XffConfig_builder) Build() *XffConfig
type XffTrustedCidrs ¶
// XffTrustedCidrs wraps the list of CIDR ranges used by
// XffConfig.XffTrustedCidrs.
type XffTrustedCidrs struct {
	// The list of `CIDRs <https://tools.ietf.org/html/rfc4632>`_ from which remote
	// connections are considered trusted.
	//
	// NOTE(review): "trusted" here means the peer's “x-forwarded-for“ header
	// is taken into account (see the XffConfig.XffTrustedCidrs comment), so
	// each range should cover only proxies whose header handling you rely on.
	// What an empty list means is not stated on this page; confirm before
	// depending on it.
	Cidrs []*v3.CidrRange `protobuf:"bytes,1,rep,name=cidrs,proto3" json:"cidrs,omitempty"`
	// contains filtered or unexported fields
}
func (*XffTrustedCidrs) GetCidrs ¶
func (x *XffTrustedCidrs) GetCidrs() []*v3.CidrRange
func (*XffTrustedCidrs) ProtoMessage ¶
func (*XffTrustedCidrs) ProtoMessage()
func (*XffTrustedCidrs) ProtoReflect ¶
func (x *XffTrustedCidrs) ProtoReflect() protoreflect.Message
func (*XffTrustedCidrs) Reset ¶
func (x *XffTrustedCidrs) Reset()
func (*XffTrustedCidrs) SetCidrs ¶
func (x *XffTrustedCidrs) SetCidrs(v []*v3.CidrRange)
func (*XffTrustedCidrs) String ¶
func (x *XffTrustedCidrs) String() string
type XffTrustedCidrs_builder ¶
// XffTrustedCidrs_builder lists the XffTrustedCidrs field values as plain
// struct fields; its Build method returns an *XffTrustedCidrs.
type XffTrustedCidrs_builder struct {
	// The list of `CIDRs <https://tools.ietf.org/html/rfc4632>`_ from which remote
	// connections are considered trusted.
	//
	// NOTE(review): whether Build copies this slice or keeps a reference to it
	// is not visible here; avoid mutating it after Build until that is
	// confirmed.
	Cidrs []*v3.CidrRange
	// contains filtered or unexported fields
}
func (XffTrustedCidrs_builder) Build ¶
func (b0 XffTrustedCidrs_builder) Build() *XffTrustedCidrs
Source Files
- xff.pb.go