.. _envoy_v3_api_file_envoy/extensions/http/original_ip_detection/xff/v3/xff.proto: XFF original IP detection extension (proto) =========================================== .. _envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffConfig: extensions.http.original_ip_detection.xff.v3.XffConfig ------------------------------------------------------ :repo:`[extensions.http.original_ip_detection.xff.v3.XffConfig proto] ` This extension allows for the original downstream remote IP to be detected by reading the :ref:`config_http_conn_man_headers_x-forwarded-for` header. .. _extension_envoy.http.original_ip_detection.xff: This extension has the qualified name ``envoy.http.original_ip_detection.xff`` .. note:: This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted. .. tip:: This extension extends and can be used with the following extension category: - :ref:`envoy.http.original_ip_detection ` This extension must be configured with one of the following type URLs: - :ref:`type.googleapis.com/envoy.extensions.http.original_ip_detection.xff.v3.XffConfig ` .. code-block:: json :force: { "xff_num_trusted_hops": ..., "xff_trusted_cidrs": {...}, "skip_xff_append": {...} } .. _envoy_v3_api_field_extensions.http.original_ip_detection.xff.v3.XffConfig.xff_num_trusted_hops: xff_num_trusted_hops (`uint32 `_) The number of additional ingress proxy hops from the right side of the :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when determining the origin client's IP address. The default is zero if this option is not specified. See the documentation for :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. Only one of ``xff_num_trusted_hops`` and ``xff_trusted_cidrs`` can be set. .. _envoy_v3_api_field_extensions.http.original_ip_detection.xff.v3.XffConfig.xff_trusted_cidrs: xff_trusted_cidrs (:ref:`extensions.http.original_ip_detection.xff.v3.XffTrustedCidrs `) The `CIDR `_ ranges to trust when evaluating the remote IP address to determine the original client's IP address. This is used instead of :ref:`use_remote_address `. When the remote IP address matches a trusted CIDR and the :ref:`config_http_conn_man_headers_x-forwarded-for` header was sent, each entry in the ``x-forwarded-for`` header is evaluated from right to left and the first public non-trusted address is used as the original client address. If all addresses in ``x-forwarded-for`` are within the trusted list, the first (leftmost) entry is used. This is typically used when requests are proxied by a `CDN `_. Only one of ``xff_num_trusted_hops`` and ``xff_trusted_cidrs`` can be set. .. _envoy_v3_api_field_extensions.http.original_ip_detection.xff.v3.XffConfig.skip_xff_append: skip_xff_append (`BoolValue `_) If set, Envoy will not append the remote address to the :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. .. attention:: For proper proxy behaviour it is not recommended to set this option. For backwards compatibility, if this option is unset it defaults to true. This only applies when :ref:`use_remote_address ` is false, otherwise :ref:`skip_xff_append ` applies. .. _envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffTrustedCidrs: extensions.http.original_ip_detection.xff.v3.XffTrustedCidrs ------------------------------------------------------------ :repo:`[extensions.http.original_ip_detection.xff.v3.XffTrustedCidrs proto] ` .. code-block:: json :force: { "cidrs": [] } .. _envoy_v3_api_field_extensions.http.original_ip_detection.xff.v3.XffTrustedCidrs.cidrs: cidrs (**repeated** :ref:`config.core.v3.CidrRange `) The list of `CIDRs `_ from which remote connections are considered trusted.