slime-io/slime

When a request has an XFF header, lazyload does not process the access log correctly.

Patrick0308 opened this issue · 1 comments

Bug description
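When a request carries an XFF (x-forwarded-for) header, the access log's downstream_remote_address is not the address of the directly connected client. Envoy may infer that field from x-forwarded-for, which is a request header, so its value is only as trustworthy as the hops that wrote the header; downstream_direct_remote_address is always the physical peer address of the connection. Please use downstream_direct_remote_address rather than downstream_remote_address. See the documentation: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage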

The inbound access log of a request that has an x-forwarded-for header:

{
	common_properties: {
		downstream_remote_address: {
			socket_address: {
				address: "10.121.31.97"
				port_value: 0
			}
		}
		downstream_local_address: {
			socket_address: {
				address: "172.22.235.222"
				port_value: 80
			}
		}
		tls_properties: {
			tls_version: TLSv1_2 tls_cipher_suite: {
				value: 49200
			}
			tls_sni_hostname: "outbound_.80_._.global-sidecar.mesh-operator.svc.cluster.local"
			local_certificate_properties: {
				subject_alt_name: {
					uri: "spiffe://cluster.local/ns/mesh-operator/sa/global-sidecar"
				}
			}
			peer_certificate_properties: {
				subject_alt_name: {
					uri: "spiffe://cluster.local/ns/core/sa/default"
				}
			}
		}
		start_time: {
			seconds: 1684293776 nanos: 524642000
		}
		time_to_last_rx_byte: {
			nanos: 1351667
		}
		time_to_first_upstream_tx_byte: {
			nanos: 1236279
		}
		time_to_last_upstream_tx_byte: {
			nanos: 1359406
		}
		time_to_first_upstream_rx_byte: {
			nanos: 19913803
		}
		time_to_last_upstream_rx_byte: {
			nanos: 20058379
		}
		time_to_first_downstream_tx_byte: {
			nanos: 19992116
		}
		time_to_last_downstream_tx_byte: {
			nanos: 20076023
		}
		upstream_remote_address: {
			socket_address: {
				address: "172.22.235.222"
				port_value: 80
			}
		}
		upstream_local_address: {
			socket_address: {
				address: "127.0.0.6"
				port_value: 46901
			}
		}
		upstream_cluster: "inbound|80||"
		route_name: "default"
		downstream_direct_remote_address: {
			socket_address: {
				address: "172.22.169.50"
				port_value: 48166
			}
		}
	}
	protocol_version: HTTP2 request: {
		request_method: POST scheme: "http"
		authority: "lb-doraemon-featureflag.skopos"
		path: "/lb.doraemon.featureflag.FeatureFlagService/AllFeatureFlags"
		user_agent: "grpc-go/1.45.0"
		referer: "https://inner-gw.longbridge.xyz/call"
		forwarded_for: "121.43.162.243, 10.121.31.97"
		request_id: "6eca82ea-b691-4e94-b91e-22959e7fefff"
		request_headers_bytes: 3214 request_body_bytes: 5
	}
	response: {
		response_code: {
			value: 200
		}
		response_headers_bytes: 1576 response_body_bytes: 15188 response_code_details: "via_upstream"
	}
}
log_entry: {
	common_properties: {
		downstream_remote_address: {
			socket_address: {
				address: "10.121.31.97"
				port_value: 0
			}
		}
		downstream_local_address: {
			socket_address: {
				address: "172.22.235.222"
				port_value: 80
			}
		}
		tls_properties: {
			tls_version: TLSv1_2 tls_cipher_suite: {
				value: 49200
			}
			tls_sni_hostname: "outbound_.80_._.global-sidecar.mesh-operator.svc.cluster.local"
			local_certificate_properties: {
				subject_alt_name: {
					uri: "spiffe://cluster.local/ns/mesh-operator/sa/global-sidecar"
				}
			}
			peer_certificate_properties: {
				subject_alt_name: {
					uri: "spiffe://cluster.local/ns/core/sa/default"
				}
			}
		}
		start_time: {
			seconds: 1684293776 nanos: 524642000
		}
		time_to_last_rx_byte: {
			nanos: 1351667
		}
		time_to_first_upstream_tx_byte: {
			nanos: 1236279
		}
		time_to_last_upstream_tx_byte: {
			nanos: 1359406
		}
		time_to_first_upstream_rx_byte: {
			nanos: 19913803
		}
		time_to_last_upstream_rx_byte: {
			nanos: 20058379
		}
		time_to_first_downstream_tx_byte: {
			nanos: 19992116
		}
		time_to_last_downstream_tx_byte: {
			nanos: 20076023
		}
		upstream_remote_address: {
			socket_address: {
				address: "172.22.235.222"
				port_value: 80
			}
		}
		upstream_local_address: {
			socket_address: {
				address: "127.0.0.6"
				port_value: 46901
			}
		}
		upstream_cluster: "inbound|80||"
		route_name: "default"
		downstream_direct_remote_address: {
			socket_address: {
				address: "172.22.169.50"
				port_value: 48166
			}
		}
	}
	protocol_version: HTTP2 request: {
		request_method: POST scheme: "http"
		authority: "lb-doraemon-featureflag.skopos"
		path: "/lb.doraemon.featureflag.FeatureFlagService/AllFeatureFlags"
		user_agent: "grpc-go/1.45.0"
		referer: "https://inner-gw.longbridge.xyz/call"
		forwarded_for: "121.43.162.243, 10.121.31.97"
		request_id: "6eca82ea-b691-4e94-b91e-22959e7fefff"
		request_headers_bytes: 3214 request_body_bytes: 5
	}
	response: {
		response_code: {
			value: 200
		}
		response_headers_bytes: 1576 response_body_bytes: 15188 response_code_details: "via_upstream"
	}
}

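10.121.31.97 is a host IP rather than a pod IP; it is the last entry of forwarded_for in the log above, and it is what downstream_remote_address reports. 172.22.169.50, reported in downstream_direct_remote_address, is the client pod IP.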

Affected sub-module (please put an X in all that apply)

[x] Configuration Lazy Loading
[ ] Http Plugin Management
[ ] Adaptive Ratelimit
[ ] Slime Boot

Steps to reproduce the bug

we will verify and fix it soon