Gateways need to obtain the client's originating IP address to enhance security, optimize user experience, or meet compliance requirements in marketing, auditing, and anti-fraud scenarios. This topic describes how to configure the X-Forwarded-For (XFF) request header to enable ASM gateway to obtain the client's originating IP address.
This function requires ASM version 1.24.6.83 or later. Upgrade your ASM instance if needed.
Background
X-Forwarded-For (XFF) is an HTTP request header field. It records the client's originating IP address when a request passes through a proxy server, server load balancer, or Alibaba Cloud CDN.
X-Forwarded-For is a list of IP addresses, separated by dots. It is in the following format:
X-Forwarded-For: <client's originating IP>, <first proxy IP>, <second proxy IP>, ...Obtain client IP by configuring number of trusted proxies
When the call chain topology is fixed, you can enable the ASM gateway to obtain the client IP by configuring the trusted hop count (number of proxies in the chain minus 1) annotation for the gateway pod. The following figure shows an example:
Three fixed proxies are in the request chain. The trusted hop count is numTrustedProxies: 2. After the request passes through proxies, the IP list in the XFF request header is [1.1.1.1, 2.2.2.2, 3.3.3.3]. ASM gateway removes IP addresses from the end of this list, based on the configured trusted hop count. To obtain the client's originating IP address 1.1.1.1. You can configure the trusted hop count as follows:
Use the ASM kubeconfig to edit the ASM gateway configuration.
$ kubectl -n istio-system edit istiogateway <ASM gateway name>Add the following annotation to the gateway pod to set the trusted hop count.
WarningThis operation will cause a rolling restart of the gateway. Perform this operation during off-peak hours.
spec: podAnnotations: proxy.istio.io/config: | gatewayTopology: numTrustedProxies: <number of trusted proxies-1>After the modification, the configuration will work on the gateway pod.
The value of
numTrustedProxiesmust be less than the number of IP addresses in the XFF request header. If it is greater than or equal to it, the ASM gateway will use the last (rightmost) address in the IP list as the client's originating IP address.The XFF request header output in the ASM gateway access log includes the address appended by the ASM gateway. This appending action occurs after the
numTrustedProxiescalculation. In the example, the XFF request header content will include the IP address4.4.4.4. This is because after the gateway completes thenumTrustedProxiescalculation and obtains the client IP, it appends the IP of Proxy3 to the XFF request header. This does not affect the accuracy of the obtained client IP.
Obtain client IP by excluding known addresses
When the call chain topology is not fixed, configuring only the trusted hop count cannot ensure to obtain the client IP. You need to configure trusted known addresses to enable the ASM gateway to exclude them. Then you can obtain the correct client address. The following is an example:
In the figure above, the topology hop counts for Client1 and Client2 are not consistent. So you cannot obtain the client's originating IP address by configuring a fixed hop count. In this case, you need to add the IPs of Proxy1 through Proxy4 to the gateway's trusted address segments. Then the gateway can exclude these known addresses and obtain the correct client address. You can configure known addresses as follows:
Edit the ASM gateway configuration.
$ kubectl -n istio-system edit istiogateway <ASM gateway name>Add the following annotation to the gateway pod. This is to add known IP addresses to the trusted segments.
WarningThis operation will cause a rolling restart of the gateway. Perform this operation during off-peak hours.
Only CIDR format is supported here. Fixed IPs need to include the subnet mask bit count
/32.spec: podAnnotations: proxy.istio.io/config: | gatewayTopology: xffTrustedCidrs: - 2.2.2.2/32 - 3.3.3.3/32 - 4.4.4.4/32 - 5.5.5.5/32After the modification the configuration will work on the new gateway pod.