Page MenuHomePhabricator
Create Task
Maniphest T354853

Service mesh envoy does not treat incoming connections as local
Open, MediumPublic
Actions

Description

For T353460 we tried to explicitly disable a configured retry (at the mw-api-int-async-ro listener) by sending x-envoy-max-retries: 0. Unfortunately this does not have any effect as envoy does not consider the connection to be local/trusted unless x-forwarded-for is set to only one RFC1918 or RFC4193 address.

This behavior can be changed by setting use_remote_address: true:

If set to true, the connection manager will use the real remote address of the client connection when determining internal versus external origin and manipulating various headers. If set to false or absent, the connection manager will use the x-forwarded-for HTTP header.

I would think that we can safely set use_remote_address: true for all mesh listeners that we generate automatically but there might ofc. be implications that I'm missing.
In this context it might also make sense to change the listen address for all generated listeners to 127.0.0.1 instead of 0.0.0.0 to avoid making them accessible by accident (currently that would need an additional networkpolicy).

Related Objects

Event Timeline

JMeybohm created this task.Jan 11 2024, 12:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 11 2024, 12:50 PM
JMeybohm added a subscriber: pfischer.Jan 11 2024, 12:50 PM
JMeybohm updated the task description. (Show Details)Jan 11 2024, 12:53 PM
EBernhardson subscribed.Jan 11 2024, 4:08 PM
bking subscribed.Jan 17 2024, 6:58 PM
dcausse mentioned this in T388855: Search Update Pipeline requests to Action API are logged as coming from 127.0.0.1.Mar 14 2025, 9:22 AM
dcausse subscribed.
Gehel merged a task: T388855: Search Update Pipeline requests to Action API are logged as coming from 127.0.0.1.May 23 2025, 9:00 AM
Gehel added subscribers: Gehel, bd808.
Scott_French triaged this task as Medium priority.Feb 26 2026, 5:43 PM
Scott_French edited projects, added ServiceOps new, ServiceOps-SharedInfra; removed serviceops-deprecated.
Scott_French moved this task from Inbox to Backlog on the ServiceOps new board.Feb 26 2026, 5:51 PM
Scott_French added subscribers: RLazarus, Scott_French.

From a quick spot check in puppet and deployment-charts, it doesn't look like we've subsequently done this widely, though there are limited use cases in which use_remote_address: true is set.

It still sounds like this makes sense to do, though I'm not quite sure whether some of the recent changes around internal_address_config for compatibility with newer envoy versions might change this story.

@JMeybohm or @RLazarus - If either of you happen to know off hand, that would be appreciated. Thanks!

RLazarus added a comment.Feb 26 2026, 6:01 PM

Not offhand, but your reading sounds believable to me. I'd also be interested in whether the change to X-Forwarded-For (Envoy wouldn't append the remote address to it anymore) would cause any problems for anyone depending on that, but I wouldn't imagine so.

JMeybohm mentioned this in T422928: HTML Pipeline - Performance improvements.Apr 16 2026, 7:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits