Geoip filter #24318
Geoip filter #24318
Conversation
Signed-off-by: Kateryna Nezdolii <[email protected]>
Signed-off-by: Kateryna Nezdolii <[email protected]>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
nezdolik
force-pushed
the
geoip
branch
3 times, most recently
from
1b13a11 to
c1cb979
Compare
nezdolik
force-pushed
the
geoip
branch
18 times, most recently
from
569c360 to
c162dd4
Compare
nezdolik
force-pushed
the
geoip
branch
3 times, most recently
from
ad8bf60 to
1e9846b
Compare
|
tsan ci failure seems to be unrelated, will merge main and check if it helps |
Signed-off-by: Kateryna Nezdolii <[email protected]>
|
@ravenblackx ci is fixed now. Think I have addressed all review comments, but please lmk if smth is missing. |
CODEOWNERS
Outdated
| @@ -291,6 +291,8 @@ extensions/filters/http/oauth2 @derekargueta @snowp | |||
| /*/extensions/load_balancing_policies/round_robin @wbpcode @UNOWNED | |||
| # Early header mutation | |||
| /*/extensions/http/early_header_mutation/header_mutation @wbpcode @UNOWNED | |||
| # IP Geolocation | |||
| /*/extensions/filters/http/geoip @nezdolik @mattklein123 | |||
There was a problem hiding this comment.
I guess. It's not really my field, but it would make sense since having reviewed some of it I now have the best context to review the rest of it.
Signed-off-by: Kateryna Nezdolii <[email protected]>
|
cc @sc0ttbeardsley i have started working on plugging the maxmind geoip provider for this filter in a separate change. If your company uses some other geolocation provider, you will need to submit a patch for it. |
|
@mattklein123 could you please take the final look? :) |
| GeolocationHeadersToAdd geo_headers_to_add = 3 [(validate.rules).message = {required: true}]; | ||
|
|
||
| // Geolocation provider specific configuration. | ||
| GeolocationProvider provider = 4 [(validate.rules).message = {required: true}]; |
There was a problem hiding this comment.
This should use TypedExtensionConfig I think?
There was a problem hiding this comment.
Yeap, did not know about that core message TypedExtensionConfig
| // If set to true, the `xff_num_trusted_hops` field will be used to determine | ||
| // trusted client address from `x-forwarded-for` header. | ||
| // Otherwise, the immediate downstream connection source address will be used. | ||
| bool use_xff = 1; | ||
|
|
||
| // The number of additional ingress proxy hops from the right side of the | ||
| // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when | ||
| // determining the origin client's IP address. The default is zero if this option | ||
| // is not specified. See the documentation for | ||
| // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. | ||
| uint32 xff_num_trusted_hops = 2; |
There was a problem hiding this comment.
I would refactor this into an XffConfig message, with the presence of the message indicating that XFF should be consulted, and the num_trusted_hops inside of it. This will be a bit clearer from an API perspective.
| // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g. VPN, public proxy etc) | ||
| // and header will be populated with the check result. |
There was a problem hiding this comment.
Can you specify the concrete values? Is it true/false? Something else? Same for all of the ones that aren't obviously strings.
| provider: | ||
| name: "envoy.geoip_providers.maxmind" |
There was a problem hiding this comment.
This doesn't actually exist. Is this going to be added in some future PR?
There was a problem hiding this comment.
That's correct. I have initially suggested to split this work into implementing filter itself and then implementing the provider.
Signed-off-by: Kateryna Nezdolii <[email protected]>
Signed-off-by: Kateryna Nezdolii <[email protected]>
|
/retest |
|
Retrying Azure Pipelines: |
|
not sure what is causing the docker fail - but ticket is here moby/moby#26634 - ive reported upstream also moby/buildkit#3801 |
|
@mattklein123 regarding release note, i think is better to wait until provider is implemented. |
This change introduces IP Geolocation filter. Implementation according to design doc.
Commit Message: IP Geolocation filter
Additional Description:
Risk Level: Low (new extension)
Testing: unit tests
Docs Changes: Done
Release Notes: tbd
Platform Specific Features: NA
Fixes moby/moby#23736