remote_address

[eguzki]

remote_address is the action name exposed by Envoy filter envoy.filters.http.ratelimit. The description of remote_address

The following descriptor entry is appended to the descriptor and is populated using the trusted address from [x-forwarded-for](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for):

("remote_address", "<trusted address from x-forwarded-for>")

This seems pretty fundamental feature to rate limit by IP.

The ask here is to create a WellKnownAttribute ™️ that reproduces the same behavior.

Related info

• Envoy trusted client address computation based on X-Forwarded-For header https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
• Nice article explaining “Real” IP address computation by Envoy https://www.zhaohuabing.com/post/2024-05-17-client-ip-en/
• Set numTrustedProxies using Istio https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/#configuring-x-forwarded-for-headers
• Configure Client IP Detection using EnvoyGateway https://gateway.envoyproxy.io/latest/tasks/traffic/client-traffic-policy/#configure-client-ip-detection

[roivaz]

About XFF and rate limiting on an edge gateway using it, caution is required, as the header can be easily forged. See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for for more information on how the header is treated by envoy depending on user's configuration.

Specifically talking about istio, the user needs to specify the number of trusted hops in front of the gateway in order for istio to make the required configurations so the remote address is properly guessed from the header. See https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/#configuring-x-forwarded-for-headers. Might be something worth documenting somewhere within kudrant/limitador?

[eguzki]

@roivaz thanks for the heads up.

I have done some tests about how Envoy behaves. I will write details on the PR implementing this feature, but TL;DR is that the implementation in the Kuadrant's Wasm module will delegate the computation of the trusted client address to Envoy and use that for the rate limiting well known attribute remote_address (or whatever it is named in the end). That means that in an environment where there are one or more trusted proxies in front of the gateway where the kuadrant module lives, the xff_num_trusted_hops Envoy's HTTP connection manager attribute will play the expected role. The way xff_num_trusted_hops is being specified depends on the envoy's control plane.

• For Istio the IstioOperator
• For Istio's Sail operator, after a quick search, I could not find a way to configure the number of trusted proxies.
• For EnvoyGateway, the Configure Client IP Detection policy does the job

[roivaz]

@eguzki for sail operator you can basically use any configuration option that the Istio helm charts expose. The field spec.values.meshConfig.defaultConfig.gatewayTopology.numTrustedProxies in the sail custom resource should do it.
On the other hand, all these options configure numTrustedProxies for all Gateways, but there's a way to configure it on a per-gateway basis, by adding the following annotation:

proxy.istio.io/config: '{"gatewayTopology":{"numTrustedProxies":0}}'