Supporting Original source filter

I’m trying to set the original source listener filter while configuring Envoy.

What happened?

I set the envoy.filters.http.original_src listener filter, with a Mark value while building the Main listener. However, the problem is that Envoy uses the original client IP for the auth requests forwarded to Pomerium as well. This results in the .pomerium/sign_in response failure from Pomerium.

What do I need support with?

So, is there a way where this listener filter can be set only for the configured routes, and exempt the pomerium routes from this?

Changes done

  1. buildMainListener -

    // Original-source listener filter config; Mark is applied as SO_MARK on upstream sockets.
    origSourceCfg := marshalAny(&envoy_filters_listener_orig_src_v3.OriginalSrc{
        Mark: cfg.Options.EnvoyMark,
    })

    // Attach the filter to the main listener's listener-filter list.
    listenerFilters = append(listenerFilters, &envoy_config_listener_v3.ListenerFilter{
        Name: "envoy.filters.http.original_src",
        ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
            TypedConfig: origSourceCfg,
        },
    })

  2. Envoy forwards the auth sign-in request to Pomerium over the HTTP_PORT, with the client source IP

13:47:40.519214 IP .64707 > 127.0.0.1.26349: Flags [S], seq 4195850707, win 43690, options [mss 65495,sackOK,TS val 2901154527 ecr 0,nop,wscale 11], length 0

  3. Results in Error

"response-code":503,"response-code-details":"upstream_reset_before_response_started{connection_failure,delayed_connect_error:_110}",

What’s your environment like?

  • Pomerium version v-0.17

What’s your config.yaml?

Not related to config.yaml

What did you see in the logs?

{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"xxxx.xxxx.yyyyyy.com","path":"/.pomerium/sign_in","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","forwarded-for":"101.51.78.32","request-id":"eced7a3d-ddd9-4343-8923-4c379e6af973","duration":9139.790087,"size":145,"response-code":503,"response-code-details":"upstream_reset_before_response_started{connection_failure,delayed_connect_error:_110}","time":"2022-12-17T08:48:57Z","message":"http-request"}

There is an HTTP filter - envoy.filters.http.original_src, which serves the same purpose but per HTTP connection manager… Probably, this is the closest I can get. So, I wanted to know if there’s a similar one for routes, or a way to disable it for the pomerium-routes.
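
A triage helper for the access-log line quoted above, as an added example that is not part of the original post or Pomerium's own code: it extracts the connect errno from `response-code-details` and flags failures that hit Pomerium's internal cluster rather than a configured route. The sample lines, the `route-app` cluster name, the `pomerium-control-plane` prefix check and the Linux errno table are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample lines in the shape of the Envoy access log quoted in the post.
const sampleLog = `{"upstream-cluster":"pomerium-control-plane-http","path":"/.pomerium/sign_in","forwarded-for":"203.0.113.7","response-code":503,"response-code-details":"upstream_reset_before_response_started{connection_failure,delayed_connect_error:_110}"}
{"upstream-cluster":"route-app","path":"/","forwarded-for":"203.0.113.7","response-code":200,"response-code-details":"via_upstream"}
{"upstream-cluster":"route-app","path":"/api","forwarded-for":"203.0.113.9","response-code":503,"response-code-details":"upstream_reset_before_response_started{connection_failure,delayed_connect_error:_111}"}`

type entry struct {
	Cluster string `json:"upstream-cluster"`
	Path    string `json:"path"`
	Client  string `json:"forwarded-for"`
	Code    int    `json:"response-code"`
	Details string `json:"response-code-details"`
}

// Finding is one upstream connect failure; Internal marks Pomerium's own cluster.
type Finding struct {
	Cluster, Path, Client string
	Errno                 int
	Name                  string
	Internal              bool
}

var connectErr = regexp.MustCompile(`connection_failure,delayed_connect_error:_(\d+)\}`)

// Linux errno values (assumed platform) for common connect failures.
var errnoName = map[int]string{110: "ETIMEDOUT", 111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

// ConnectFailures returns every 503 whose details carry an upstream connect errno.
func ConnectFailures(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		var e entry
		if json.Unmarshal([]byte(line), &e) != nil || e.Code != 503 {
			continue // skip blank or non-JSON lines and non-503 responses
		}
		m := connectErr.FindStringSubmatch(e.Details)
		if m == nil {
			continue
		}
		n, _ := strconv.Atoi(m[1])
		out = append(out, Finding{e.Cluster, e.Path, e.Client, n, errnoName[n],
			strings.HasPrefix(e.Cluster, "pomerium-control-plane")})
	}
	return out
}

func main() {
	for _, f := range ConnectFailures(sampleLog) {
		fmt.Printf("%+v\n", f)
	}
}
```

An `ETIMEDOUT` finding with `Internal` set matches the symptom in the post: the SYN leaves with the client's address as source and the connection to the local Pomerium port never completes.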