I’m trying to set the original source filter listener while configuring the Envoy
What happened?
I set the envoy.filters.http.original_src listener filter, with a Mark value while building the Main listener. However, the problem is that Envoy uses the original client IP for the auth requests forwarded to Pomerium as well. This results in the .pomerium/sign_in response failure from Pomerium.
What do I need support with?
So, is there a way where this listener filter can be set only for the configured routes, and exempt the pomerium routes from this?
Changes done
- buildMainListener -
    // Original-source listener filter config; Mark is taken from the EnvoyMark option.
    origSourceCfg := marshalAny(&envoy_filters_listener_orig_src_v3.OriginalSrc{
        Mark: cfg.Options.EnvoyMark,
    })
    // Attach the filter to the main listener's listener-filter chain.
    listenerFilters = append(listenerFilters, &envoy_config_listener_v3.ListenerFilter{
        Name: "envoy.filters.http.original_src",
        ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
            TypedConfig: origSourceCfg,
        },
    })
- Envoy forwards the auth sign in request to Pomerium over the HTTP_PORT, with the client-source ip
13:47:40.519214 IP .64707 > 127.0.0.1.26349: Flags [S], seq 4195850707, win 43690, options [mss 65495,sackOK,TS val 2901154527 ecr 0,nop,wscale 11], length 0
- Results in Error
"response-code":503,"response-code-details":"upstream_reset_before_response_started{connection_failure,delayed_connect_error:_110}",
What’s your environment like?
- Pomerium version v-0.17
What’s your config.yaml?
Not related to config.yaml
What did you see in the logs?
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"xxxx.xxxx.yyyyyy.com","path":"/.pomerium/sign_in","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","forwarded-for":"101.51.78.32","request-id":"eced7a3d-ddd9-4343-8923-4c379e6af973","duration":9139.790087,"size":145,"response-code":503,"response-code-details":"upstream_reset_before_response_started{connection_failure,delayed_connect_error:_110}","time":"2022-12-17T08:48:57Z","message":"http-request"}
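
A triage helper for the failure signature in the log entry above, as an added example that is not part of the original post or of Pomerium's code: it parses Envoy JSON access-log lines and reports connection-setup failures to Pomerium-internal clusters, with the OS errno from `delayed_connect_error` (110 is ETIMEDOUT on Linux). The type and function names, the trimmed sample lines and the `route-example` cluster name are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample, modelled on the access-log entry in the post (fields trimmed).
const sampleLog = `{"service":"envoy","upstream-cluster":"pomerium-control-plane-http","path":"/.pomerium/sign_in","forwarded-for":"101.51.78.32","response-code":503,"response-code-details":"upstream_reset_before_response_started{connection_failure,delayed_connect_error:_110}"}
{"service":"envoy","upstream-cluster":"route-example","path":"/","forwarded-for":"101.51.78.32","response-code":200,"response-code-details":"via_upstream"}`

type entry struct {
	Cluster string `json:"upstream-cluster"`
	Path    string `json:"path"`
	Client  string `json:"forwarded-for"`
	Details string `json:"response-code-details"`
}

// Finding is one failed connection attempt from Envoy to an internal cluster.
type Finding struct {
	Cluster, Path, Client string
	Errno                 int // OS errno from delayed_connect_error, 0 if absent
}

var errnoRe = regexp.MustCompile(`delayed_connect_error:_(\d+)`)

// InternalConnectFailures returns entries whose upstream cluster starts with
// clusterPrefix and whose response details report a connection failure.
func InternalConnectFailures(logs, clusterPrefix string) []Finding {
	var out []Finding
	for _, line := range strings.Split(logs, "\n") {
		var e entry
		if json.Unmarshal([]byte(line), &e) != nil || // skip non-JSON lines
			!strings.HasPrefix(e.Cluster, clusterPrefix) ||
			!strings.Contains(e.Details, "connection_failure") {
			continue
		}
		f := Finding{Cluster: e.Cluster, Path: e.Path, Client: e.Client}
		if m := errnoRe.FindStringSubmatch(e.Details); m != nil {
			f.Errno, _ = strconv.Atoi(m[1])
		}
		out = append(out, f)
	}
	return out
}

func main() {
	for _, f := range InternalConnectFailures(sampleLog, "pomerium-control-plane") {
		fmt.Printf("%s %s client=%s errno=%d\n", f.Cluster, f.Path, f.Client, f.Errno)
	}
}
```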