Bind listener to 0.0.0.0 or 127.0.0.1 #507
Comments
mattklein123
added
enhancement
|
Sorry for the delay. This feature is somewhat related to Right now we only expose "port" in the listener configuration. The simplest thing here assuming we want to just stay at top level is to add another parameter called "address." If address is specified it would be specified in Envoy "URL" notation such as "tcp://127.0.0.1:80" I think if one specifies "address" they don't need to specify "port." The URL notation would allow us to support UDP also with the same configuration. This is not a particularly complicated change, but it will require changing some plumbing in a few different places, unfortunately including the hot restart RPCs. @huggsboson in the short term, can you just use an iptables/firewall/etc. rule to block external access to the egress port? (This is what we do at Lyft). I can walk you through doing the change if you want, just unsure of priority. (This change is generally useful however). |
|
Thanks for the quick response. It's not super urgent as we haven't begun deploying out yet (or fully choosing). I looked through the code and you seemingly have most of the code in place to make this happen, so I may make a run at implementing it and throwing up a pull request. The iptables path is somewhat difficult for us to solve given that we're using containers/kube and some services may be using the well known ports that we'd be trying to block. So I'd rather just figure out how to get a patchset in for this, given the lack of urgency and difficulty. One question on configuration: I can either add a new address field (e.g. "address": "tcp://127.0.0.1:80") which would be mutually exclusive with port. Or I can add an optional interface field (e.g. "interface": "127.0.0.1", "port": 80) which would be additive and back compat with port. You have any preference? |
|
I prefer adding a mutually exclusive "address" field, since it will handle UDP, UDS, etc. also in the future. |
|
@huggsboson are you working on this? If not I think we need to implement this and @wattli is probably going to do it. Don't want to duplicate work if you have a patch in progress. |
|
I haven't started. Happy to see it implemented. |
|
@wattli some implementation notes:
If you need help please ask @kyessenov @lizan @htuch first, they should be able to give you tips. |
|
Thanks @mattklein123! @wattli let me know if you need any help. |
|
Thanks @lizan and @mattklein123 |
* Use the transition based build system for .wasm files. Signed-off-by: John Plevyak <jplevyak@gmail.com>
Description: this is a follow up to #498. This PR introduces `envoy_engine_callbacks`. They are similar in nature to envoy_http_callbacks. The difference being that they are not exposed all the way to consumer level in the library as it is not needed right now. However, one can see how by adding a type erased context pointer, and following the platform patterns for http callbacks we could thread this all the way up if need be. The immediate need for these callbacks is to detach the engine's native thread from the JVM on Android. Risk Level: med -- adds complexity to engine management. Testing: local testing on devices (Lyft and example app on iOS and Android). In conjunction with #498 this PR Fixes #492 #445 Signed-off-by: Jose Nino <jnino@lyft.com> Signed-off-by: JP Simard <jp@jpsim.com>
Description: this is a follow up to #498. This PR introduces `envoy_engine_callbacks`. They are similar in nature to envoy_http_callbacks. The difference being that they are not exposed all the way to consumer level in the library as it is not needed right now. However, one can see how by adding a type erased context pointer, and following the platform patterns for http callbacks we could thread this all the way up if need be. The immediate need for these callbacks is to detach the engine's native thread from the JVM on Android. Risk Level: med -- adds complexity to engine management. Testing: local testing on devices (Lyft and example app on iOS and Android). In conjunction with #498 this PR Fixes #492 #445 Signed-off-by: Jose Nino <jnino@lyft.com> Signed-off-by: JP Simard <jp@jpsim.com>
I noticed in the docs:
I would like to use envoy to terminate both incoming and outgoing Mutual Auth TLS (with service type specific certs). For this to work in a secure fashion I need egress ports to bind to 127.0.0.1 so that random folks on the network can't hit envoy and use it to impersonate the service using envoy. Is there any sense on how difficult it would be to add this functionality? I wouldn't mind contributing a patchset but I have no idea where to start.
The text was updated successfully, but these errors were encountered: