Cloudflare source IP filtering with Authorization Policy possible?

I am trying to find a way to use an Authorization Policy to filter on the Cloudflare cf-connecting-ip. Since we proxy all our requests using Cloudflare, we are not able to get the source IP directly, so the from matchers in the Authorization Policy won't work.

I was able to do this pretty easily with a list checker but I understand that this is deprecated and will be removed soon.

Any ideas?

Looking at the Cloudflare documentation https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-, it looks like "if there was no existing X-Forwarded-For header in the request sent to Cloudflare, X-Forwarded-For has an identical value to the CF-Connecting-IP header". Any chance to use X-Forwarded-For in your case?

We just merged a PR (hopefully will be in 1.8) to support the X-Forwarded-For in the remoteIp field in Authz: https://github.com/istio/istio/pull/27906
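As an added illustration (not part of the thread or the PR), this is the shape the X-Forwarded-For-based policy takes in Istio 1.8+: the gateway is told how many proxies in front of it to trust (one, Cloudflare, via `gatewayTopology.numTrustedProxies`), and the policy matches on `remoteIpBlocks`, which is derived from X-Forwarded-For, instead of `ipBlocks`, which only sees the TCP peer (Cloudflare's edge). The 203.0.113.0/24 range is a constructed placeholder for the addresses you want to allow.

```yaml
# Mesh-wide setting: the ingress gateway sits behind exactly one trusted proxy (Cloudflare).
# With numTrustedProxies: 1 the gateway takes the client address from X-Forwarded-For,
# skipping the one rightmost hop that Cloudflare appended. Do not trust more hops than
# you actually have, otherwise a client can spoof its address by pre-filling the header.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1
---
# Example policy on the ingress gateway. An ALLOW policy with a selector means every
# request to this gateway that matches no rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-only-known-client-range   # constructed name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        # remoteIpBlocks is evaluated against the address recovered from X-Forwarded-For
        # (honouring numTrustedProxies above). Using ipBlocks here instead would compare
        # against Cloudflare's edge IPs, so the rule would never match your real clients.
        remoteIpBlocks: ["203.0.113.0/24"]   # constructed placeholder range
```

Pair this with a restriction that the origin only accepts traffic from Cloudflare (for example at the network or firewall layer); otherwise a client reaching the gateway directly can set X-Forwarded-For itself and satisfy the rule.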

Yeah I think that would address this particular case. Thank you.

@YangminZhu Is it possible for these lists to be provided via HTTP APIs like they were in the old list handlers?

Currently we don’t support the dynamic data source in Authz API. One workaround is to write a custom controller to automatically update the Authz API based on your data source, see https://github.com/istio/client-go