Header Based Policy Rule x-real-ip

#1

I created a rule based on the documentation here: https://istio.io/docs/tasks/policy-enforcement/denial-and-list/#ip-based-whitelists-or-blacklists

I changed the source.ip of the listentry resource to request.headers["x-real-ip"], as Istio is operating behind nginx-ingress. Unfortunately this rule doesn't work at all. I already checked it with mixc. Are header-based policies supported right now?

0 Likes

#2

Hi!
The reason it does not work is a mismatched type. Using entryType: IP_ADDRESS assumes that the entry is an IP address value, while the header request.headers["x-real-ip"] is a string value.

Can you try using ip(request.headers["x-real-ip"] | "0.0.0.0") instead?

0 Likes
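The fix above, written out as a complete Mixer list-check policy (added example, not configuration posted in the thread or shipped by Istio). It assumes the Istio 1.0-era config.istio.io/v1alpha2 listchecker/listentry/rule kinds, an allowed client range of 10.0.0.0/8, an `app: myservice` label on the target workload and istio-system as the Mixer root namespace; change those to match your cluster.

```yaml
# Added example: allow-list keyed on the X-Real-IP header that nginx-ingress
# sets in front of Istio. CIDR, label and namespace are assumptions.
apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: whitelist-real-ip
  namespace: istio-system      # Mixer reads policy from its root namespace
spec:
  overrides: ["10.0.0.0/8"]    # assumed allowed client range (CIDR or single IP)
  blacklist: false             # true would turn the same list into a deny-list
  entryType: IP_ADDRESSES      # entries are compared as IP/CIDR, not as strings
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: real-ip
  namespace: istio-system
spec:
  # Broken form: request.headers["x-real-ip"] yields a STRING, which the
  # IP_ADDRESSES checker rejects as a type mismatch.
  #   value: request.headers["x-real-ip"]
  # Working form: ip() converts the string to the IP_ADDRESS type. The
  # "| 0.0.0.0" default keeps the expression evaluable when the header is
  # missing, and 0.0.0.0 is outside the allowed range, so such requests are denied.
  value: ip(request.headers["x-real-ip"] | "0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: check-real-ip
  namespace: istio-system
spec:
  match: destination.labels["app"] == "myservice"   # assumed label on the protected workload
  actions:
  - handler: whitelist-real-ip.listchecker
    instances: [ real-ip.listentry ]
```

Apply the three resources with kubectl and re-check with mixc before sending real traffic. One caveat a practitioner should keep in mind with any header-keyed policy: Mixer only sees the value nginx-ingress forwards, so the ingress must set X-Real-IP from the connecting address itself rather than pass a client-supplied header through, otherwise the list can be satisfied by anyone who sets the header.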

#3

This works. At least mixc does provide the correct output when I apply those resources to the istio-system namespace. Anyway, traffic is not blocked when accessing the service with curl, although the IP is reported correctly in the istio-proxy debug logs. The service is in another namespace though. If I put the rule, listentry resources and so on into that namespace, it doesn't even work with mixc.

0 Likes

#4

After a pod restart of the target service it works. Thank you!

0 Likes