I want to block a certain list of IPs from accessing my services. For that I am using the code below, but it gives me `upstream connect error or disconnect/reset before headers. reset reason: connection termination`. Am I doing something wrong? The Istio policy is set up correctly; I checked with the given example code, which was working fine, but I want to block external IPs.
```yaml
# handler: the listchecker adapter holding the static IP blacklist
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: blacklistip
spec:
  compiledAdapter: listchecker
  params:
    # providerUrl: ordinarily black and white lists are maintained
    # externally and fetched asynchronously using the providerUrl.
    overrides: ["xx.xx.xx.xx"]  # overrides provide a static list
    blacklist: true
    entryType: IP_ADDRESSES
---
# instance: the value checked against the list (the X-Forwarded-For header, or "unknown")
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: clientip
spec:
  compiledTemplate: listentry
  params:
    value: request.headers["x-forwarded-for"] | "unknown"
---
# rule: run the check for traffic arriving from the ingress gateway
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: blacklistip
    instances: [ clientip ]
```
I checked the istio-ingressgateway logs:

```json
{"bytes_sent":"95","upstream_cluster":"outbound|3000||api.default.svc.cluster.local","downstream_remote_address":"xx.xx.xx.xx:59762","authority":"api.example.com","path":"/core/csrf","protocol":"HTTP/2","upstream_service_time":"-","upstream_local_address":"-","duration":"1","downstream_local_address":"10.2.0.14:443","upstream_transport_failure_reason":"-","route_name":"-","response_code":"503","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36","response_flags":"UC","start_time":"2020-01-15T16:32:21.634Z","method":"GET","request_id":"353149b6-0749-4a1a-9348-4016d20215de","upstream_host":"10.2.0.33:3000","x_forwarded_for":"xx.xx.xx.xx","requested_server_name":"api.example.com","bytes_received":"0","istio_policy_status":"-"}
```
Istio proxy (sidecar) logs within the pod:

```json
{"authority":"-","path":"-","protocol":"-","upstream_service_time":"-","upstream_local_address":"127.0.0.1:53894","duration":"0","downstream_local_address":"10.2.0.33:3000","upstream_transport_failure_reason":"-","route_name":"-","response_code":"0","user_agent":"-","response_flags":"-","start_time":"2020-01-15T17:21:25.220Z","method":"-","request_id":"-","upstream_host":"127.0.0.1:3000","x_forwarded_for":"-","requested_server_name":"outbound_.3000_._.api.default.svc.cluster.local","bytes_received":"0","istio_policy_status":"-","bytes_sent":"0","upstream_cluster":"inbound|3000|https|api.default.svc.cluster.local","downstream_remote_address":"10.2.0.14:37126"}
```
Istio Version: 1.4.2
Mixer logs:

```
2020-01-15T22:48:47.633162Z error evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers''
2020-01-15T22:48:47.633192Z error error creating instance: destination='listentry:whitelistip.default(listchecker)', error='evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers'''
2020-01-15T22:48:47.633204Z error api Check failed: performing check operation failed: 1 error occurred:
* evaluation failed at [sourceip.instance.default]'Value': 'lookup failed: 'request.headers''
```
For `x-forwarded-for` to work, the gateway needs to forward that header to the istio-proxy sidecar running alongside your application pod.

You need to do some configuration in the gateway to forward it. Check this issue, which refers to other issues with details on how to do it.

If you have the option to use the nginx ingress instead of the Istio ingress, then you can use `request.headers["x-real-ip"]`, which is set by nginx based on its configuration.
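Added example, not from the question, the answer, or Istio itself: a stand-alone Python emulation of the decision that the handler, instance and rule in the question express, to show what the `| "unknown"` fallback does when the gateway does not forward the header. Assumptions: documentation addresses stand in for the poster's `xx.xx.xx.xx`; a value that is not a single IP literal matches no entry; and the `skip_from_right` hop selection is mine for illustration, not part of the posted instance (the real expression hands the header to the list verbatim).

```python
"""Stand-alone emulation of the listchecker decision that the handler, instance and
rule in the question express. Constructed example, not Istio or Mixer code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ListChecker:
    """Mirrors the handler params: static `overrides`, `blacklist`, entryType IP_ADDRESSES."""
    overrides: List[str]
    blacklist: bool = True
    networks: list = field(init=False, repr=False)

    def __post_init__(self) -> None:
        # Entries may be single addresses or CIDR ranges; "203.0.113.7" becomes a /32.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in self.overrides]

    def matches(self, value: str) -> bool:
        """Assumption: a value that is not one IP literal (the "unknown" fallback or an
        unsplit "a, b" header) matches no entry."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)

    def allowed(self, value: str) -> bool:
        """blacklist=True: allow unless listed. blacklist=False (whitelist): allow only if listed."""
        hit = self.matches(value)
        return not hit if self.blacklist else hit


def instance_value(headers: Dict[str, str], skip_from_right: Optional[int] = None) -> str:
    """The listentry expression request.headers["x-forwarded-for"] | "unknown".

    skip_from_right is an addition for illustration, not part of the original instance.
    None returns the header verbatim, as the expression does. An integer N picks the
    entry N places from the right end of a comma-separated header (0 = rightmost),
    the kind of trusted-proxy accounting an edge proxy has to do before the value
    can be trusted as the client address.
    """
    raw = headers.get("x-forwarded-for")
    if raw is None:
        return "unknown"
    if skip_from_right is None:
        return raw
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    idx = len(hops) - 1 - skip_from_right
    return hops[idx] if 0 <= idx < len(hops) else "unknown"


def evaluate(headers: Dict[str, str], checker: ListChecker,
             skip_from_right: Optional[int] = None) -> Tuple[str, bool]:
    """Returns (value the instance produced, True if the request is allowed)."""
    value = instance_value(headers, skip_from_right)
    return value, checker.allowed(value)


# Stand-ins for the question's xx.xx.xx.xx, taken from documentation address ranges.
BLACKLIST = ListChecker(overrides=["203.0.113.7", "198.51.100.0/24"], blacklist=True)
WHITELIST = ListChecker(overrides=["192.0.2.0/24"], blacklist=False)

# Constructed requests as the sidecar might see them.
REQUESTS = {
    "listed client": {"x-forwarded-for": "203.0.113.7"},
    "listed subnet": {"x-forwarded-for": "198.51.100.20"},
    "unlisted client": {"x-forwarded-for": "192.0.2.10"},
    "header not forwarded": {},
    "two hops": {"x-forwarded-for": "203.0.113.7, 10.2.0.14"},
}

if __name__ == "__main__":
    for name, hdrs in REQUESTS.items():
        value, ok = evaluate(hdrs, BLACKLIST)
        print(f"{name:22s} value={value!r:32s} blacklist -> {'ALLOW' if ok else 'DENY'}")
    # The multi-hop header only denies once one hop is picked out of it.
    print("two hops, skip 1:", evaluate(REQUESTS["two hops"], BLACKLIST, skip_from_right=1))
    # With the header missing, a whitelist fails closed where the blacklist failed open.
    print("missing, whitelist:", evaluate(REQUESTS["header not forwarded"], WHITELIST))
```

Under `blacklist: true` the fallback `"unknown"` matches nothing, so a request whose `x-forwarded-for` was not forwarded by the gateway (or that carries an unsplit multi-hop value) is allowed: the list fails open, which is exactly the situation the answer describes. The same fallback fails closed for a whitelist. Keep in mind that `x-forwarded-for` is client-supplied unless the edge proxy overwrites or truncates it, so the value fed to the list is only as trustworthy as the gateway's handling of that header.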