Allow wildcard port in route host/from #4460
Comments
I wonder if we can ignore the port number entirely (or perhaps ignore it unless specified explicitly). I believe Pomerium doesn't currently listen on multiple ports, so I'm not sure when you'd want it to make a distinction between different port numbers.
@kenjenkins if the server is configured to listen at port However, if Pomerium is exposed directly to the internet, and is still running on port
I agree @kenjenkins, providing an option to ignore the port in route matching would be a simple solution to the problem and would work perfectly. @wasaga The problem for me is that clients will arrive at Pomerium with both :443 and with :8443 in the host header, so it does not matter what I put in the To ignore the port, is the envoy setting
I'm not sure why the GitHub action closed this issue. I do think it could be worthwhile to provide an option for this. I don't see an easy way to make this configurable per route, but I think it wouldn't be too hard to implement a global configuration option for setting Envoy's
A change to support this will be in v26. The new behavior is that if a route does not have a port:

```yaml
- from: https://one.example.com
  to: local.service
```

A request on any incoming port will match that route, so there's no need to specify a list. That single route will by default match

- https://one.example.com
- https://one.example.com:8443
- https://one.example.com:18443

and any other port.
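To make the matching rule described above concrete, here is an added Go example (not Pomerium's own code, and the `Route`, `Matches` and `SelectRoute` names are assumptions for this illustration). A route whose `from` carries no port matches a request `Host` header on any port; the example additionally assumes that a `from` with an explicit port only matches that port, which the comment above does not state.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Route is a minimal stand-in for a Pomerium route's "from"/"to" pair
// (assumed structure for this example, not Pomerium's real type).
type Route struct {
	From string // e.g. "https://one.example.com" or "https://one.example.com:8443"
	To   string
}

// hostAndPort splits a request Host header into a lowercase host and a port
// ("" when the header carries no port). IPv6 literals keep their brackets
// stripped so they compare equal to url.URL.Hostname().
func hostAndPort(hostHeader string) (string, string) {
	h, p, err := net.SplitHostPort(hostHeader)
	if err != nil {
		return strings.ToLower(strings.Trim(hostHeader, "[]")), ""
	}
	return strings.ToLower(h), p
}

// Matches reports whether a request Host header selects this route.
// No port in "from"  -> any incoming port matches (the v0.26 behaviour).
// Explicit port in "from" -> only that port matches (assumption in this example).
func (r Route) Matches(hostHeader string) bool {
	u, err := url.Parse(r.From)
	if err != nil {
		return false
	}
	routeHost := strings.ToLower(u.Hostname())
	routePort := u.Port()
	reqHost, reqPort := hostAndPort(hostHeader)
	if routeHost != reqHost {
		return false
	}
	return routePort == "" || routePort == reqPort
}

// SelectRoute returns the first route matching the Host header, or nil.
// With port-agnostic matching a single route covers every port, so the
// duplicated per-port routes from the issue are no longer needed.
func SelectRoute(routes []Route, hostHeader string) *Route {
	for i := range routes {
		if routes[i].Matches(hostHeader) {
			return &routes[i]
		}
	}
	return nil
}

func main() {
	// Constructed sample config: one route, no port in "from".
	routes := []Route{{From: "https://one.example.com", To: "local.service"}}
	// Constructed sample Host headers as seen via different proxies/networks.
	for _, h := range []string{
		"one.example.com",
		"one.example.com:8443",
		"one.example.com:18443",
		"two.example.com:443",
	} {
		if r := SelectRoute(routes, h); r != nil {
			fmt.Printf("%-24s -> %s\n", h, r.To)
		} else {
			fmt.Printf("%-24s -> no route\n", h)
		}
	}
}
```

Running it shows the three `one.example.com` variants all resolving to `local.service` and the unrelated host falling through with no route.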
@ssveta7ak, to verify:
Implemented. Checked on pomerium: 0.26.0-1715969560+adb5f781
This is similar to #1677 and the merged #4131 which allows you to use wildcards in the 'from' route property. Also related to: #659
Is your feature request related to a problem? Please describe.
I have devices accessing the proxy via various local networks, and also remotely from behind other proxies. Pomerium runs/listens on port 8443. If accessing the proxy externally, generally you access via port 443 - which is then forwarded to 8443 on the local network by another proxy. If a device needs to access the proxy on the same local network, then they will directly use 8443. In some occasional cases, ports need to be re-mapped between local networks, so the client may access on even other ports.
Currently, to support this you would need to create a route for each possible port to the same service, and copy over any additional route configuration (such as access policies, headers etc):
This duplication needs to be done for each route/service, and can get particularly error-prone if the routes have complicated access policies and request/response rewriting.
Describe the solution you'd like
It would be good if you could define multiple "from" addresses, or use wildcards and/or regexes that also cover the port number in the host address.
For example, a solution using multiple "from" addresses, requiring you to spell out each port but share access policies and request rewriting properties -
Or a solution using wildcard (not covered by current implementation in #4131)
Or a solution using regexes (not covered by specification of #659)