Adds X-Forwarded-For settings page (#1488)

* first pass at updating these settings

* updates reference file entries

* updates redirects file

* fixes breaking changes

* runs prettier

* fixes cspell issue

* update XFF settings description and examples

* update access log fields reference link

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>

Author: ZPain8464

content/docs/reference/access-log-fields.mdx

@@ -98,8 +98,8 @@ The table below lists all available access log fields:
 | :-- | :-- | :-- |
 | `authority` | The HTTP request `:authority` or `Host` header value. Can be a domain name or IP address and may contain a port number (for example, `www.example.com`) | Yes |
 | `duration` | The amount of time the request takes to complete in seconds | Yes |
-| `forwarded-for` | This is the value of the [`X-Forwarded-For`](/docs/reference/x-forwarded-for-http-header) header (as sent to the upstream service) | Yes |
-| `ip` | The user's IP address. Note that this depends on setting the [`xff_num_trusted_hops`](/docs/reference/the-number-of-trusted-hops) option appropriately. | No |
+| `forwarded-for` | The value of the `X-Forwarded-For` header, as sent to the upstream service (see also [X-Forwarded-For Settings](/docs/reference/x-forwarded-for-settings)) | Yes |
+| `ip` | The user's IP address. Note that this depends on setting the [`xff_num_trusted_hops`](/docs/reference/x-forwarded-for-settings#xff-number-of-trusted-hops) option appropriately. | No |
 | `method` | The HTTP request method, such as `GET`, `POST`, or `PUT` | Yes |
 | `path` | The HTTP request path (for example, `/some/path`) | Yes |
 | `referer` | The HTTP request referer, or the address of the web page from which the resource has been requested | Yes |

content/docs/reference/reference.json

@@ -725,20 +725,26 @@
   },
   "x-forwarded-for-http-header": {
     "id": "x-forwarded-for-http-header",
-    "title": "X-Forwarded-For HTTP Header",
-    "path": "/x-forwarded-for-http-header",
-    "description": "Indicates which IP addresses a request has flowed through between the client and upstream service.",
+    "title": "Skip XFF Append",
+    "path": "/x-forwarded-for-settings#skip-xff-append",
+    "description": "Do not append client IP address to X-Forwarded-For header.",
     "services": [],
     "type": "bool"
   },
   "the-number-of-trusted-hops": {
     "id": "the-number-of-trusted-hops",
-    "title": "The number of trusted hops",
-    "path": "the-number-of-trusted-hops",
+    "title": "XFF Number of Trusted Hops",
+    "path": "/x-forwarded-for-settings#xff-number-of-trusted-hops",
     "description": "The number of trusted reverse proxies in front of pomerium.",
     "services": [],
     "type": "uint32"
   },
+  "x-forwarded-for-settings": {
+    "id": "x-forwarded-for-settings",
+    "title": "X-Forwarded-For Settings",
+    "path": "/x-forwarded-for-settings",
+    "description": "Describes X-Forwarded-For settings and behavior."
+  },
   "codec-type": {
     "id": "codec-type",
     "title": "Codec Type",

content/docs/reference/the-number-of-trusted-hops.mdx

@@ -0,0 +1,190 @@
+---
+id: x-forwarded-for-settings
+title: X-Forwarded-For Settings
+description: This page documents X-Forwarded-HTTP header settings.
+keywords:
+  - reference
+  - X-Forwarded-For settings
+  - x-forwarded-for-http-header
+  - x forwarded for http header
+  - the number of trusted hops
+  - xff_num_trusted_hops
+  - xff num trusted hops
+pagination_prev: null
+pagination_next: null
+toc_max_heading_level: 2
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# X-Forwarded-For Settings
+
+The `X-Forwarded-For` (XFF) HTTP header lists the IP addresses a request has passed through on its way from the end user (client) to a backend service.
+
+(This is most relevant for deployments where there is another L7 proxy or load balancer in front of Pomerium, or in between Pomerium and upstream services.)
+
+The following settings affect the way Pomerium sets or consumes the XFF header.
+
+## Skip XFF Append
+
+By default, when Pomerium receives a request, it appends the IP address of the direct downstream client to the XFF header before proxying the request to the upstream service.
+
+However, if you set the **Skip XFF Append** (`skip_xff_append`) option to `true`, Pomerium will not modify an incoming XFF header. Instead, Pomerium will pass this incoming header to the upstream service unchanged.
+
+### How to configure
+
+<Tabs>
+<TabItem value="Core" label="Core">
+
+| **Config file keys** | **Environment variables** | **Type**  | **Default** |
+| :------------------- | :------------------------ | :-------- | :---------- |
+| `skip_xff_append`    | `SKIP_XFF_APPEND`         | `boolean` | `false`     |
+
+### Examples
+
+```yaml
+skip_xff_append: true
+```
+
+```bash
+SKIP_XFF_APPEND=true
+```
+
+</TabItem>
+<TabItem value="Enterprise" label="Enterprise">
+
+Configure **X-Forward-For HTTP Header** with the toggle button in the Console. The button has three states:
+
+- **Unset** ("-") uses the value in your configuration file
+- **Checkmark** sets `skip_xff_append` to `true`
+- **Empty** sets `skip_xff_append` to `false`
+
+![Configure x-forward-for-http-headers in the console](./img/headers/x-forwarded-for-http-header.png)
+
+</TabItem>
+<TabItem value="Kubernetes" label="Kubernetes">
+
+Kubernetes does not support `skip_xff_append`
+
+</TabItem>
+</Tabs>
+
+### Skip XFF Append examples
+
+Assume you have a load balancer in front of Pomerium, and it connects to Pomerium from IP address `10.1.2.3`. Say that the load balancer is configured to populate the `X-Forwarded-For` header, so that if a client connects to the load balancer from IP address `192.0.5.1`, then the load balancer will set `X-Forwarded-For: 192.0.5.1` on the request to Pomerium.
+
+With `skip_xff_append` set to `false` (the default behavior), Pomerium will then append the IP address of the load balancer on the request made to the upstream service:
+
+```plain title="Request Details"
+X-Forwarded-For: 192.0.5.1,10.1.2.3
+```
+
+With `skip_xff_append` set to `true`, Pomerium will not append the IP address of the load balancer on the request made to the upstream service:
+
+```plain title="Request Details"
+X-Forwarded-For: 192.0.5.1
+```
+
+## XFF Number of Trusted Hops
+
+The **XFF Number of Trusted Hops** (`xff_num_trusted_hops`) setting instructs Pomerium whether to trust an incoming request's XFF header.
+
+When unset or set to `0`, Pomerium will not trust the incoming XFF header. Pomerium will consider the client IP address to be the IP address of the direct downstream client.
+
+This affects the client IP address logged in the access logs (if configured; see [Access log fields](/docs/reference/access-log-fields#access-log-fields-and-defaults)). The client IP address is also sent to the upstream service in the [`x-envoy-external-address` header](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-envoy-external-address).
+
+:::info X-Forwarded-Proto header
+
+This setting also affects whether Pomerium trusts the [`X-Forwarded-Proto` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto). This header indicates the originating protocol (either HTTP or HTTPS) of the downstream client request. Pomerium will only trust the downstream `X-Forwarded-Proto` header if you set `xff_num_trusted_hops` to a _non-zero_ value.
+
+When set to `0`, Pomerium will set the `X-Forwarded-Proto` header to either `http` or `https` depending on whether the downstream connection is secured over TLS.
+
+:::
+
+### How to configure
+
+<Tabs>
+<TabItem value="Core" label="Core">
+
+| **Config file keys**   | **Environment variables** | **Type** | **Usage**    |
+| :--------------------- | :------------------------ | :------- | :----------- |
+| `xff_num_trusted_hops` | `XFF_NUM_TRUSTED_HOPS`    | `uint32` | **optional** |
+
+### Examples
+
+```yaml
+xff_num_trusted_hops: 2
+```
+
+```bash
+XFF_NUM_TRUSTED_HOPS=2
+```
+
+</TabItem>
+<TabItem value="Enterprise" label="Enterprise">
+
+`xff_num_trusted_hops` is a bootstrap configuration setting and is not configurable in the Console.
+
+</TabItem>
+<TabItem value="Kubernetes" label="Kubernetes">
+
+Kubernetes does not support `xff_num_trusted_hops`
+
+</TabItem>
+</Tabs>
+
+### XFF Number of Trusted Hops examples
+
+As in the previous example, assume you have a load balancer in front of Pomerium, which connects to Pomerium from IP address `10.1.2.3`, and is configured to populate the `X-Forwarded-For` header.
+
+With `xff_num_trusted_hops` set to `0`, Pomerium's access log will show the load balancer IP address (`10.1.2.3`) as the client IP address for all incoming requests.
+
+```yaml {title="config.yaml"}
+xff_num_trusted_hops: 0
+access_log_fields: [forwarded-for, ip, method, path]
+```
+
+Example access log entry:
+
+```json
+{
+  "level": "info",
+  "service": "envoy",
+  "forwarded-for": "192.0.5.1,10.1.2.3",
+  "ip": "10.1.2.3",
+  "method": "GET",
+  "path": "/",
+  "time": "2024-07-08T16:42:48-07:00",
+  "message": "http-request"
+}
+```
+
+With the `xff_num_trusted_hops` option set to `1`, Pomerium will trust the client IP address populated by the load balancer:
+
+```yaml {title="config.yaml"}
+xff_num_trusted_hops: 1
+access_log_fields: [forwarded-for, ip, method, path]
+```
+
+Example access log entry:
+
+```json
+{
+  "level": "info",
+  "service": "envoy",
+  "forwarded-for": "192.0.5.1,10.1.2.3",
+  // highlight-next-line
+  "ip": "192.0.5.1",
+  "method": "GET",
+  "path": "/",
+  "time": "2024-07-08T16:42:48-07:00",
+  "message": "http-request"
+}
+```
+
+:::info Additional Resource
+
+See the [**Envoy docs**](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html?highlight=skip_xff_append#x-forwarded-for) for more information about the `X-Forwarded-For` header.
+
+:::

content/docs/reference/x-forwarded-for-http-header.mdx

@@ -457,6 +457,10 @@ https://0-20-0.docs.pomerium.com/category/guides https://0-20-0.docs.pomerium.co
 # Pass Identity Headers
 /docs/reference/routes/pass-identity-headers /docs/reference/routes/pass-identity-headers-per-route
 
+# X-Forwarded-For Settings
+/docs/reference/x-forwarded-for-http-header /docs/reference/x-forwarded-for-settings#skip-xff-append
+/docs/reference/the-number-of-trusted-hops /docs/reference/x-forwarded-for-settings#xff-number-of-trusted-hops
+
 # Topics links - now concepts
 /docs/topics/auth-logs /docs/capabilities/audit-logs
 /docs/topics/single-sign-out.html /docs/capabilities/single-sign-out