add support for Envoy's server header transformation for responses (#4906)

Adds support for configuring Envoy's server
header transformation, which customizes how
Envoy treats the Server header on responses.
The Server header can now be passed through
as-is or only set to "envoy" if no other value
is present, in addition to the default behavior
of always setting the Server header to "envoy".

Closes #4359.

Signed-off-by: Vishal Choudhary <[email protected]>
Signed-off-by: Vishal Choudhary <[email protected]>
Signed-off-by: Steve Kriss <[email protected]>
Co-authored-by: Steve Kriss <[email protected]>
vishal-chdhry and skriss authored Jan 23, 2023
1 parent bf8ffcc commit cf769c1
Showing 21 changed files with 474 additions and 27 deletions.
27 changes: 27 additions & 0 deletions apis/projectcontour/v1alpha1/contourconfig.go
Expand Up @@ -336,6 +336,18 @@ type EnvoyListenerConfig struct {
// +optional
DisableMergeSlashes *bool `json:"disableMergeSlashes,omitempty"`

// Defines the action to be applied to the Server header on the response path.
// When configured as overwrite, overwrites any Server header with "envoy".
// When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to "envoy".
// When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present.
//
// Values: `overwrite` (default), `append_if_absent`, `pass_through`
//
// Other values will produce an error.
// Contour's default is overwrite.
// +optional
ServerHeaderTransformation ServerHeaderTransformationType `json:"serverHeaderTransformation,omitempty"`

// ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
// See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
// for more information.
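Review bot: The comment on ServerHeaderTransformation promises that "Other values will produce an error", but the field carries only `+optional`, and the CRD schema generated in this same commit declares it as a plain `type: string` with no enum, so the API server will accept any string. Consider adding a `+kubebuilder:validation:Enum=overwrite;append_if_absent;pass_through` marker above the field so that rejection happens at admission rather than depending on a later check that is not part of these lines.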
Expand Down Expand Up @@ -532,6 +544,21 @@ const (
AllClusterDNSFamily ClusterDNSFamilyType = "all"
)

// ServerHeaderTransformation defines the action to be applied to the Server header on the response path
type ServerHeaderTransformationType string

const (
// Overwrite any Server header with "envoy".
// This is the default value.
OverwriteServerHeader ServerHeaderTransformationType = "overwrite"
// If no Server header is present, set it to "envoy".
// If a Server header is present, pass it through.
AppendIfAbsentServerHeader ServerHeaderTransformationType = "append_if_absent"
// Pass through the value of the Server header, and do not append a header
// if none is present.
PassThroughServerHeader ServerHeaderTransformationType = "pass_through"
)

// ClusterParameters holds various configurable cluster values.
type ClusterParameters struct {
// DNSLookupFamily defines how external names are looked up
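Review bot: The doc comment on the new type opens with "ServerHeaderTransformation defines ..." while the declared name is ServerHeaderTransformationType; Go doc comments should start with the identifier they describe, so the first word should be changed to match. The three constants could likewise lead with their own names (for example "OverwriteServerHeader overwrites any Server header ...") so they render cleanly in godoc and pass comment linters.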
6 changes: 6 additions & 0 deletions changelogs/unreleased/4906-Vishal-Chdhry-minor.md
@@ -0,0 +1,6 @@
## Enable configuring Server header transformation

Envoy's treatment of the Server header on responses can now be configured in the Contour config file or ContourConfiguration CRD.
When configured as `overwrite`, Envoy overwrites any Server header with "envoy".
When configured as `append_if_absent`, ⁣if a Server header is present, Envoy will pass it through, otherwise, it will set it to "envoy".
When configured as `pass_through`, Envoy passes through the value of the Server header and does not append a header if none is present.
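Review bot: The `append_if_absent` sentence appears to contain a stray invisible character between the comma and "if"; retype that stretch so it does not end up in the release notes. The entry also never says that `overwrite` stays the default or names the `serverHeaderTransformation` field, and it would help operators to state that the other two modes let a backend's own Server value reach clients, which matters to anyone relying on the overwrite to keep backend software banners out of responses.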
1 change: 1 addition & 0 deletions cmd/contour/serve.go
Expand Up @@ -348,6 +348,7 @@ func (s *Server) doServe() error {
DefaultHTTPVersions: parseDefaultHTTPVersions(contourConfiguration.Envoy.DefaultHTTPVersions),
AllowChunkedLength: !*contourConfiguration.Envoy.Listener.DisableAllowChunkedLength,
MergeSlashes: !*contourConfiguration.Envoy.Listener.DisableMergeSlashes,
ServerHeaderTransformation: contourConfiguration.Envoy.Listener.ServerHeaderTransformation,
XffNumTrustedHops: *contourConfiguration.Envoy.Network.XffNumTrustedHops,
ConnectionBalancer: contourConfiguration.Envoy.Listener.ConnectionBalancer,
}
19 changes: 15 additions & 4 deletions cmd/contour/servecontext.go
Expand Up @@ -378,6 +378,16 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
}
}

var serverHeaderTransformation contour_api_v1alpha1.ServerHeaderTransformationType
switch ctx.Config.ServerHeaderTransformation {
case config.OverwriteServerHeader:
serverHeaderTransformation = contour_api_v1alpha1.OverwriteServerHeader
case config.AppendIfAbsentServerHeader:
serverHeaderTransformation = contour_api_v1alpha1.AppendIfAbsentServerHeader
case config.PassThroughServerHeader:
serverHeaderTransformation = contour_api_v1alpha1.PassThroughServerHeader
}

policy := &contour_api_v1alpha1.PolicyConfig{
RequestHeadersPolicy: &contour_api_v1alpha1.HeadersPolicy{
Set: ctx.Config.Policy.RequestHeadersPolicy.Set,
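Review bot: The switch on ctx.Config.ServerHeaderTransformation has no default case, so an empty or unrecognized value leaves serverHeaderTransformation as the empty string, and that is what lands in the ContourConfigurationSpec without any error or log. Either add a default branch that falls back to contour_api_v1alpha1.OverwriteServerHeader, or add a comment pointing at where the config value is validated so the silent fall-through is clearly intentional.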
Expand Down Expand Up @@ -439,10 +449,11 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
},
Envoy: &contour_api_v1alpha1.EnvoyConfig{
Listener: &contour_api_v1alpha1.EnvoyListenerConfig{
UseProxyProto: &ctx.useProxyProto,
DisableAllowChunkedLength: &ctx.Config.DisableAllowChunkedLength,
DisableMergeSlashes: &ctx.Config.DisableMergeSlashes,
ConnectionBalancer: ctx.Config.Listener.ConnectionBalancer,
UseProxyProto: &ctx.useProxyProto,
DisableAllowChunkedLength: &ctx.Config.DisableAllowChunkedLength,
DisableMergeSlashes: &ctx.Config.DisableMergeSlashes,
ServerHeaderTransformation: serverHeaderTransformation,
ConnectionBalancer: ctx.Config.Listener.ConnectionBalancer,
TLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
CipherSuites: cipherSuites,
17 changes: 14 additions & 3 deletions cmd/contour/servecontext_test.go
Expand Up @@ -406,9 +406,10 @@ func TestConvertServeContext(t *testing.T) {
Namespace: "projectcontour",
},
Listener: &contour_api_v1alpha1.EnvoyListenerConfig{
UseProxyProto: ref.To(false),
DisableAllowChunkedLength: ref.To(false),
DisableMergeSlashes: ref.To(false),
UseProxyProto: ref.To(false),
DisableAllowChunkedLength: ref.To(false),
DisableMergeSlashes: ref.To(false),
ServerHeaderTransformation: contour_api_v1alpha1.OverwriteServerHeader,
TLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: "",
},
Expand Down Expand Up @@ -688,6 +689,16 @@ func TestConvertServeContext(t *testing.T) {
return cfg
},
},
"server header transformation": {
getServeContext: func(ctx *serveContext) *serveContext {
ctx.Config.ServerHeaderTransformation = config.AppendIfAbsentServerHeader
return ctx
},
getContourConfiguration: func(cfg contour_api_v1alpha1.ContourConfigurationSpec) contour_api_v1alpha1.ContourConfigurationSpec {
cfg.Envoy.Listener.ServerHeaderTransformation = contour_api_v1alpha1.AppendIfAbsentServerHeader
return cfg
},
},
}

for name, tc := range cases {
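Review bot: The new "server header transformation" case exercises only config.AppendIfAbsentServerHeader, so the pass_through branch of the conversion switch and the behaviour for an unset or invalid value are untested. Adding a config.PassThroughServerHeader case and one for an empty value would pin down the fall-through behaviour of the switch in convertToContourConfigurationSpec.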
24 changes: 24 additions & 0 deletions examples/contour/01-crds.yaml
Expand Up @@ -181,6 +181,18 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the Server
header on the response path. When configured as overwrite,
overwrites any Server header with \"envoy\". When configured
as append_if_absent, if a Server header is present, pass
it through, otherwise set it to \"envoy\". When configured
as pass_through, pass through the value of the Server header,
and do not append a header if none is present. \n Values:
`overwrite` (default), `append_if_absent`, `pass_through`
\n Other values will produce an error. Contour's default
is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS listener
values.
Expand Down Expand Up @@ -3184,6 +3196,18 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the
Server header on the response path. When configured
as overwrite, overwrites any Server header with \"envoy\".
When configured as append_if_absent, if a Server header
is present, pass it through, otherwise set it to \"envoy\".
When configured as pass_through, pass through the value
of the Server header, and do not append a header if
none is present. \n Values: `overwrite` (default), `append_if_absent`,
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS
listener values.
24 changes: 24 additions & 0 deletions examples/render/contour-deployment.yaml
Expand Up @@ -394,6 +394,18 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the Server
header on the response path. When configured as overwrite,
overwrites any Server header with \"envoy\". When configured
as append_if_absent, if a Server header is present, pass
it through, otherwise set it to \"envoy\". When configured
as pass_through, pass through the value of the Server header,
and do not append a header if none is present. \n Values:
`overwrite` (default), `append_if_absent`, `pass_through`
\n Other values will produce an error. Contour's default
is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS listener
values.
Expand Down Expand Up @@ -3397,6 +3409,18 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the
Server header on the response path. When configured
as overwrite, overwrites any Server header with \"envoy\".
When configured as append_if_absent, if a Server header
is present, pass it through, otherwise set it to \"envoy\".
When configured as pass_through, pass through the value
of the Server header, and do not append a header if
none is present. \n Values: `overwrite` (default), `append_if_absent`,
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS
listener values.
24 changes: 24 additions & 0 deletions examples/render/contour-gateway-provisioner.yaml
Expand Up @@ -195,6 +195,18 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the Server
header on the response path. When configured as overwrite,
overwrites any Server header with \"envoy\". When configured
as append_if_absent, if a Server header is present, pass
it through, otherwise set it to \"envoy\". When configured
as pass_through, pass through the value of the Server header,
and do not append a header if none is present. \n Values:
`overwrite` (default), `append_if_absent`, `pass_through`
\n Other values will produce an error. Contour's default
is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS listener
values.
Expand Down Expand Up @@ -3198,6 +3210,18 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the
Server header on the response path. When configured
as overwrite, overwrites any Server header with \"envoy\".
When configured as append_if_absent, if a Server header
is present, pass it through, otherwise set it to \"envoy\".
When configured as pass_through, pass through the value
of the Server header, and do not append a header if
none is present. \n Values: `overwrite` (default), `append_if_absent`,
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS
listener values.
24 changes: 24 additions & 0 deletions examples/render/contour-gateway.yaml
Expand Up @@ -400,6 +400,18 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the Server
header on the response path. When configured as overwrite,
overwrites any Server header with \"envoy\". When configured
as append_if_absent, if a Server header is present, pass
it through, otherwise set it to \"envoy\". When configured
as pass_through, pass through the value of the Server header,
and do not append a header if none is present. \n Values:
`overwrite` (default), `append_if_absent`, `pass_through`
\n Other values will produce an error. Contour's default
is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS listener
values.
Expand Down Expand Up @@ -3403,6 +3415,18 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the
Server header on the response path. When configured
as overwrite, overwrites any Server header with \"envoy\".
When configured as append_if_absent, if a Server header
is present, pass it through, otherwise set it to \"envoy\".
When configured as pass_through, pass through the value
of the Server header, and do not append a header if
none is present. \n Values: `overwrite` (default), `append_if_absent`,
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS
listener values.
24 changes: 24 additions & 0 deletions examples/render/contour.yaml
Expand Up @@ -394,6 +394,18 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the Server
header on the response path. When configured as overwrite,
overwrites any Server header with \"envoy\". When configured
as append_if_absent, if a Server header is present, pass
it through, otherwise set it to \"envoy\". When configured
as pass_through, pass through the value of the Server header,
and do not append a header if none is present. \n Values:
`overwrite` (default), `append_if_absent`, `pass_through`
\n Other values will produce an error. Contour's default
is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS listener
values.
Expand Down Expand Up @@ -3397,6 +3409,18 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
serverHeaderTransformation:
description: "Defines the action to be applied to the
Server header on the response path. When configured
as overwrite, overwrites any Server header with \"envoy\".
When configured as append_if_absent, if a Server header
is present, pass it through, otherwise set it to \"envoy\".
When configured as pass_through, pass through the value
of the Server header, and do not append a header if
none is present. \n Values: `overwrite` (default), `append_if_absent`,
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
tls:
description: TLS holds various configurable Envoy TLS
listener values.
9 changes: 5 additions & 4 deletions internal/contourconfig/contourconfiguration.go
Expand Up @@ -74,10 +74,11 @@ func Defaults() contour_api_v1alpha1.ContourConfigurationSpec {
},
Envoy: &contour_api_v1alpha1.EnvoyConfig{
Listener: &contour_api_v1alpha1.EnvoyListenerConfig{
UseProxyProto: ref.To(false),
DisableAllowChunkedLength: ref.To(false),
DisableMergeSlashes: ref.To(false),
ConnectionBalancer: "",
UseProxyProto: ref.To(false),
DisableAllowChunkedLength: ref.To(false),
DisableMergeSlashes: ref.To(false),
ServerHeaderTransformation: contour_api_v1alpha1.OverwriteServerHeader,
ConnectionBalancer: "",
TLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: "1.2",
CipherSuites: contour_api_v1alpha1.DefaultTLSCiphers,