Ability to disable Envoy adding server headers to responses #4906

Merged
merged 17 commits into from
Jan 23, 2023
Changes from 5 commits
8 changes: 8 additions & 0 deletions apis/projectcontour/v1alpha1/contourconfig.go
@@ -16,6 +16,7 @@ package v1alpha1
import (
contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1"

http "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

@@ -336,6 +337,13 @@ type EnvoyListenerConfig struct {
// +optional
DisableMergeSlashes *bool `json:"disableMergeSlashes,omitempty"`

// DisableServerHeaderTransformation signifies Envoy will not modify the Server header.
// It has 3 possible values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT
//
// Contour's default is OVERWRITE.
// +optional
DisableServerHeaderTransformation *http.HttpConnectionManager_ServerHeaderTransformation `json:"disableServerHeaderTransformation,omitempty"`

// ConnectionBalancer. If the value is exact, the listener will use the exact connection balancer
// See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/listener.proto#envoy-api-msg-listener-connectionbalanceconfig
// for more information.
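Review bot: the field name `DisableServerHeaderTransformation` and its godoc ("signifies Envoy will not modify the Server header") describe a boolean switch, but the type is the three-valued enum `http.HttpConnectionManager_ServerHeaderTransformation` and the documented default is OVERWRITE, which is precisely the mode that does modify the header. Rename it to `ServerHeaderTransformation`, matching the setter this PR adds in internal/envoy/v3/listener.go, and reword the comment to say which transformation Envoy applies. Embedding the go-control-plane proto type directly in the CRD API also means the field serialises as an int32 rather than the named values the comment lists; a string type with `// +kubebuilder:validation:Enum=OVERWRITE;PASS_THROUGH;APPEND_IF_ABSENT` would let users write the names and have the API server reject anything else.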
6 changes: 6 additions & 0 deletions apis/projectcontour/v1alpha1/zz_generated.deepcopy.go


1 change: 1 addition & 0 deletions cmd/contour/serve.go
@@ -348,6 +348,7 @@ func (s *Server) doServe() error {
DefaultHTTPVersions: parseDefaultHTTPVersions(contourConfiguration.Envoy.DefaultHTTPVersions),
AllowChunkedLength: !*contourConfiguration.Envoy.Listener.DisableAllowChunkedLength,
MergeSlashes: !*contourConfiguration.Envoy.Listener.DisableMergeSlashes,
ServerHeaderTransformation: *contourConfiguration.Envoy.Listener.DisableServerHeaderTransformation,
XffNumTrustedHops: *contourConfiguration.Envoy.Network.XffNumTrustedHops,
ConnectionBalancer: contourConfiguration.Envoy.Listener.ConnectionBalancer,
}
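Review bot: the two lines above negate their `Disable*` sources (`!*...DisableAllowChunkedLength`, `!*...DisableMergeSlashes`) while `ServerHeaderTransformation` is assigned `*...DisableServerHeaderTransformation` unchanged; passing the enum straight through is the correct behaviour, and the asymmetry is the clearest sign that the `Disable` prefix on the source field is wrong. Like its neighbours, the unconditional dereference relies on the defaulting code always populating the pointer, so the default set in internal/contourconfig must be a non-nil value of the same pointer type.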
9 changes: 5 additions & 4 deletions cmd/contour/servecontext.go
@@ -439,10 +439,11 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
},
Envoy: &contour_api_v1alpha1.EnvoyConfig{
Listener: &contour_api_v1alpha1.EnvoyListenerConfig{
UseProxyProto: &ctx.useProxyProto,
DisableAllowChunkedLength: &ctx.Config.DisableAllowChunkedLength,
DisableMergeSlashes: &ctx.Config.DisableMergeSlashes,
ConnectionBalancer: ctx.Config.Listener.ConnectionBalancer,
UseProxyProto: &ctx.useProxyProto,
DisableAllowChunkedLength: &ctx.Config.DisableAllowChunkedLength,
DisableMergeSlashes: &ctx.Config.DisableMergeSlashes,
DisableServerHeaderTransformation: &ctx.Config.DisableServerHeaderTransformation,
ConnectionBalancer: ctx.Config.Listener.ConnectionBalancer,
TLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
CipherSuites: cipherSuites,
14 changes: 14 additions & 0 deletions examples/contour/01-crds.yaml
@@ -181,6 +181,13 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n Contour's
default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS listener
values.
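Review bot: the generated schema types `disableServerHeaderTransformation` as `type: integer` / `format: int32`, so users have to write the protobuf enum's numeric value even though the description promises the names OVERWRITE, PASS_THROUGH and APPEND_IF_ABSENT, and with no `enum:` list any int32 passes API server validation. Typing the Go field as a string with an enum validation marker would make this CRD, and the rendered copies under examples/render that repeat this block, expose the names with validation instead.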
@@ -3177,6 +3184,13 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n
Contour's default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS
listener values.
14 changes: 14 additions & 0 deletions examples/render/contour-deployment.yaml
@@ -394,6 +394,13 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n Contour's
default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3390,6 +3397,13 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n
Contour's default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS
listener values.
14 changes: 14 additions & 0 deletions examples/render/contour-gateway-provisioner.yaml
@@ -195,6 +195,13 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n Contour's
default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3191,6 +3198,13 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n
Contour's default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS
listener values.
14 changes: 14 additions & 0 deletions examples/render/contour-gateway.yaml
@@ -400,6 +400,13 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n Contour's
default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3396,6 +3403,13 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n
Contour's default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS
listener values.
14 changes: 14 additions & 0 deletions examples/render/contour.yaml
@@ -394,6 +394,13 @@ spec:
slashes from request URL paths. \n Contour's default is
false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n Contour's
default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3390,6 +3397,13 @@ spec:
duplicate slashes from request URL paths. \n Contour's
default is false."
type: boolean
disableServerHeaderTransformation:
description: "DisableServerHeaderTransformation signifies
Envoy will not modify the Server header. It has 3 possible
values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT \n
Contour's default is OVERWRITE."
format: int32
type: integer
tls:
description: TLS holds various configurable Envoy TLS
listener values.
9 changes: 5 additions & 4 deletions internal/contourconfig/contourconfiguration.go
@@ -74,10 +74,11 @@ func Defaults() contour_api_v1alpha1.ContourConfigurationSpec {
},
Envoy: &contour_api_v1alpha1.EnvoyConfig{
Listener: &contour_api_v1alpha1.EnvoyListenerConfig{
UseProxyProto: ref.To(false),
DisableAllowChunkedLength: ref.To(false),
DisableMergeSlashes: ref.To(false),
ConnectionBalancer: "",
UseProxyProto: ref.To(false),
DisableAllowChunkedLength: ref.To(false),
DisableMergeSlashes: ref.To(false),
DisableServerHeaderTransformation: ref.To(false),
ConnectionBalancer: "",
TLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: "1.2",
CipherSuites: contour_api_v1alpha1.DefaultTLSCiphers,
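Review bot: `DisableServerHeaderTransformation: ref.To(false)` does not type-check against the field added in apis/projectcontour/v1alpha1/contourconfig.go, which is `*http.HttpConnectionManager_ServerHeaderTransformation`; `ref.To(false)` produces a `*bool`. The default should mirror the one in pkg/config/parameters.go in this PR, `ref.To(http.HttpConnectionManager_OVERWRITE)` (with the go-control-plane import added to this file), so that the dereference in cmd/contour/serve.go sees a non-nil pointer and Envoy's existing behaviour is preserved for configurations that do not set the field.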
11 changes: 9 additions & 2 deletions internal/envoy/v3/listener.go
@@ -161,6 +161,7 @@ type httpConnectionManagerBuilder struct {
codec HTTPVersionType // Note the zero value is AUTO, which is the default we want.
allowChunkedLength bool
mergeSlashes bool
serverHeaderTransformation http.HttpConnectionManager_ServerHeaderTransformation
forwardClientCertificate *dag.ClientCertificateDetails
numTrustedHops uint32
}
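Review bot: `codec` carries a comment noting that its zero value is the default we want; `serverHeaderTransformation` deserves the same note, since the proto enum's zero value is `OVERWRITE`, Envoy's own default, so builders that never call the new setter keep today's behaviour. Recording that here saves a future reader from wondering whether an unset value hands the HCM an invalid transformation.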
@@ -241,6 +242,11 @@ func (b *httpConnectionManagerBuilder) MergeSlashes(enabled bool) *httpConnectio
return b
}

func (b *httpConnectionManagerBuilder) ServerHeaderTransformation(value http.HttpConnectionManager_ServerHeaderTransformation) *httpConnectionManagerBuilder {
b.serverHeaderTransformation = value
return b
}

func (b *httpConnectionManagerBuilder) ForwardClientCertificate(details *dag.ClientCertificateDetails) *httpConnectionManagerBuilder {
b.forwardClientCertificate = details
return b
@@ -453,8 +459,9 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_listener_v3.Filter {
},

// issue #1487 pass through X-Request-Id if provided.
PreserveExternalRequestId: true,
MergeSlashes: b.mergeSlashes,
PreserveExternalRequestId: true,
MergeSlashes: b.mergeSlashes,
ServerHeaderTransformation: b.serverHeaderTransformation,

RequestTimeout: envoy.Timeout(b.requestTimeout),
StreamIdleTimeout: envoy.Timeout(b.streamIdleTimeout),
6 changes: 6 additions & 0 deletions internal/xdscache/v3/listener.go
@@ -125,6 +125,9 @@ type ListenerConfig struct {
// MergeSlashes toggles Envoy's non-standard merge_slashes path transformation option for all listeners.
MergeSlashes bool

// ServerHeaderTransformation signifies we will not modify the Server header.
Update godoc to reflect enum nature

@skriss skriss Jan 20, 2023

Suggested change
// ServerHeaderTransformation signifies we will not modify the Server header.
// ServerHeaderTransformation defines the action to be applied to the Server header on the response path.

ServerHeaderTransformation http.HttpConnectionManager_ServerHeaderTransformation

// XffNumTrustedHops sets the number of additional ingress proxy hops from the
// right side of the x-forwarded-for HTTP header to trust.
XffNumTrustedHops uint32
@@ -389,6 +392,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
ConnectionShutdownGracePeriod(cfg.Timeouts.ConnectionShutdownGracePeriod).
AllowChunkedLength(cfg.AllowChunkedLength).
MergeSlashes(cfg.MergeSlashes).
ServerHeaderTransformation(cfg.ServerHeaderTransformation).
NumTrustedHops(cfg.XffNumTrustedHops).
AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
Get()
@@ -449,6 +453,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
ConnectionShutdownGracePeriod(cfg.Timeouts.ConnectionShutdownGracePeriod).
AllowChunkedLength(cfg.AllowChunkedLength).
MergeSlashes(cfg.MergeSlashes).
ServerHeaderTransformation(cfg.ServerHeaderTransformation).
NumTrustedHops(cfg.XffNumTrustedHops).
AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
ForwardClientCertificate(forwardClientCertificate).
@@ -515,6 +520,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
ConnectionShutdownGracePeriod(cfg.Timeouts.ConnectionShutdownGracePeriod).
AllowChunkedLength(cfg.AllowChunkedLength).
MergeSlashes(cfg.MergeSlashes).
ServerHeaderTransformation(cfg.ServerHeaderTransformation).
NumTrustedHops(cfg.XffNumTrustedHops).
AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
ForwardClientCertificate(forwardClientCertificate).
21 changes: 13 additions & 8 deletions pkg/config/parameters.go
@@ -22,6 +22,7 @@ import (
"strings"
"time"

http "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1"
"gopkg.in/yaml.v3"
"k8s.io/apimachinery/pkg/util/validation"
@@ -489,6 +490,9 @@ type Parameters struct {
// which strips duplicate slashes from request URL paths.
DisableMergeSlashes bool `yaml:"disableMergeSlashes,omitempty"`

// DisableServerHeaderTransformation signifies Envoy will not modify the Server header.
DisableServerHeaderTransformation http.HttpConnectionManager_ServerHeaderTransformation `yaml:"disableServerHeaderTransformation,omitempty"`

// EnableExternalNameService allows processing of ExternalNameServices
// Defaults to disabled for security reasons.
// TODO(youngnick): put a link to the issue and CVE here.
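Review bot: `DisableServerHeaderTransformation` is the protobuf enum type behind a `yaml` tag, so yaml.v3 will only decode an integer (`disableServerHeaderTransformation: 2`), not the names the CRD documentation advertises, and nothing visible here rejects values outside the enum's range; it also pulls the go-control-plane dependency into the user-facing config package, whose neighbouring parameters (for example `DisableMergeSlashes bool`) are plain Go types. Prefer a string field named `ServerHeaderTransformation`, validated in the config parser against OVERWRITE, PASS_THROUGH and APPEND_IF_ABSENT, and convert it to the enum in the envoy layer.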
@@ -694,14 +698,15 @@ func Defaults() Parameters {
Server: ServerParameters{
XDSServerType: ContourServerType,
},
IngressStatusAddress: "",
AccessLogFormat: DEFAULT_ACCESS_LOG_TYPE,
AccessLogFields: DefaultFields,
AccessLogLevel: LogLevelInfo,
TLS: TLSParameters{},
DisablePermitInsecure: false,
DisableAllowChunkedLength: false,
DisableMergeSlashes: false,
IngressStatusAddress: "",
AccessLogFormat: DEFAULT_ACCESS_LOG_TYPE,
AccessLogFields: DefaultFields,
AccessLogLevel: LogLevelInfo,
TLS: TLSParameters{},
DisablePermitInsecure: false,
DisableAllowChunkedLength: false,
DisableMergeSlashes: false,
DisableServerHeaderTransformation: http.HttpConnectionManager_OVERWRITE,
Timeouts: TimeoutParameters{
// This is chosen as a rough default to stop idle connections wasting resources,
// without stopping slow connections from being terminated too quickly.
15 changes: 15 additions & 0 deletions site/content/docs/main/config/api-reference.html
@@ -5928,6 +5928,21 @@ <h3 id="projectcontour.io/v1alpha1.EnvoyListenerConfig">EnvoyListenerConfig
</tr>
<tr>
<td style="white-space:nowrap">
<code>disableServerHeaderTransformation</code>
<br>
<em>
github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3.HttpConnectionManager_ServerHeaderTransformation
</em>
</td>
<td>
<em>(Optional)</em>
<p>DisableServerHeaderTransformation signifies Envoy will not modify the Server header.
It has 3 possible values: OVERWRITE, PASS_THROUGH, APPEND_IF_ABSENT</p>
<p>Contour&rsquo;s default is OVERWRITE.</p>
</td>
</tr>
<tr>
<td style="white-space:nowrap">
<code>connectionBalancer</code>
<br>
<em>