Ability to disable Envoy adding server headers to responses #4906
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| ## Enable configuring Server header transformation | ||
|
|
||
| Envoy's treatment of the Server header on responses can now be configured in the Contour config file or ContourConfiguration CRD. | ||
| When configured as `overwrite`, Envoy overwrites any Server header with "envoy". | ||
| When configured as `append_if_absent`, if a Server header is present, Envoy will pass it through, otherwise, it will set it to "envoy". | ||
| When configured as `pass_through`, Envoy passes through the value of the Server header and does not append a header if none is present. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -348,6 +348,7 @@ func (s *Server) doServe() error { | |
| DefaultHTTPVersions: parseDefaultHTTPVersions(contourConfiguration.Envoy.DefaultHTTPVersions), | ||
| AllowChunkedLength: !*contourConfiguration.Envoy.Listener.DisableAllowChunkedLength, | ||
| MergeSlashes: !*contourConfiguration.Envoy.Listener.DisableMergeSlashes, | ||
| ServerHeaderTransformation: contourConfiguration.Envoy.Listener.ServerHeaderTransformation, | ||
| XffNumTrustedHops: *contourConfiguration.Envoy.Network.XffNumTrustedHops, | ||
| ConnectionBalancer: contourConfiguration.Envoy.Listener.ConnectionBalancer, | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -378,6 +378,16 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha | |
| } | ||
| } | ||
|
|
||
| var serverHeaderTransformation contour_api_v1alpha1.ServerHeaderTransformationType | ||
| switch ctx.Config.ServerHeaderTransformation { | ||
| case config.OverwriteServerHeader: | ||
| serverHeaderTransformation = contour_api_v1alpha1.OverwriteServerHeader | ||
| case config.AppendIfAbsentServerHeader: | ||
| serverHeaderTransformation = contour_api_v1alpha1.AppendIfAbsentServerHeader | ||
| case config.PassThroughServerHeader: | ||
| serverHeaderTransformation = contour_api_v1alpha1.PassThroughServerHeader | ||
| } | ||
|
|
||
| policy := &contour_api_v1alpha1.PolicyConfig{ | ||
| RequestHeadersPolicy: &contour_api_v1alpha1.HeadersPolicy{ | ||
| Set: ctx.Config.Policy.RequestHeadersPolicy.Set, | ||
|
|
@@ -439,10 +449,11 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha | |
| }, | ||
| Envoy: &contour_api_v1alpha1.EnvoyConfig{ | ||
| Listener: &contour_api_v1alpha1.EnvoyListenerConfig{ | ||
| UseProxyProto: &ctx.useProxyProto, | ||
| DisableAllowChunkedLength: &ctx.Config.DisableAllowChunkedLength, | ||
| DisableMergeSlashes: &ctx.Config.DisableMergeSlashes, | ||
| ServerHeaderTransformation: serverHeaderTransformation, | ||
| ConnectionBalancer: ctx.Config.Listener.ConnectionBalancer, | ||
| TLS: &contour_api_v1alpha1.EnvoyTLS{ | ||
| MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion, | ||
| CipherSuites: cipherSuites, | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -406,9 +406,10 @@ func TestConvertServeContext(t *testing.T) { | |
| Namespace: "projectcontour", | ||
| }, | ||
| Listener: &contour_api_v1alpha1.EnvoyListenerConfig{ | ||
| UseProxyProto: ref.To(false), | ||
| DisableAllowChunkedLength: ref.To(false), | ||
| DisableMergeSlashes: ref.To(false), | ||
| ServerHeaderTransformation: contour_api_v1alpha1.OverwriteServerHeader, | ||
| TLS: &contour_api_v1alpha1.EnvoyTLS{ | ||
| MinimumProtocolVersion: "", | ||
| }, | ||
|
|
@@ -688,6 +689,16 @@ func TestConvertServeContext(t *testing.T) { | |
| return cfg | ||
| }, | ||
| }, | ||
| "server header transformation": { | ||
| getServeContext: func(ctx *serveContext) *serveContext { | ||
| ctx.Config.ServerHeaderTransformation = config.AppendIfAbsentServerHeader | ||
| return ctx | ||
| }, | ||
| getContourConfiguration: func(cfg contour_api_v1alpha1.ContourConfigurationSpec) contour_api_v1alpha1.ContourConfigurationSpec { | ||
| cfg.Envoy.Listener.ServerHeaderTransformation = contour_api_v1alpha1.AppendIfAbsentServerHeader | ||
| return cfg | ||
| }, | ||
| }, | ||
| } | ||
|
|
||
| for name, tc := range cases { | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -181,6 +181,18 @@ spec: | |
| slashes from request URL paths. \n Contour's default is | ||
| false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the Server | ||
| header on the response path When configured as overwrite, | ||
| overwrites any Server header with the contents of server_name. | ||
| When configured as append_if_absent, If no Server header | ||
| is present, append Server server_name If a Server header | ||
| is present, pass it through. When configured as pass_through, | ||
| pPass through the value of the server header, and do not | ||
| append a header if none is present. \n Values: `overwrite` | ||
| (default), `append_if_absent`, `pass_through` \n Other values | ||
| will produce an error. Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS listener | ||
| values. | ||
|
|
@@ -3184,6 +3196,19 @@ spec: | |
| duplicate slashes from request URL paths. \n Contour's | ||
| default is false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the | ||
| Server header on the response path When configured as | ||
| overwrite, overwrites any Server header with the contents | ||
| of server_name. When configured as append_if_absent, | ||
| If no Server header is present, append Server server_name | ||
| If a Server header is present, pass it through. When | ||
| configured as pass_through, pPass through the value | ||
| of the server header, and do not append a header if | ||
| none is present. \n Values: `overwrite` (default), `append_if_absent`, | ||
| `pass_through` \n Other values will produce an error. | ||
| Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS | ||
| listener values. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -394,6 +394,18 @@ spec: | |
| slashes from request URL paths. \n Contour's default is | ||
| false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the Server | ||
| header on the response path When configured as overwrite, | ||
| overwrites any Server header with the contents of server_name. | ||
| When configured as append_if_absent, If no Server header | ||
| is present, append Server server_name If a Server header | ||
| is present, pass it through. When configured as pass_through, | ||
| pPass through the value of the server header, and do not | ||
| append a header if none is present. \n Values: `overwrite` | ||
| (default), `append_if_absent`, `pass_through` \n Other values | ||
| will produce an error. Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS listener | ||
| values. | ||
|
|
@@ -3397,6 +3409,19 @@ spec: | |
| duplicate slashes from request URL paths. \n Contour's | ||
| default is false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the | ||
| Server header on the response path When configured as | ||
| overwrite, overwrites any Server header with the contents | ||
| of server_name. When configured as append_if_absent, | ||
| If no Server header is present, append Server server_name | ||
| If a Server header is present, pass it through. When | ||
| configured as pass_through, pPass through the value | ||
| of the server header, and do not append a header if | ||
| none is present. \n Values: `overwrite` (default), `append_if_absent`, | ||
| `pass_through` \n Other values will produce an error. | ||
| Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS | ||
| listener values. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -195,6 +195,18 @@ spec: | |
| slashes from request URL paths. \n Contour's default is | ||
| false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the Server | ||
| header on the response path When configured as overwrite, | ||
| overwrites any Server header with the contents of server_name. | ||
| When configured as append_if_absent, If no Server header | ||
| is present, append Server server_name If a Server header | ||
| is present, pass it through. When configured as pass_through, | ||
| pPass through the value of the server header, and do not | ||
| append a header if none is present. \n Values: `overwrite` | ||
| (default), `append_if_absent`, `pass_through` \n Other values | ||
| will produce an error. Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS listener | ||
| values. | ||
|
|
@@ -3198,6 +3210,19 @@ spec: | |
| duplicate slashes from request URL paths. \n Contour's | ||
| default is false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the | ||
| Server header on the response path When configured as | ||
| overwrite, overwrites any Server header with the contents | ||
| of server_name. When configured as append_if_absent, | ||
| If no Server header is present, append Server server_name | ||
| If a Server header is present, pass it through. When | ||
| configured as pass_through, pPass through the value | ||
| of the server header, and do not append a header if | ||
| none is present. \n Values: `overwrite` (default), `append_if_absent`, | ||
| `pass_through` \n Other values will produce an error. | ||
| Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS | ||
| listener values. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -400,6 +400,18 @@ spec: | |
| slashes from request URL paths. \n Contour's default is | ||
| false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the Server | ||
| header on the response path When configured as overwrite, | ||
| overwrites any Server header with the contents of server_name. | ||
| When configured as append_if_absent, If no Server header | ||
| is present, append Server server_name If a Server header | ||
| is present, pass it through. When configured as pass_through, | ||
| pPass through the value of the server header, and do not | ||
| append a header if none is present. \n Values: `overwrite` | ||
| (default), `append_if_absent`, `pass_through` \n Other values | ||
| will produce an error. Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS listener | ||
| values. | ||
|
|
@@ -3403,6 +3415,19 @@ spec: | |
| duplicate slashes from request URL paths. \n Contour's | ||
| default is false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the | ||
| Server header on the response path When configured as | ||
| overwrite, overwrites any Server header with the contents | ||
| of server_name. When configured as append_if_absent, | ||
| If no Server header is present, append Server server_name | ||
| If a Server header is present, pass it through. When | ||
| configured as pass_through, pPass through the value | ||
| of the server header, and do not append a header if | ||
| none is present. \n Values: `overwrite` (default), `append_if_absent`, | ||
| `pass_through` \n Other values will produce an error. | ||
| Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS | ||
| listener values. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -394,6 +394,18 @@ spec: | |
| slashes from request URL paths. \n Contour's default is | ||
| false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the Server | ||
| header on the response path When configured as overwrite, | ||
| overwrites any Server header with the contents of server_name. | ||
| When configured as append_if_absent, If no Server header | ||
| is present, append Server server_name If a Server header | ||
| is present, pass it through. When configured as pass_through, | ||
| pPass through the value of the server header, and do not | ||
| append a header if none is present. \n Values: `overwrite` | ||
| (default), `append_if_absent`, `pass_through` \n Other values | ||
| will produce an error. Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS listener | ||
| values. | ||
|
|
@@ -3397,6 +3409,19 @@ spec: | |
| duplicate slashes from request URL paths. \n Contour's | ||
| default is false." | ||
| type: boolean | ||
| serverHeaderTransformation: | ||
| description: "Defines the action to be applied to the | ||
| Server header on the response path When configured as | ||
| overwrite, overwrites any Server header with the contents | ||
| of server_name. When configured as append_if_absent, | ||
| If no Server header is present, append Server server_name | ||
| If a Server header is present, pass it through. When | ||
| configured as pass_through, pPass through the value | ||
| of the server header, and do not append a header if | ||
| none is present. \n Values: `overwrite` (default), `append_if_absent`, | ||
| `pass_through` \n Other values will produce an error. | ||
| Contour's default is overwrite." | ||
| type: string | ||
| tls: | ||
| description: TLS holds various configurable Envoy TLS | ||
| listener values. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -74,10 +74,11 @@ func Defaults() contour_api_v1alpha1.ContourConfigurationSpec { | |
| }, | ||
| Envoy: &contour_api_v1alpha1.EnvoyConfig{ | ||
| Listener: &contour_api_v1alpha1.EnvoyListenerConfig{ | ||
| UseProxyProto: ref.To(false), | ||
| DisableAllowChunkedLength: ref.To(false), | ||
| DisableMergeSlashes: ref.To(false), | ||
| ServerHeaderTransformation: contour_api_v1alpha1.OverwriteServerHeader, | ||
| ConnectionBalancer: "", | ||
| TLS: &contour_api_v1alpha1.EnvoyTLS{ | ||
| MinimumProtocolVersion: "1.2", | ||
| CipherSuites: contour_api_v1alpha1.DefaultTLSCiphers, | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in this section probably replace
server_namewithenvoy? since we don't make it configurable (i think this was copied from the envoy docs)