You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
277 lines
14 KiB
277 lines
14 KiB
7 years ago
|
.. _config_http_conn_man_headers:
|
||
|
|
||
|
HTTP header manipulation
|
||
|
========================
|
||
|
|
||
|
The HTTP connection manager manipulates several HTTP headers both during decoding (when the request
|
||
|
is being received) as well as during encoding (when the response is being sent).
|
||
|
|
||
|
.. contents::
|
||
|
:local:
|
||
|
|
||
|
.. _config_http_conn_man_headers_user-agent:
|
||
|
|
||
|
user-agent
|
||
|
----------
|
||
|
|
||
|
The *user-agent* header may be set by the connection manager during decoding if the
|
||
|
:ref:`add_user_agent <config_http_conn_man_add_user_agent>` option is enabled. The header is only
|
||
|
modified if it is not already set. If the connection manager does set the header, the value is
|
||
|
determined by the :option:`--service-cluster` command line option.
|
||
|
|
||
|
.. _config_http_conn_man_headers_server:
|
||
|
|
||
|
server
|
||
|
------
|
||
|
|
||
|
The *server* header will be set during encoding to the value in the :ref:`server_name
|
||
|
<config_http_conn_man_server_name>` option.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-client-trace-id:
|
||
|
|
||
|
x-client-trace-id
|
||
|
-----------------
|
||
|
|
||
|
If an external client sets this header, Envoy will join the provided trace ID with the internally
|
||
|
generated :ref:`config_http_conn_man_headers_x-request-id`. x-client-trace-id needs to be globally
|
||
|
unique and generating a uuid4 is recommended. If this header is set, it has similar effect to
|
||
|
:ref:`config_http_conn_man_headers_x-envoy-force-trace`. See the :ref:`tracing.client_enabled
|
||
|
<config_http_conn_man_runtime_client_enabled>` runtime configuration setting.
|
||
|
|
||
|
.. _config_http_conn_man_headers_downstream-service-cluster:
|
||
|
|
||
|
x-envoy-downstream-service-cluster
|
||
|
----------------------------------
|
||
|
|
||
|
Internal services often want to know which service is calling them. This header is cleaned from
|
||
|
external requests, but for internal requests will contain the service cluster of the caller. Note
|
||
|
that in the current implementation, this should be considered a hint as it is set by the caller and
|
||
|
could be easily spoofed by any internal entity. In the future Envoy will support a mutual
|
||
|
authentication TLS mesh which will make this header fully secure. Like *user-agent*, the value
|
||
|
is determined by the :option:`--service-cluster` command line option. In order to enable this
|
||
|
feature you need to set the :ref:`user_agent <config_http_conn_man_add_user_agent>` option to true.
|
||
|
|
||
|
.. _config_http_conn_man_headers_downstream-service-node:
|
||
|
|
||
|
x-envoy-downstream-service-node
|
||
|
-------------------------------
|
||
|
|
||
|
Internal services may want to know the downstream node request comes from. This header
|
||
|
is quite similar to :ref:`config_http_conn_man_headers_downstream-service-cluster`, except the value is taken from
|
||
|
the :option:`--service-node` option.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-envoy-external-address:
|
||
|
|
||
|
x-envoy-external-address
|
||
|
------------------------
|
||
|
|
||
|
It is a common case where a service wants to perform analytics based on the client IP address. Per
|
||
|
the lengthy discussion on :ref:`XFF <config_http_conn_man_headers_x-forwarded-for>`, this can get
|
||
|
quite complicated. A proper implementation involves forwarding XFF, and then choosing the first non
|
||
|
RFC1918 address *from the right*. Since this is such a common occurrence, Envoy simplifies this by
|
||
|
setting *x-envoy-external-address* during decoding if and only if the request ingresses externally
|
||
|
(i.e., it's from an external client). *x-envoy-external-address* is not set or overwritten for
|
||
|
internal requests. This header can be safely forwarded between internal services for analytics
|
||
|
purposes without having to deal with the complexities of XFF.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-envoy-force-trace:
|
||
|
|
||
|
x-envoy-force-trace
|
||
|
-------------------
|
||
|
|
||
|
If an internal request sets this header, Envoy will modify the generated
|
||
|
:ref:`config_http_conn_man_headers_x-request-id` such that it forces traces to be collected.
|
||
|
This also forces :ref:`config_http_conn_man_headers_x-request-id` to be returned in the response
|
||
|
headers. If this request ID is then propagated to other hosts, traces will also be collected on
|
||
|
those hosts which will provide a consistent trace for an entire request flow. See the
|
||
|
:ref:`tracing.global_enabled <config_http_conn_man_runtime_global_enabled>` and
|
||
|
:ref:`tracing.random_sampling <config_http_conn_man_runtime_random_sampling>` runtime
|
||
|
configuration settings.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-envoy-internal:
|
||
|
|
||
|
x-envoy-internal
|
||
|
----------------
|
||
|
|
||
|
It is a common case where a service wants to know whether a request is internal origin or not. Envoy
|
||
|
uses :ref:`XFF <config_http_conn_man_headers_x-forwarded-for>` to determine this and then will set
|
||
|
the header value to *true*.
|
||
|
|
||
|
This is a convenience to avoid having to parse and understand XFF.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-forwarded-client-cert:
|
||
|
|
||
|
x-forwarded-client-cert
|
||
|
-----------------------
|
||
|
|
||
|
*x-forwarded-clinet-cert* (XFCC) is a proxy header which indicates certificate information of part
|
||
|
or all of the clients or proxies that a request has flowed through, on its way from the client to the
|
||
|
server. A proxy may choose to sanitize/append/forward the XFCC header before proxying the request.
|
||
|
|
||
|
The XFCC header value is a comma (",") separated string. Each substring is an XFCC element, which
|
||
|
holds information added by a single proxy. A proxy can append the current client certificate
|
||
|
information as an XFCC element, to the end of the request's XFCC header after a comma.
|
||
|
|
||
|
Each XFCC element is a semicolon ";" separated string. Each substring is a key-value pair, grouped
|
||
|
together by an equals ("=") sign. The keys are case-insensitive, the values are case-sensitive. If
|
||
|
",", ";" or "=" appear in a value, the value should be double-quoted. Double-quotes in the value
|
||
|
should be replaced by backslash-double-quote (\").
|
||
|
|
||
|
The following keys are supported:
|
||
|
|
||
|
1. ``By`` The Subject Alternative Name (SAN) of the current proxy's certificate.
|
||
|
2. ``Hash`` The SHA 256 diguest of the current client certificate.
|
||
|
3. ``SAN`` The SAN field (URI type) of the current client certificate.
|
||
|
4. ``Subject`` The Subject field of the current client certificate. The value is always double-quoted.
|
||
|
|
||
|
Some examples of the XFCC header are:
|
||
|
|
||
|
1. ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";SAN=http://testclient.lyft.com``
|
||
|
2. ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;SAN=http://testclient.lyft.com,By=http://backend.lyft.com;Hash=9ba61d6425303443c0748a02dd8de688468ed33be74eee6556d90c0149c1309e;SAN=http://frontend.lyft.com``
|
||
|
|
||
|
How Envoy processes XFCC is specified by the
|
||
|
:ref:`forward_client_cert<config_http_conn_man_forward_client_cert>` and the
|
||
|
:ref:`set_current_client_cert_details<config_http_conn_man_set_current_client_cert_details>` HTTP
|
||
|
connection manager options. If *forward_client_cert* is unset, the XFCC header will be sanitized by
|
||
|
default.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-forwarded-for:
|
||
|
|
||
|
x-forwarded-for
|
||
|
---------------
|
||
|
|
||
|
*x-forwarded-for* (XFF) is a standard proxy header which indicates the IP addresses that a request has
|
||
|
flowed through on its way from the client to the server. A compliant proxy will *append* the IP
|
||
|
address of the nearest client to the XFF list before proxying the request. Some examples of XFF are:
|
||
|
|
||
|
1. ``x-forwarded-for: 50.0.0.1`` (single client)
|
||
|
2. ``x-forwarded-for: 50.0.0.1, 40.0.0.1`` (external proxy hop)
|
||
|
3. ``x-forwarded-for: 50.0.0.1, 10.0.0.1`` (internal proxy hop)
|
||
|
|
||
|
Envoy will only append to XFF if the :ref:`use_remote_address
|
||
|
<config_http_conn_man_use_remote_address>` HTTP connection manager option is set to true. This means
|
||
|
that if *use_remote_address* is false, the connection manager operates in a transparent mode where
|
||
|
it does not modify XFF. This is needed for certain types of mesh deployments depending on whether
|
||
|
the Envoy in question is an edge node or an internal service node.
|
||
|
|
||
|
Envoy uses the final XFF contents to determine whether a request originated externally or
|
||
|
internally. This influences whether the :ref:`config_http_conn_man_headers_x-envoy-internal` header
|
||
|
is set.
|
||
|
|
||
|
A few very important notes about XFF:
|
||
|
|
||
|
1. Since IP addresses are appended to XFF, only the last address (furthest to the right) can be
|
||
|
trusted. More specifically, the first external (non RFC1918) address from *the right* is the only
|
||
|
trustable addresses. Anything to the left of that can be spoofed. To make this easier to deal
|
||
|
with for analytics, etc., front Envoy will also set the
|
||
|
:ref:`config_http_conn_man_headers_x-envoy-external-address` header.
|
||
|
2. XFF is what Envoy uses to determine whether a request is internal origin or external origin. It
|
||
|
does this by checking to see if XFF contains a *single* IP address which is an RFC1918 address.
|
||
|
|
||
|
* **NOTE**: If an internal service proxies an external request to another internal service, and
|
||
|
includes the original XFF header, Envoy will append to it on egress if
|
||
|
:ref:`use_remote_address <config_http_conn_man_use_remote_address>` is set. This will cause
|
||
|
the other side to think the request is external. Generally, this is what is intended if XFF is
|
||
|
being forwarded. If it is not intended, do not forward XFF, and forward
|
||
|
:ref:`config_http_conn_man_headers_x-envoy-internal` instead.
|
||
|
* **NOTE**: If an internal service call is forwarded to another internal service (preserving XFF),
|
||
|
Envoy will not consider it internal. This is a known "bug" due to the simplification of how
|
||
|
XFF is parsed to determine if a request is internal. In this scenario, do not forward XFF and
|
||
|
allow Envoy to generate a new one with a single internal origin IP.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-forwarded-proto:
|
||
|
|
||
|
x-forwarded-proto
|
||
|
-----------------
|
||
|
|
||
|
It is a common case where a service wants to know what the originating protocol (HTTP or HTTPS) was
|
||
|
of the connection terminated by front/edge Envoy. *x-forwarded-proto* contains this information. It
|
||
|
will be set to either *http* or *https*.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-request-id:
|
||
|
|
||
|
x-request-id
|
||
|
------------
|
||
|
|
||
|
The *x-request-id* header is used by Envoy to uniquely identify a request as well as perform stable
|
||
|
access logging and tracing. Envoy will generate an *x-request-id* header for all external origin
|
||
|
requests (the header is sanitized). It will also generate an *x-request-id* header for internal
|
||
|
requests that do not already have one. This means that *x-request-id* can and should be propagated
|
||
|
between client applications in order to have stable IDs across the entire mesh. Due to the out of
|
||
|
process architecture of Envoy, the header can not be automatically forwarded by Envoy itself. This
|
||
|
is one of the few areas where a thin client library is needed to perform this duty. How that is done
|
||
|
is out of scope for this documentation. If *x-request-id* is propagated across all hosts, the
|
||
|
following features are available:
|
||
|
|
||
|
* Stable :ref:`access logging <config_access_log>` via the
|
||
|
:ref:`runtime filter<config_http_con_manager_access_log_filters_runtime>`.
|
||
|
* Stable tracing when performing random sampling via the :ref:`tracing.random_sampling
|
||
|
<config_http_conn_man_runtime_random_sampling>` runtime setting or via forced tracing using the
|
||
|
:ref:`config_http_conn_man_headers_x-envoy-force-trace` and
|
||
|
:ref:`config_http_conn_man_headers_x-client-trace-id` headers.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-ot-span-context:
|
||
|
|
||
|
x-ot-span-context
|
||
|
-----------------
|
||
|
|
||
|
The *x-ot-span-context* HTTP header is used by Envoy to establish proper parent-child relationships
|
||
|
between tracing spans. This header can be used with both LightStep and Zipkin tracers.
|
||
|
For example, an egress span is a child of an ingress
|
||
|
span (if the ingress span was present). Envoy injects the *x-ot-span-context* header on ingress requests and
|
||
|
forwards it to the local service. Envoy relies on the application to propagate *x-ot-span-context* on
|
||
|
the egress call to an upstream. See more on tracing :ref:`here <arch_overview_tracing>`.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-b3-traceid:
|
||
|
|
||
|
x-b3-traceid
|
||
|
------------
|
||
|
|
||
|
The *x-b3-traceid* HTTP header is used by the Zipkin tracer in Envoy.
|
||
|
The TraceId is 64-bit in length and indicates the overall ID of the
|
||
|
trace. Every span in a trace shares this ID. See more on zipkin tracing
|
||
|
`here <https://github.com/openzipkin/b3-propagation>`.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-b3-spanid:
|
||
|
|
||
|
x-b3-spanid
|
||
|
-----------
|
||
|
|
||
|
The *x-b3-spanid* HTTP header is used by the Zipkin tracer in Envoy.
|
||
|
The SpanId is 64-bit in length and indicates the position of the current
|
||
|
operation in the trace tree. The value should not be interpreted: it may or
|
||
|
may not be derived from the value of the TraceId. See more on zipkin tracing
|
||
|
`here <https://github.com/openzipkin/b3-propagation>`.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-b3-parentspanid:
|
||
|
|
||
|
x-b3-parentspanid
|
||
|
-----------------
|
||
|
|
||
|
The *x-b3-parentspanid* HTTP header is used by the Zipkin tracer in Envoy.
|
||
|
The ParentSpanId is 64-bit in length and indicates the position of the
|
||
|
parent operation in the trace tree. When the span is the root of the trace
|
||
|
tree, the ParentSpanId is absent. See more on zipkin tracing
|
||
|
`here <https://github.com/openzipkin/b3-propagation>`.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-b3-sampled:
|
||
|
|
||
|
x-b3-sampled
|
||
|
------------
|
||
|
|
||
|
The *x-b3-sampled* HTTP header is used by the Zipkin tracer in Envoy.
|
||
|
When the Sampled flag is 1, the soan will be reported to the tracing
|
||
|
system. Once Sampled is set to 0 or 1, the same
|
||
|
value should be consistently sent downstream. See more on zipkin tracing
|
||
|
`here <https://github.com/openzipkin/b3-propagation>`.
|
||
|
|
||
|
.. _config_http_conn_man_headers_x-b3-flags:
|
||
|
|
||
|
x-b3-flags
|
||
|
----------
|
||
|
|
||
|
The *x-b3-flags* HTTP header is used by the Zipkin tracer in Envoy.
|
||
|
The encode one or more options. For example, Debug is encoded as
|
||
|
``X-B3-Flags: 1``. See more on zipkin tracing
|
||
|
`here <https://github.com/openzipkin/b3-propagation>`.
|