aws_request_signing: a few fixes (#10280)

There were a few things missing to make this filter work with S3: * empty body requests (e.g.: GET) still need a sha256 content header (the empty string hash) * requests for s3 shouldn't sign all headers (especially because some of them might change, e.g.: x-forwarded-for) * when proxying requests to s3, HCM's host rewrite won't work so support it as a filter config option * ditto for prefix rewrite Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com> Mirrored from https://github.com/envoyproxy/envoy @ 28f33a776960dd717d4b57da73b0dbce7dbb3e85
5 years ago · 823ee01295
parent 7c1da45f2d
commit 823ee01295
2 changed files with 22 additions and 0 deletions
--- a/envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto
+++ b/envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto
@ -29,4 +29,15 @@ message AwsRequestSigning {
  //
  // Example: us-west-2
  string region = 2 [(validate.rules).string = {min_bytes: 1}];
+
+  // Indicates that before signing headers, the host header will be swapped with
+  // this value. If not set or empty, the original host header value
+  // will be used and no rewrite will happen.
+  //
+  // Note: this rewrite affects both signing and host header forwarding. However, this
+  // option shouldn't be used with
+  // :ref:`HCM host rewrite <envoy_api_field_route.RouteAction.host_rewrite>` given that the
+  // value set here would be used for signing whereas the value set in the HCM would be used
+  // for host header forwarding which is not the desired outcome.
+  string host_rewrite = 3;
 }
--- a/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
+++ b/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
@ -31,4 +31,15 @@ message AwsRequestSigning {
  //
  // Example: us-west-2
  string region = 2 [(validate.rules).string = {min_bytes: 1}];
+
+  // Indicates that before signing headers, the host header will be swapped with
+  // this value. If not set or empty, the original host header value
+  // will be used and no rewrite will happen.
+  //
+  // Note: this rewrite affects both signing and host header forwarding. However, this
+  // option shouldn't be used with
+  // :ref:`HCM host rewrite <envoy_api_field_config.route.v3.RouteAction.host_rewrite_literal>` given that the
+  // value set here would be used for signing whereas the value set in the HCM would be used
+  // for host header forwarding which is not the desired outcome.
+  string host_rewrite = 3;
 }