diff --git a/docs/root/configuration/http_conn_man/headers.rst b/docs/root/configuration/http_conn_man/headers.rst index d91be60a..282b3202 100644 --- a/docs/root/configuration/http_conn_man/headers.rst +++ b/docs/root/configuration/http_conn_man/headers.rst 
@@ -118,15 +118,22 @@ should be replaced by backslash-double-quote (\"). The following keys are supported: -1. ``By`` The Subject Alternative Name (SAN) of the current proxy's certificate. +1. ``By`` The Subject Alternative Name (URI type) of the current proxy's certificate. 2. ``Hash`` The SHA 256 diguest of the current client certificate. -3. ``SAN`` The SAN field (URI type) of the current client certificate. +3. ``Cert`` The entire client certificate in URL encoded PEM format. 4. ``Subject`` The Subject field of the current client certificate. The value is always double-quoted. +5. ``URI`` The URI type Subject Alternative Name field of the current client certificate. +6. ``DNS`` The DNS type Subject Alternative Name field of the current client certificate. A client certificate may contain multiple DNS type Subject Alternative Names, each will be a separate key-value pair. + +A client certificate may contain multiple Subject Alternative Name types. For details on different Subject Alternative Name types, please refer `RFC 2459`_. + +.. _RFC 2459: https://tools.ietf.org/html/rfc2459#section-4.2.1.7 Some examples of the XFCC header are: -1. ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";SAN=http://testclient.lyft.com`` -2. ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;SAN=http://testclient.lyft.com,By=http://backend.lyft.com;Hash=9ba61d6425303443c0748a02dd8de688468ed33be74eee6556d90c0149c1309e;SAN=http://frontend.lyft.com`` +1. For one client certificate with only URI type Subject Alternative Name: ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";URI=http://testclient.lyft.com`` +2. 
For two client certificates with only URI type Subject Alternative Name: ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;URI=http://testclient.lyft.com,By=http://backend.lyft.com;Hash=9ba61d6425303443c0748a02dd8de688468ed33be74eee6556d90c0149c1309e;URI=http://frontend.lyft.com`` +3. For one client certificate with both URI type and DNS type Subject Alternative Name: ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";URI=http://testclient.lyft.com;DNS=lyft.com;DNS=www.lyft.com`` How Envoy processes XFCC is specified by the :ref:`forward_client_cert` and the diff --git a/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto index 2aa65dfe..1c573cc0 100644 --- a/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto +++ b/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto 
@@ -209,13 +209,22 @@ message HttpConnectionManager { // Whether to forward the subject of the client cert. Defaults to false. google.protobuf.BoolValue subject = 1; - // Whether to forward the SAN of the client cert. Defaults to false. - google.protobuf.BoolValue san = 2; + // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + // false. This field is deprecated, use URI field instead. + google.protobuf.BoolValue san = 2 [deprecated = true]; // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the // XFCC header comma separated from other values with the value Cert="PEM". // Defaults to false. bool cert = 3; + + // Whether to forward the DNS type Subject Alternative Names of the client cert. + // Defaults to false. + bool dns = 4; + + // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + // false. + bool uri = 5; }; // This field is valid only when :ref:`forward_client_cert_details @@ -223,7 +232,8 @@ message HttpConnectionManager { // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in // the client certificate to be forwarded. Note that in the // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, *Hash* is always set, and - // *By* is always set when the client certificate presents the SAN value. + // *By* is always set when the client certificate presents the URI type Subject Alternative Name + // value. SetCurrentClientCertDetails set_current_client_cert_details = 17; // If proxy_100_continue is true, Envoy will proxy incoming "Expect:
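Review bot: In the headers.rst hunk the ``SAN`` key is removed from the supported-key list, yet the proto hunk in this same patch keeps ``san = 2`` as a deprecated field, so an operator who still has ``san: true`` configured cannot learn from this page which key (if any) that setting now emits; add a sentence under the key list such as "The deprecated ``san`` setting is treated as ``URI``" (or whatever the implementation actually does). Two smaller points in the same hunk: the new ``URI`` entry describes "The URI type Subject Alternative Name field" in the singular, while the ``DNS`` entry explicitly says each of several DNS SANs becomes its own key-value pair, so state whether a certificate with several URI SANs yields several ``URI=`` pairs or only the first. "please refer `RFC 2459`_" should read "please refer to `RFC 2459`_", and since the link is new, consider pointing at RFC 5280 section 4.2.1.6 instead, which obsoletes RFC 2459 (via RFC 3280). The untouched context line still reads "SHA 256 diguest" (digest); since the hunk already edits this list it is a good moment to fix it.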
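Review bot: The deprecation comment on ``san = 2`` says "use URI field instead" but nothing in the hunk states how the two fields interact: if both ``san`` and ``uri`` are set, or only the deprecated ``san``, does Envoy emit one ``URI=`` pair, two, or the old ``SAN=`` key? Spell the compatibility rule out in the comment, e.g. "// Setting this field is equivalent to setting uri; the SAN key is no longer emitted." The comment on the new ``dns`` field should also mirror the docs hunk and say that a certificate with several DNS SANs produces one ``DNS=`` pair per name, since a config author reading the proto will not see the .rst text. Minor: ``dns`` and ``uri`` are plain ``bool`` while ``subject`` and ``san`` are ``google.protobuf.BoolValue``; that is consistent with ``cert = 3`` but worth a line in the PR description so nobody later "fixes" the mix.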
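Review bot: The reworded sentence "*By* is always set when the client certificate presents the URI type Subject Alternative Name value" contradicts the headers.rst hunk in this same patch, which defines ``By`` as the URI type SAN of the *current proxy's* certificate, not the client's. Whichever is correct, the two texts must agree; if it is the proxy's certificate, change these lines to "*By* is always set when the current proxy's certificate presents a URI type Subject Alternative Name".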