hcm: adding a knob for setting scheme (#17070)

Adding the option to override scheme Risk Level: low (config guarded code) Testing: unit testing Docs Changes: n/a Release Notes: inline Part of #14587 Fixes #17105 Signed-off-by: Alyssa Wilk <alyssar@chromium.org> Mirrored from https://github.com/envoyproxy/envoy @ fe8f2243b287feb2d6868a151e299e54c71036d3
3 years ago · d035362259
parent 5747b966e2
commit d035362259
4 changed files with 31 additions and 2 deletions
--- a/envoy/config/core/v3/protocol.proto
+++ b/envoy/config/core/v3/protocol.proto
@ -478,3 +478,11 @@ message Http3ProtocolOptions {
  // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`.
  google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2;
 }
+
+// A message to control transformations to the :scheme header
+message SchemeHeaderTransformation {
+  oneof transformation {
+    // Overwrite any Scheme header with the contents of this string.
+    string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}];
+  }
+}
--- a/envoy/config/core/v4alpha/protocol.proto
+++ b/envoy/config/core/v4alpha/protocol.proto
@ -478,3 +478,14 @@ message Http3ProtocolOptions {
  // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`.
  google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2;
 }
+
+// A message to control transformations to the :scheme header
+message SchemeHeaderTransformation {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.config.core.v3.SchemeHeaderTransformation";
+
+  oneof transformation {
+    // Overwrite any Scheme header with the contents of this string.
+    string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}];
+  }
+}
--- a/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
+++ b/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@ -35,7 +35,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
 // [#extension: envoy.filters.network.http_connection_manager]

-// [#next-free-field: 48]
+// [#next-free-field: 49]
 message HttpConnectionManager {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@ -371,6 +371,11 @@ message HttpConnectionManager {
  ServerHeaderTransformation server_header_transformation = 34
      [(validate.rules).enum = {defined_only: true}];

+  // Allows for explicit transformation of the :scheme header on the request path.
+  // If not set, Envoy's default :ref:`scheme  <config_http_conn_man_headers_scheme>`
+  // handling applies.
+  config.core.v3.SchemeHeaderTransformation scheme_header_transformation = 48;
+
  // The maximum request headers size for incoming connections.
  // If unconfigured, the default max request headers allowed is 60 KiB.
  // Requests that exceed this limit will receive a 431 response.
--- a/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto
+++ b/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto
@ -33,7 +33,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
 // [#extension: envoy.filters.network.http_connection_manager]

-// [#next-free-field: 48]
+// [#next-free-field: 49]
 message HttpConnectionManager {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager";
@ -373,6 +373,11 @@ message HttpConnectionManager {
  ServerHeaderTransformation server_header_transformation = 34
      [(validate.rules).enum = {defined_only: true}];

+  // Allows for explicit transformation of the :scheme header on the request path.
+  // If not set, Envoy's default :ref:`scheme  <config_http_conn_man_headers_scheme>`
+  // handling applies.
+  config.core.v4alpha.SchemeHeaderTransformation scheme_header_transformation = 48;
+
  // The maximum request headers size for incoming connections.
  // If unconfigured, the default max request headers allowed is 60 KiB.
  // Requests that exceed this limit will receive a 431 response.