Chiebot-Mirror
/
data-plane-api
mirror of https://github.com/envoyproxy/data-plane-api.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity
[READ ONLY MIRROR] Envoy REST/proto API definitions and documentation. (grpc依赖)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
185 Commits
2 Branches
0 Tags
17 MiB
 
 
 
 
 
Tag: Branch: Tree: ac130697f5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ac130697f5'
${ noResults }
data-plane-api/docs/root/configuration/http_conn_man/headers.rst

276 lines
14 KiB
Raw Blame History

.. _config_http_conn_man_headers:
HTTP header manipulation
========================
The HTTP connection manager manipulates several HTTP headers both during decoding (when the request
is being received) as well as during encoding (when the response is being sent).
.. contents::
:local:
.. _config_http_conn_man_headers_user-agent:
user-agent
----------
The *user-agent* header may be set by the connection manager during decoding if the
:ref:`add_user_agent <config_http_conn_man_add_user_agent>` option is enabled. The header is only
modified if it is not already set. If the connection manager does set the header, the value is
determined by the :option:`--service-cluster` command line option.
.. _config_http_conn_man_headers_server:
server
------
The *server* header will be set during encoding to the value in the :ref:`server_name
<config_http_conn_man_server_name>` option.
.. _config_http_conn_man_headers_x-client-trace-id:
x-client-trace-id
-----------------
If an external client sets this header, Envoy will join the provided trace ID with the internally
generated :ref:`config_http_conn_man_headers_x-request-id`. x-client-trace-id needs to be globally
unique and generating a uuid4 is recommended. If this header is set, it has similar effect to
:ref:`config_http_conn_man_headers_x-envoy-force-trace`. See the :ref:`tracing.client_enabled
<config_http_conn_man_runtime_client_enabled>` runtime configuration setting.
.. _config_http_conn_man_headers_downstream-service-cluster:
x-envoy-downstream-service-cluster
----------------------------------
Internal services often want to know which service is calling them. This header is cleaned from
external requests, but for internal requests will contain the service cluster of the caller. Note
that in the current implementation, this should be considered a hint as it is set by the caller and
could be easily spoofed by any internal entity. In the future Envoy will support a mutual
authentication TLS mesh which will make this header fully secure. Like *user-agent*, the value
is determined by the :option:`--service-cluster` command line option. In order to enable this
feature you need to set the :ref:`user_agent <config_http_conn_man_add_user_agent>` option to true.
.. _config_http_conn_man_headers_downstream-service-node:
x-envoy-downstream-service-node
-------------------------------
Internal services may want to know the downstream node request comes from. This header
is quite similar to :ref:`config_http_conn_man_headers_downstream-service-cluster`, except the value is taken from
the :option:`--service-node` option.
.. _config_http_conn_man_headers_x-envoy-external-address:
x-envoy-external-address
------------------------
It is a common case where a service wants to perform analytics based on the client IP address. Per
the lengthy discussion on :ref:`XFF <config_http_conn_man_headers_x-forwarded-for>`, this can get
quite complicated. A proper implementation involves forwarding XFF, and then choosing the first non
RFC1918 address *from the right*. Since this is such a common occurrence, Envoy simplifies this by
setting *x-envoy-external-address* during decoding if and only if the request ingresses externally
(i.e., it's from an external client). *x-envoy-external-address* is not set or overwritten for
internal requests. This header can be safely forwarded between internal services for analytics
purposes without having to deal with the complexities of XFF.
.. _config_http_conn_man_headers_x-envoy-force-trace:
x-envoy-force-trace
-------------------
If an internal request sets this header, Envoy will modify the generated
:ref:`config_http_conn_man_headers_x-request-id` such that it forces traces to be collected.
This also forces :ref:`config_http_conn_man_headers_x-request-id` to be returned in the response
headers. If this request ID is then propagated to other hosts, traces will also be collected on
those hosts which will provide a consistent trace for an entire request flow. See the
:ref:`tracing.global_enabled <config_http_conn_man_runtime_global_enabled>` and
:ref:`tracing.random_sampling <config_http_conn_man_runtime_random_sampling>` runtime
configuration settings.
.. _config_http_conn_man_headers_x-envoy-internal:
x-envoy-internal
----------------
It is a common case where a service wants to know whether a request is internal origin or not. Envoy
uses :ref:`XFF <config_http_conn_man_headers_x-forwarded-for>` to determine this and then will set
the header value to *true*.
This is a convenience to avoid having to parse and understand XFF.
.. _config_http_conn_man_headers_x-forwarded-client-cert:
x-forwarded-client-cert
-----------------------
*x-forwarded-client-cert* (XFCC) is a proxy header which indicates certificate information of part
or all of the clients or proxies that a request has flowed through, on its way from the client to the
server. A proxy may choose to sanitize/append/forward the XFCC header before proxying the request.
The XFCC header value is a comma (",") separated string. Each substring is an XFCC element, which
holds information added by a single proxy. A proxy can append the current client certificate
information as an XFCC element, to the end of the request's XFCC header after a comma.
Each XFCC element is a semicolon ";" separated string. Each substring is a key-value pair, grouped
together by an equals ("=") sign. The keys are case-insensitive, the values are case-sensitive. If
",", ";" or "=" appear in a value, the value should be double-quoted. Double-quotes in the value
should be replaced by backslash-double-quote (\").
The following keys are supported:
1. ``By`` The Subject Alternative Name (SAN) of the current proxy's certificate.
2. ``Hash`` The SHA 256 diguest of the current client certificate.
3. ``SAN`` The SAN field (URI type) of the current client certificate.
4. ``Subject`` The Subject field of the current client certificate. The value is always double-quoted.
Some examples of the XFCC header are:
1. ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";SAN=http://testclient.lyft.com``
2. ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;SAN=http://testclient.lyft.com,By=http://backend.lyft.com;Hash=9ba61d6425303443c0748a02dd8de688468ed33be74eee6556d90c0149c1309e;SAN=http://frontend.lyft.com``
How Envoy processes XFCC is specified by the
:ref:`forward_client_cert<config_http_conn_man_forward_client_cert>` and the
:ref:`set_current_client_cert_details<config_http_conn_man_set_current_client_cert_details>` HTTP
connection manager options. If *forward_client_cert* is unset, the XFCC header will be sanitized by
default.
.. _config_http_conn_man_headers_x-forwarded-for:
x-forwarded-for
---------------
*x-forwarded-for* (XFF) is a standard proxy header which indicates the IP addresses that a request has
flowed through on its way from the client to the server. A compliant proxy will *append* the IP
address of the nearest client to the XFF list before proxying the request. Some examples of XFF are:
1. ``x-forwarded-for: 50.0.0.1`` (single client)
2. ``x-forwarded-for: 50.0.0.1, 40.0.0.1`` (external proxy hop)
3. ``x-forwarded-for: 50.0.0.1, 10.0.0.1`` (internal proxy hop)
Envoy will only append to XFF if the :ref:`use_remote_address
<config_http_conn_man_use_remote_address>` HTTP connection manager option is set to true. This means
that if *use_remote_address* is false, the connection manager operates in a transparent mode where
it does not modify XFF. This is needed for certain types of mesh deployments depending on whether
the Envoy in question is an edge node or an internal service node.
Envoy uses the final XFF contents to determine whether a request originated externally or
internally. This influences whether the :ref:`config_http_conn_man_headers_x-envoy-internal` header
is set.
A few very important notes about XFF:
1. Since IP addresses are appended to XFF, only the last address (furthest to the right) can be
trusted. More specifically, the first external (non RFC1918) address from *the right* is the only
trustable addresses. Anything to the left of that can be spoofed. To make this easier to deal
with for analytics, etc., front Envoy will also set the
:ref:`config_http_conn_man_headers_x-envoy-external-address` header.
2. XFF is what Envoy uses to determine whether a request is internal origin or external origin. It
does this by checking to see if XFF contains a *single* IP address which is an RFC1918 address.
* **NOTE**: If an internal service proxies an external request to another internal service, and
includes the original XFF header, Envoy will append to it on egress if
:ref:`use_remote_address <config_http_conn_man_use_remote_address>` is set. This will cause
the other side to think the request is external. Generally, this is what is intended if XFF is
being forwarded. If it is not intended, do not forward XFF, and forward
:ref:`config_http_conn_man_headers_x-envoy-internal` instead.
* **NOTE**: If an internal service call is forwarded to another internal service (preserving XFF),
Envoy will not consider it internal. This is a known "bug" due to the simplification of how
XFF is parsed to determine if a request is internal. In this scenario, do not forward XFF and
allow Envoy to generate a new one with a single internal origin IP.
.. _config_http_conn_man_headers_x-forwarded-proto:
x-forwarded-proto
-----------------
It is a common case where a service wants to know what the originating protocol (HTTP or HTTPS) was
of the connection terminated by front/edge Envoy. *x-forwarded-proto* contains this information. It
will be set to either *http* or *https*.
.. _config_http_conn_man_headers_x-request-id:
x-request-id
------------
The *x-request-id* header is used by Envoy to uniquely identify a request as well as perform stable
access logging and tracing. Envoy will generate an *x-request-id* header for all external origin
requests (the header is sanitized). It will also generate an *x-request-id* header for internal
requests that do not already have one. This means that *x-request-id* can and should be propagated
between client applications in order to have stable IDs across the entire mesh. Due to the out of
process architecture of Envoy, the header can not be automatically forwarded by Envoy itself. This
is one of the few areas where a thin client library is needed to perform this duty. How that is done
is out of scope for this documentation. If *x-request-id* is propagated across all hosts, the
following features are available:
* Stable :ref:`access logging <config_access_log>` via the
:ref:`runtime filter<config_http_con_manager_access_log_filters_runtime>`.
* Stable tracing when performing random sampling via the :ref:`tracing.random_sampling
<config_http_conn_man_runtime_random_sampling>` runtime setting or via forced tracing using the
:ref:`config_http_conn_man_headers_x-envoy-force-trace` and
:ref:`config_http_conn_man_headers_x-client-trace-id` headers.
.. _config_http_conn_man_headers_x-ot-span-context:
x-ot-span-context
-----------------
The *x-ot-span-context* HTTP header is used by Envoy to establish proper parent-child relationships
between tracing spans. This header can be used with both LightStep and Zipkin tracers.
For example, an egress span is a child of an ingress
span (if the ingress span was present). Envoy injects the *x-ot-span-context* header on ingress requests and
forwards it to the local service. Envoy relies on the application to propagate *x-ot-span-context* on
the egress call to an upstream. See more on tracing :ref:`here <arch_overview_tracing>`.
.. _config_http_conn_man_headers_x-b3-traceid:
x-b3-traceid
------------
The *x-b3-traceid* HTTP header is used by the Zipkin tracer in Envoy.
The TraceId is 64-bit in length and indicates the overall ID of the
trace. Every span in a trace shares this ID. See more on zipkin tracing
`here <https://github.com/openzipkin/b3-propagation>`.
.. _config_http_conn_man_headers_x-b3-spanid:
x-b3-spanid
-----------
The *x-b3-spanid* HTTP header is used by the Zipkin tracer in Envoy.
The SpanId is 64-bit in length and indicates the position of the current
operation in the trace tree. The value should not be interpreted: it may or
may not be derived from the value of the TraceId. See more on zipkin tracing
`here <https://github.com/openzipkin/b3-propagation>`.
.. _config_http_conn_man_headers_x-b3-parentspanid:
x-b3-parentspanid
-----------------
The *x-b3-parentspanid* HTTP header is used by the Zipkin tracer in Envoy.
The ParentSpanId is 64-bit in length and indicates the position of the
parent operation in the trace tree. When the span is the root of the trace
tree, the ParentSpanId is absent. See more on zipkin tracing
`here <https://github.com/openzipkin/b3-propagation>`.
.. _config_http_conn_man_headers_x-b3-sampled:
x-b3-sampled
------------
The *x-b3-sampled* HTTP header is used by the Zipkin tracer in Envoy.
When the Sampled flag is 1, the soan will be reported to the tracing
system. Once Sampled is set to 0 or 1, the same
value should be consistently sent downstream. See more on zipkin tracing
`here <https://github.com/openzipkin/b3-propagation>`.
.. _config_http_conn_man_headers_x-b3-flags:
x-b3-flags
----------
The *x-b3-flags* HTTP header is used by the Zipkin tracer in Envoy.
The encode one or more options. For example, Debug is encoded as
``X-B3-Flags: 1``. See more on zipkin tracing
`here <https://github.com/openzipkin/b3-propagation>`.