Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability to remove HTTP response headers in the HTTP connection manager after HTTP filters have executed #37946

Open
henrymwang opened this issue Jan 9, 2025 · 2 comments
Open

Add ability to remove HTTP response headers in the HTTP connection manager after HTTP filters have executed #37946

henrymwang opened this issue Jan 9, 2025 · 2 comments
Labels
area/http enhancement Feature requests. Not bugs or questions.

Comments

@henrymwang
Copy link
Contributor

Title: Add ability to remove HTTP response headers in the HTTP connection manager after HTTP filters have executed

Description:
The HTTP connection manager offers early header request mutations which run before HTTP filters:

We have a similar need for stripping response headers after HTTP filters have executed. This would be useful in situations where HTTP filters might add response headers unintentionally that we'd like to ensure are never leaked.

This could be implemented by adding a new field to the HTTP connection manager config and updating encodeHeaders here,

envoy/source/common/http/conn_manager_impl.cc

Line 1788 in 0038ebb

ConnectionManagerUtility::mutateResponseHeaders(
.

We can prepare a patch if this sounds reasonable.

[optional Relevant Links:]

Any extra documentation required to understand the issue.
@henrymwang henrymwang added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Jan 9, 2025
@zuercher zuercher added area/http and removed triage Issue requires triage labels Jan 9, 2025
@zuercher
Copy link
Member

zuercher commented Jan 9, 2025

I sort of expected response_headers_to_remove to handle this, but I don't think it does (maybe it used to).

cc @alyssawilk

@henrymwang
Copy link
Contributor Author

I sort of expected response_headers_to_remove to handle this, but I don't think it does (maybe it used to).

For a test: I added a network listener with 2 http filters: health-check filter in no pass through mode, then the http router filter. The http health-check filter adds some headers and uses localReply if it matches the /healthy (responds with a 200). When I curl the health path, it always returns the header x-envoy-upstream-healthchecked-cluster, which is automatically added by the http healthcheck filter.

Because the http router filter is last, it also modifies response headers first so it's too late then. Another option might be adding a filter in front to remove the response headers but it would require extra care about filter ordering. My proposal is to add this ability to unconditionally remove response headers, even ones added by http filters running before the http router.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/http enhancement Feature requests. Not bugs or questions.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zuercher @henrymwang