Expand Up @@ -15,6 +15,7 @@ import "envoy/config/trace/v3/http_tracer.proto";
import "envoy/type/http/v3/path_transformation.proto";
import "envoy/type/tracing/v3/custom_tag.proto";
import "envoy/type/v3/percent.proto";
import "envoy/extensions/transport_sockets/tls/v3/common.proto";

import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
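Review bot: the new `import "envoy/extensions/transport_sockets/tls/v3/common.proto";` is out of alphabetical order with the surrounding `envoy/type/...` imports (`extensions` sorts before `type`), and it makes the HTTP connection manager proto depend on a TLS transport-socket extension package for the `SubjectAltNameMatcher` type used later in this diff. Move the import into sorted position and confirm that the cross-extension dependency is acceptable for this file.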
Expand All @@ -37,7 +38,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
// [#extension: envoy.filters.network.http_connection_manager]

// [#next-free-field: 60]
// [#next-free-field: 61]
message HttpConnectionManager {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
Expand Down Expand Up @@ -97,6 +98,13 @@ message HttpConnectionManager {
// Always forward the XFCC header in the request, regardless of whether the
// client connection is mTLS.
ALWAYS_FORWARD_ONLY = 4;

// When the client connection is mTLS, reset the XFCC header with the client or
// append the client certificate information to the request’s XFCC header and send it to the next hop
// based on :ref:`append_forward_matcher
// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.append_forward_matcher>.
// This is useful when we want to control the XFCC header based on whether the client is a trusted client or not.
SANITIZE_SET_OR_APPEND_FORWARD = 5;
}

// Determines the action for request that contain ``%2F``, ``%2f``, ``%5C`` or ``%5c`` sequences in the URI path.
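Review bot: the `SANITIZE_SET_OR_APPEND_FORWARD` comment is ambiguous about the non-matching case: "reset the XFCC header with the client" reads like SANITIZE_SET (replace the header with the current client's details), whereas the `append_forward_matcher` field comment later in this diff says the header "will be sanitized" (removed). The two behaviours give the next hop different information about the downstream chain, so state one behaviour and use the same wording in both places. The `:ref:` to `append_forward_matcher` in this comment is also missing its closing backtick after the `>`, which will break the RST rendering of the API docs.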
Expand Down Expand Up @@ -784,6 +792,12 @@ message HttpConnectionManager {
// value.
SetCurrentClientCertDetails set_current_client_cert_details = 17;

// This field is valid only when :ref:`forward_client_cert_details
// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.forward_client_cert_details>`
// is SANITIZE_SET_OR_APPEND_FORWARD and the client connection is mTLS. If the client certificate matches the matcher,
// the client certificate information will be appended to the request’s XFCC header. Otherwise, the XFCC header will be sanitized.
SubjectAltNameMatcher append_forward_matcher = 60;

Comment on lines +795 to +800

Member @wbpcode wbpcode Oct 24, 2025

The requirement is reasonable, but I think this API is too specific for the feature requirement. I think maybe we can add a generic matcher tree here and make the following result the match result. Then we can get a very flexible and powerful way to customize the client cert forward behavior?

```proto
message ForwardClientCertConfig {
  // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP
  // header.
  ForwardClientCertDetails forward_client_cert_details = 1
      [(validate.rules).enum = {defined_only: true}];
  // This field is valid only when :ref:`forward_client_cert_details
  // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.forward_client_cert_details>`
  // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in
  // the client certificate to be forwarded. Note that in the
  // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, ``Hash`` is always set, and
  // ``By`` is always set when the client certificate presents the URI type Subject Alternative Name
  // value.
  SetCurrentClientCertDetails set_current_client_cert_details = 2;
}
```

Contributor Author

What other generic matching use cases do you anticipate? BTW, filter chain match does not work for us. The same API call can come from both types of clients.

Member @wbpcode wbpcode Oct 25, 2025

> What other generic matching use cases do you anticipate?

With the generic matching, 1. we can use more flexible matching conditions, 2. we can select any behavior based on the matching results and not only the SANITIZE_SET_OR_APPEND_FORWARD, 3. we can also customize the SetCurrentClientCertDetails based on the matching results.

But anyway, I still prefer to use the filter chain matching. We can enhance the filter chain matching to support a SAN matcher (to enhance envoy.config.listener.v3.FilterChainMatch or the filter chain matcher tree envoy.config.listener.v3.filter_chain_matcher).

Contributor Author

I see what you are saying about the filter chain matcher. Let me think about how it works with Istio Ingress Gateway.

Member

/wait-any

// If proxy_100_continue is true, Envoy will proxy incoming "Expect:
// 100-continue" headers upstream, and forward "100 Continue" responses
// downstream. If this is false or not set, Envoy will instead strip the
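Review bot: the `append_forward_matcher` comment says the field is only valid with `SANITIZE_SET_OR_APPEND_FORWARD`, but nothing states or validates the converse: what the connection manager does when `SANITIZE_SET_OR_APPEND_FORWARD` is selected and no matcher is configured. Either reject that combination at config validation time or document the fallback (treating an absent matcher as "no match", so the header is sanitized, is the conservative choice), since silently appending for every mTLS client would defeat the purpose of the option. The comment should also say how the new mode behaves on non-mTLS connections, as the other enum values do. The field number 60 is consistent with the `#next-free-field` bump to 61 above.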