Add support for host_rewrite_header (#9608)

* add it to the proto * add plugin * add changelog * Adding changelog file to new location * Deleting changelog file from old location * add validation * remove old entry * Adding changelog file to new location * Deleting changelog file from old location * dont remove exposed method * update changelog * update changelog * Update changelog/v1.18.0-beta1/add-host-rewrite-header.yaml Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io> * update changelog * update changelog * address comments --------- Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com> Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io>
solo-io · Jun 14, 2024 · a6d9362 · a6d9362
1 parent cdab066
commit a6d9362
Show file tree

Hide file tree

Showing 16 changed files with 499 additions and 274 deletions.
diff --git a/changelog/v1.18.0-beta1/add-host-rewrite-header.yaml b/changelog/v1.18.0-beta1/add-host-rewrite-header.yaml
@@ -0,0 +1,11 @@
+changelog:
+- type: NEW_FEATURE
+  issueLink: https://github.com/solo-io/gloo/issues/9579
+  resolvesIssue: false
+  description: >-
+    Adds the `host_rewrite_header` to the route options to allow envoy to swapped the host header with the content of given downstream or custom header. Pay attention to the potential security implications of using this option. Provided header must come from trusted source.
+- type: FIX
+  issueLink: https://github.com/solo-io/gloo/issues/9622
+  resolvesIssue: true
+  description: >-
+    Previously, header names consisting of invalid characters such as '()[]:;,<=>' were accepted when passed via the healthCheck or headerManipulation `requestHeadersToAdd` parameter. This resulted in envoy throwing an `invalid header name` error. Now, header names are validated according to RFC 9110, which is the same validation used by envoy. If a header name consisting of invalid characters is passed via the aforementioned parameters, it is caught and rejected in edge and does not propagate to envoy.
diff --git a/.../reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk.md b/.../reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk.md
diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml
@@ -388,6 +388,9 @@ spec:
                     type: object
                   hostRewrite:
                     type: string
+                  hostRewriteHeader:
+                    nullable: true
+                    type: string
                   hostRewritePathRegex:
                     properties:
                       pattern:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml
@@ -498,6 +498,9 @@ spec:
                           type: object
                         hostRewrite:
                           type: string
+                        hostRewriteHeader:
+                          nullable: true
+                          type: string
                         hostRewritePathRegex:
                           properties:
                             pattern:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml
@@ -3331,6 +3331,9 @@ spec:
                               type: object
                             hostRewrite:
                               type: string
+                            hostRewriteHeader:
+                              nullable: true
+                              type: string
                             hostRewritePathRegex:
                               properties:
                                 pattern:

diff --git a/pkg/utils/api_conversion/type.go b/pkg/utils/api_conversion/type.go
@@ -7,6 +7,7 @@ import (
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	envoytype_gloo "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/type"
 	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
+	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/utils/headers"
 	envoycore_sk "github.com/solo-io/solo-kit/pkg/api/external/envoy/api/v2/core"
 	"github.com/solo-io/solo-kit/pkg/errors"
 )
@@ -71,6 +72,15 @@ func ToEnvoyHeaderValueOptionList(option []*envoycore_sk.HeaderValueOption, secr
 	return result, nil
 }
 
+// validateCustomHeaders checks whether the custom header is allowed to be modified as per https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#custom-request-response-headers
+// and validates the whether the header will be accepted by envoy
+func validateCustomHeaders(header envoycore_sk.HeaderValue) error {
+	if err := CheckForbiddenCustomHeaders(header); err != nil {
+		return err
+	}
+	return headers.ValidateHeaderKey(header.GetKey())
+}
+
 // CheckForbiddenCustomHeaders checks whether the custom header is allowed to be modified as per https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#custom-request-response-headers
 func CheckForbiddenCustomHeaders(header envoycore_sk.HeaderValue) error {
 	key := header.GetKey()
@@ -90,7 +100,7 @@ func ToEnvoyHeaderValueOptions(option *envoycore_sk.HeaderValueOption, secrets *
 
 	switch typedOption := option.GetHeaderOption().(type) {
 	case *envoycore_sk.HeaderValueOption_Header:
-		if err := CheckForbiddenCustomHeaders(*typedOption.Header); err != nil {
+		if err := validateCustomHeaders(*typedOption.Header); err != nil {
 			return nil, err
 		}
 		return []*envoy_config_core_v3.HeaderValueOption{

diff --git a/projects/gloo/api/v1/options.proto b/projects/gloo/api/v1/options.proto
@@ -92,10 +92,10 @@ message ListenerOptions {
     ConnectionBalanceConfig connection_balance_config = 6;
 
     // If enabled this sets up an early access logging service for the listener.
-    // Added initially to support listener level logging for HTTP listeners. 
+    // Added initially to support listener level logging for HTTP listeners.
     // For more info see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
     als.options.gloo.solo.io.AccessLoggingService listener_access_logging_service = 7;
-    
+
 }
 
 // Configuration for listener connection balancing.
@@ -421,6 +421,11 @@ message RouteOptions {
         // Indicates that during forwarding, the host header will be swapped with the result of the regex
         // substitution executed on path value with query and fragment removed.
         .solo.io.envoy.type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 101;
+
+        // Indicates that during forwarding, the host header will be swapped with the content of given downstream or custom header.
+        // If header value is empty, host header is left intact.
+        // Using this option will append the x-forwarded-host header if append_x_forwarded_host is set.
+        google.protobuf.StringValue host_rewrite_header = 147;
     };
     // If true and there is a host rewrite, appends the x-forwarded-host header to requests.
     google.protobuf.BoolValue append_x_forwarded_host = 146;

diff --git a/projects/gloo/pkg/api/v1/options.pb.clone.go b/projects/gloo/pkg/api/v1/options.pb.clone.go
diff --git a/projects/gloo/pkg/api/v1/options.pb.equal.go b/projects/gloo/pkg/api/v1/options.pb.equal.go