HTTP header manipulation¶

The HTTP connection manager manipulates several HTTP headers both during decoding (when the request is being received) and during encoding (when the response is being sent).

:scheme¶

Envoy will always set the :scheme header while processing a request. It should always be available to filters, and should be forwarded upstream for HTTP/2 and HTTP/3, whereas x-forwarded-proto will be sent for HTTP/1.1.

For HTTP/2 and HTTP/3, incoming :scheme headers are trusted and propagated upstream. For HTTP/1, the :scheme header will be set:

  1. From the absolute URL, if present and valid. An invalid (not "http" or "https") scheme, or an https scheme over an unencrypted connection, will result in Envoy rejecting the request. This is the only scheme validation Envoy performs, as it avoids an HTTP/1.1-specific privilege escalation attack against edge Envoys which has no comparable vector for HTTP/2 and above.
  2. From the value of the x-forwarded-proto header after sanitization (a valid x-forwarded-proto from a trusted downstream is kept; otherwise the value is based on the downstream encryption level).

This default behavior can be overridden via the scheme_header_transformation configuration option.
The :scheme header will be used by Envoy over x-forwarded-proto where the URI scheme is what matters, for example serving content from cache based on the :scheme header rather than X-Forwarded-Proto, or setting the scheme of redirects based on the scheme of the original URI. See "Why is Envoy operating on X-Forwarded-Proto instead of :scheme or vice-versa?" for more details.

user-agent¶

The user-agent header may be set by the connection manager during decoding if the add_user_agent option is enabled. The header is only modified if it is not already set. If the connection manager does set the header, the value is determined by the --service-cluster command line option.

server¶

The server header will be set during encoding to the value in the server_name option.

referer¶

The referer header will be sanitized during decoding. Multiple URLs or invalid URLs will be removed.

x-client-trace-id¶

If an external client sets this header, Envoy will join the provided trace ID with the internally generated x-request-id. x-client-trace-id needs to be globally unique, and generating a uuid4 is recommended. If this header is set, it has a similar effect to x-envoy-force-trace. See the tracing.client_enabled runtime configuration setting.

x-envoy-downstream-service-cluster¶

Internal services often want to know which service is calling them. This header is cleaned from external requests, but for internal requests will contain the service cluster of the caller. Note that in the current implementation this should be considered a hint, as it is set by the caller and could be easily spoofed by any internal entity. In the future Envoy will support a mutual authentication TLS mesh which will make this header fully secure. Like user-agent, the value is determined by the --service-cluster command line option. In order to enable this feature you need to set the user_agent option to true.

x-envoy-downstream-service-node¶

Internal services may want to know which downstream node a request comes from. This header is quite similar to x-envoy-downstream-service-cluster, except that the value is taken from the --service-node option.

x-envoy-external-address¶

It is a common case where a service wants to perform analytics based on the origin client's IP address. Per the lengthy discussion on XFF, this can get quite complicated, so Envoy simplifies this by setting x-envoy-external-address to the trusted client address if the request is from an external client. x-envoy-external-address is not set or overwritten for internal requests. This header can be safely forwarded between internal services for analytics purposes without having to deal with the complexities of XFF.

x-envoy-force-trace¶

If an internal request sets this header, Envoy will modify the generated x-request-id such that it forces traces to be collected. This also forces x-request-id to be returned in the response headers. If this request ID is then propagated to other hosts, traces will also be collected on those hosts, which will provide a consistent trace for an entire request flow. See the tracing.global_enabled and tracing.random_sampling runtime configuration settings.

x-envoy-internal¶

It is a common case where a service wants to know whether a request is of internal origin or not. Envoy uses XFF to determine this and will then set the header value to true.
This is a convenience to avoid having to parse and understand XFF.

x-envoy-original-dst-host¶

The header used to override the destination address when using the Original Destination load balancing policy.
It is ignored unless its use is enabled via use_http_header.

x-forwarded-client-cert¶

x-forwarded-client-cert (XFCC) is a proxy header which indicates certificate information of part or all of the clients or proxies that a request has flowed through, on its way from the client to the server. A proxy may choose to sanitize/append/forward the XFCC header before proxying the request.
The XFCC header value is a comma (",") separated string. Each substring is an XFCC element, which holds information added by a single proxy. A proxy can append the current client certificate information as an XFCC element to the end of the request's XFCC header after a comma.
Each XFCC element is a semicolon (";") separated string. Each substring is a key-value pair, joined by an equals ("=") sign. The keys are case-insensitive, the values are case-sensitive. If ",", ";" or "=" appear in a value, the value should be double-quoted. Double-quotes in the value should be replaced by backslash-double-quote (\").
The following keys are supported:

  1. By The Subject Alternative Name (URI type) of the current proxy's certificate. The current proxy's certificate may contain multiple URI type Subject Alternative Names, each of which will be a separate key-value pair.
  2. Hash The SHA 256 digest of the current client certificate.
  3. Cert The entire client certificate in URL encoded PEM format.
  4. Chain The entire client certificate chain (including the leaf certificate) in URL encoded PEM format.
  5. Subject The Subject field of the current client certificate. The value is always double-quoted.
  6. URI The URI type Subject Alternative Name field of the current client certificate. A client certificate may contain multiple URI type Subject Alternative Names, each of which will be a separate key-value pair.
  7. DNS The DNS type Subject Alternative Name field of the current client certificate. A client certificate may contain multiple DNS type Subject Alternative Names, each of which will be a separate key-value pair.

A client certificate may contain multiple Subject Alternative Name types. For details on the different Subject Alternative Name types, please consult RFC 2459.
Some examples of the XFCC header are:

  1. For one client certificate with only a URI type Subject Alternative Name: x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";URI=http://testclient.lyft.com
  2. For two client certificates with only URI type Subject Alternative Names: x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;URI=http://testclient.lyft.com,By=http://backend.lyft.com;Hash=9ba61d6425303443c0748a02dd8de688468ed33be74eee6556d90c0149c1309e;URI=http://frontend.lyft.com
  3. For one client certificate with both URI type and DNS type Subject Alternative Names: x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";URI=http://testclient.lyft.com;DNS=lyft.com;DNS=www.lyft.com

How Envoy processes XFCC is specified by the forward_client_cert_details and the set_current_client_cert_details HTTP connection manager options. If forward_client_cert_details is unset, the XFCC header will be sanitized by default.
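The grammar above is easy to get wrong when a Subject contains commas or equals signs, which is exactly what a backend that makes authorization decisions on XFCC has to handle. The following parser and serializer are an added example written for this page, not Envoy's code: they implement the comma/semicolon/equals structure, case-insensitive keys, quoting of values that contain separators and backslash-escaped embedded quotes. The three header values from the examples above are embedded as constants; the value named CONSTRUCTED is made up for this example to exercise the quoting rules.

```python
"""Parser and serializer for the x-forwarded-client-cert (XFCC) header grammar.

Added example written for this page, not Envoy code. It follows the format
described above: elements separated by commas, key=value pairs separated by
semicolons, case-insensitive keys, case-sensitive values, double-quoted values
when they contain ',', ';' or '=', and embedded double quotes written as \".
Keys that may repeat (By, URI, DNS) are collected as lists.
"""
from typing import Dict, List, Sequence, Tuple

# The three header values given as examples on the page.
EXAMPLE_1 = ('By=http://frontend.lyft.com;'
             'Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;'
             'Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";'
             'URI=http://testclient.lyft.com')
EXAMPLE_2 = ('By=http://frontend.lyft.com;'
             'Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;'
             'URI=http://testclient.lyft.com,'
             'By=http://backend.lyft.com;'
             'Hash=9ba61d6425303443c0748a02dd8de688468ed33be74eee6556d90c0149c1309e;'
             'URI=http://frontend.lyft.com')
EXAMPLE_3 = ('By=http://frontend.lyft.com;'
             'Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;'
             'Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";'
             'URI=http://testclient.lyft.com;DNS=lyft.com;DNS=www.lyft.com')
# Constructed element (not from the page) whose Subject contains every
# character that forces quoting, plus an escaped embedded quote.
CONSTRUCTED = 'By=spiffe://mesh.example/gateway;Subject="O=Acme, Inc.;CN=\\"quoted\\""'


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, leaving separators inside double-quoted runs intact.
    A backslash inside quotes escapes the following character."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quotes and ch == "\\" and i + 1 < len(text):
            buf.append(ch)
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unquote(value: str) -> str:
    """Strip surrounding double quotes and unescape \" inside them."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_xfcc(header: str) -> List[Dict[str, List[str]]]:
    """Return one dict per XFCC element (one per proxy hop), keys lower-cased."""
    elements: List[Dict[str, List[str]]] = []
    for raw_element in _split_outside_quotes(header, ","):
        if not raw_element.strip():
            continue
        element: Dict[str, List[str]] = {}
        for pair in _split_outside_quotes(raw_element, ";"):
            pair = pair.strip()
            if not pair:
                continue
            key, eq, value = pair.partition("=")
            if not eq:
                raise ValueError(f"XFCC pair without '=': {pair!r}")
            element.setdefault(key.strip().lower(), []).append(_unquote(value.strip()))
        elements.append(element)
    return elements


def format_xfcc_element(pairs: Sequence[Tuple[str, str]]) -> str:
    """Serialize one element, quoting where the grammar requires it; Subject is
    always quoted, as the key table states."""
    rendered = []
    for key, value in pairs:
        if key.lower() == "subject" or any(c in value for c in ',;="'):
            value = '"' + value.replace('"', '\\"') + '"'
        rendered.append(f"{key}={value}")
    return ";".join(rendered)


def append_element(header: str, element: str) -> str:
    """What a forwarding proxy does: append its own element after a comma."""
    return f"{header},{element}" if header else element


if __name__ == "__main__":
    for hop, element in enumerate(parse_xfcc(EXAMPLE_2), start=1):
        print(f"hop {hop}: By={element['by']} Hash={element['hash'][0][:16]}...")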

x-forwarded-for¶

x-forwarded-for (XFF) is a standard proxy header which indicates the IP addresses that a request has flowed through on its way from the client to the server. A compliant proxy will append the IP address of the nearest client to the XFF list before proxying the request. Some examples of XFF are:

  1. x-forwarded-for: 50.0.0.1 (single client)
  2. x-forwarded-for: 50.0.0.1, 40.0.0.1 (external proxy hop)
  3. x-forwarded-for: 50.0.0.1, 10.0.0.1 (internal proxy hop)

Envoy will only append to XFF if the use_remote_address HTTP connection manager option is set to true and skip_xff_append is set to false. This means that if use_remote_address is false (which is the default) or skip_xff_append is true, the connection manager operates in a transparent mode where it does not modify XFF.
Attention
In general, use_remote_address should be set to true when Envoy is deployed as an edge node (aka a front proxy), whereas it may need to be set to false when Envoy is used as an internal service node in a mesh deployment.
The value of use_remote_address controls how Envoy determines the trusted client address. Given an HTTP request that has traveled through a series of zero or more proxies to reach Envoy, the trusted client address is the earliest source IP address that is known to be accurate. The source IP address of the immediate downstream node's connection to Envoy is trusted. XFF sometimes can be trusted. Malicious clients can forge XFF, but the last address in XFF can be trusted if it was put there by a trusted proxy.
Alternatively, Envoy supports extensions for determining the trusted client address or original IP address.
Note
The use of such extensions cannot be combined with use_remote_address or xff_num_trusted_hops.
Envoy's default rules for determining the trusted client address (before appending anything to XFF) are:

  • If use_remote_address is false and an XFF containing at least one IP address is present in the request, the trusted client address is the last (rightmost) IP address in XFF.
  • Otherwise, the trusted client address is the source IP address of the immediate downstream node's connection to Envoy.

In an environment where there are one or more trusted proxies in front of an edge Envoy instance, the xff_num_trusted_hops configuration option can be used to trust additional addresses from XFF:

  • If use_remote_address is false and xff_num_trusted_hops is set to a value N that is greater than zero, the trusted client address is the (N+1)th address from the right end of XFF. (If the XFF contains fewer than N+1 addresses, Envoy falls back to using the immediate downstream connection's source address as the trusted client address.)
  • If use_remote_address is true and xff_num_trusted_hops is set to a value N that is greater than zero, the trusted client address is the Nth address from the right end of XFF. (If the XFF contains fewer than N addresses, Envoy falls back to using the immediate downstream connection's source address as the trusted client address.)

Envoy uses the trusted client address to determine whether a request originated externally or internally. This influences whether the x-envoy-internal header is set.

Example 1: Envoy as edge proxy, without a trusted proxy in front of it
  Settings:
    use_remote_address = true
    xff_num_trusted_hops = 0
  Request details:
    Downstream IP address = 192.0.2.5
    XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1"
  Result:
    Trusted client address = 192.0.2.5 (XFF is ignored)
    X-Envoy-External-Address is set to 192.0.2.5
    XFF is changed to "203.0.113.128, 203.0.113.10, 203.0.113.1, 192.0.2.5"
    X-Envoy-Internal is removed (if it was present in the incoming request)

Example 2: Envoy as internal proxy, with the Envoy edge proxy from Example 1 in front of it
  Settings:
    use_remote_address = false
    xff_num_trusted_hops = 0
  Request details:
    Downstream IP address = 10.11.12.13 (address of the Envoy edge proxy)
    XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1, 192.0.2.5"
  Result:
    Trusted client address = 192.0.2.5 (last address in XFF is trusted)
    X-Envoy-External-Address is not modified
    X-Envoy-Internal is removed (if it was present in the incoming request)

Example 3: Envoy as edge proxy, with two trusted external proxies in front of it
  Settings:
    use_remote_address = true
    xff_num_trusted_hops = 2
  Request details:
    Downstream IP address = 192.0.2.5
    XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1"
  Result:
    Trusted client address = 203.0.113.10 (2nd to last address in XFF is trusted)
    X-Envoy-External-Address is set to 203.0.113.10
    XFF is changed to "203.0.113.128, 203.0.113.10, 203.0.113.1, 192.0.2.5"
    X-Envoy-Internal is removed (if it was present in the incoming request)

Example 4: Envoy as internal proxy, with the edge proxy from Example 3 in front of it
  Settings:
    use_remote_address = false
    xff_num_trusted_hops = 2
  Request details:
    Downstream IP address = 10.11.12.13 (address of the Envoy edge proxy)
    XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1, 192.0.2.5"
  Result:
    Trusted client address = 203.0.113.10
    X-Envoy-External-Address is not modified
    X-Envoy-Internal is removed (if it was present in the incoming request)

Example 5: Envoy as an internal proxy, receiving a request from an internal client
  Settings:
    use_remote_address = false
    xff_num_trusted_hops = 0
  Request details:
    Downstream IP address = 10.20.30.40 (address of the internal client)
    XFF is not present
  Result:
    Trusted client address = 10.20.30.40
    X-Envoy-External-Address remains unset
    X-Envoy-Internal is set to "false"

Example 6: The internal Envoy from Example 5, receiving a request proxied by another Envoy
  Settings:
    use_remote_address = false
    xff_num_trusted_hops = 0
  Request details:
    Downstream IP address = 10.20.30.50 (address of the Envoy instance proxying to this one)
    XFF = "10.20.30.40"
  Result:
    Trusted client address = 10.20.30.40
    X-Envoy-External-Address remains unset
    X-Envoy-Internal is set to "true"

A few very important notes about XFF:

  1. If use_remote_address is set to true, Envoy sets the x-envoy-external-address header to the trusted client address.
  2. XFF is what Envoy uses to determine whether a request is of internal origin or external origin. If use_remote_address is set to true, the request is internal if and only if the request contains no XFF and the immediate downstream node's connection to Envoy has an internal (RFC1918 or RFC4193) source address. If use_remote_address is false, the request is internal if and only if XFF contains a single RFC1918 or RFC4193 address.
    • NOTE: If an internal service proxies an external request to another internal service, and includes the original XFF header, Envoy will append to it on egress if use_remote_address is set. This will cause the other side to think the request is external. Generally, this is what is intended if XFF is being forwarded. If it is not intended, do not forward XFF, and forward x-envoy-internal instead.
    • NOTE: If an internal service call is forwarded to another internal service (preserving XFF), Envoy will not consider it internal. This is a known "bug" due to the simplification of how XFF is parsed to determine if a request is internal. In this scenario, do not forward XFF and allow Envoy to generate a new one with a single internal origin IP.
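Because the trusted-client-address rules, the xff_num_trusted_hops fallbacks and the internal/external test interact, it helps to see them in one place and run the six worked examples through them. The function below is an added example written for this page, not Envoy's implementation: it models only the rules stated in this section (use_remote_address, xff_num_trusted_hops, skip_xff_append, the RFC1918/RFC4193 internal test from note 2, the x-envoy-external-address rule from note 1, and the XFF append rule). x-envoy-internal is set to true for internal requests and otherwise removed, as Examples 1 to 4 describe. The IP addresses are those of the examples above; the fallback case at the end of the test is constructed.

```python
"""Trusted-client-address, XFF append and x-envoy-internal logic from the rules above.

Added example written for this page; it is not Envoy's code and models only
the documented rules. Header names are lower-cased.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC1918 (IPv4 private) and RFC4193 (IPv6 unique local) ranges, which is how
# the XFF notes define "internal". ipaddress's is_private is deliberately not
# used: it also matches documentation ranges such as 192.0.2.0/24, which the
# examples use for external addresses.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _INTERNAL_NETS)


def parse_xff(value: Optional[str]) -> List[str]:
    """Split an XFF value into its addresses, left (oldest) to right (nearest)."""
    if not value:
        return []
    return [a.strip() for a in value.split(",") if a.strip()]


@dataclass
class XffDecision:
    trusted_client_address: str
    internal: bool
    headers: Dict[str, str]  # request headers after manipulation


def process_request(use_remote_address: bool, xff_num_trusted_hops: int,
                    downstream_ip: str, headers: Dict[str, str],
                    skip_xff_append: bool = False) -> XffDecision:
    out = {k.lower(): v for k, v in headers.items()}
    xff = parse_xff(out.get("x-forwarded-for"))
    n = xff_num_trusted_hops

    # 1. Trusted client address, decided before anything is appended to XFF.
    if use_remote_address:
        # Nth address from the right when N > 0 and present, else the peer address.
        trusted = xff[-n] if n > 0 and len(xff) >= n else downstream_ip
    elif n > 0:
        # (N+1)th address from the right, falling back to the peer address.
        trusted = xff[-(n + 1)] if len(xff) >= n + 1 else downstream_ip
    else:
        # Default rule: last (rightmost) XFF address if any, else the peer address.
        trusted = xff[-1] if xff else downstream_ip

    # 2. Internal-origin determination (note 2 above).
    if use_remote_address:
        internal = not xff and is_internal_ip(downstream_ip)
    else:
        internal = len(xff) == 1 and is_internal_ip(xff[0])

    # 3. x-envoy-internal is only ever set by this hop; a client-supplied copy
    #    is removed so an external caller cannot claim to be internal.
    if internal:
        out["x-envoy-internal"] = "true"
    else:
        out.pop("x-envoy-internal", None)

    # 4. x-envoy-external-address (note 1): set to the trusted address when
    #    use_remote_address is true and the request is external; never set or
    #    overwritten for internal requests, untouched when use_remote_address
    #    is false.
    if use_remote_address and not internal:
        out["x-envoy-external-address"] = trusted

    # 5. XFF is appended to only with use_remote_address and no skip_xff_append.
    if use_remote_address and not skip_xff_append:
        out["x-forwarded-for"] = ", ".join(xff + [downstream_ip])

    return XffDecision(trusted, internal, out)


if __name__ == "__main__":
    # Example 1 from the page: edge proxy, no trusted proxy in front.
    d = process_request(True, 0, "192.0.2.5",
                        {"x-forwarded-for": "203.0.113.128, 203.0.113.10, 203.0.113.1"})
    print(d.trusted_client_address, d.internal, d.headers)
```

Run as a script it prints the outcome of Example 1; the test below checks all six examples plus the "fewer than N+1 addresses" fallback.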

x-forwarded-host¶

The x-forwarded-host header is a de-facto standard proxy header which indicates the original host requested by the client in the :authority (host in HTTP/1) header. A compliant proxy appends the original value of the :authority header to x-forwarded-host only if the :authority header is modified.
Envoy updates the :authority header if a host rewrite option (one of host_rewrite_literal, auto_host_rewrite, host_rewrite_header, or host_rewrite_path_regex) is used, and appends its original value to x-forwarded-host if append_x_forwarded_host is set.

x-forwarded-proto¶

It is a common case where a service wants to know what the originating protocol (HTTP or HTTPS) of the connection terminated by the front/edge Envoy was. x-forwarded-proto contains this information. It will be set to either http or https.
Downstream x-forwarded-proto headers will only be trusted if xff_num_trusted_hops is non-zero. If xff_num_trusted_hops is zero, downstream x-forwarded-proto headers and :scheme headers will be set to http or https based on whether the downstream connection is TLS or not.
If the scheme is changed via the scheme_header_transformation configuration option, x-forwarded-proto will be updated as well.
The x-forwarded-proto header will be used by Envoy over :scheme where the underlying encryption is what matters, for example authorizing default ports based on x-forwarded-proto. See "Why is Envoy operating on X-Forwarded-Proto instead of :scheme or vice-versa?" for more details.
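The :scheme rules at the top of the page and the x-forwarded-proto trust rule in this section are two views of one decision: where does the scheme of an HTTP/1 request come from, and when is a client-supplied x-forwarded-proto believed. The code below is an added example written for this page, not Envoy's implementation. It encodes exactly the stated rules: for HTTP/2 and HTTP/3 the incoming :scheme is trusted; for HTTP/1 the scheme comes from a valid absolute request URL (rejecting an invalid scheme or https over a plaintext connection), otherwise from x-forwarded-proto, which is kept only when xff_num_trusted_hops is non-zero and the value is valid, and is otherwise replaced according to the downstream TLS state. The Request dataclass and the treatment of a missing :scheme on HTTP/2 as malformed are this example's assumptions.

```python
"""How :scheme and x-forwarded-proto are derived for an incoming request.

Added example for this page, not Envoy's implementation; it encodes only the
rules stated in the :scheme and x-forwarded-proto sections.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

VALID_SCHEMES = ("http", "https")


class RequestRejected(Exception):
    """Raised where the text says Envoy rejects the request."""


@dataclass(frozen=True)
class Request:
    """Constructed model of the inputs the decision needs (example's assumption)."""
    http_version: str              # "1.1", "2" or "3"
    target: str                    # request-target: "/path" or an absolute URL
    downstream_tls: bool           # was the downstream connection TLS?
    x_forwarded_proto: Optional[str] = None
    scheme: Optional[str] = None   # :scheme pseudo-header (HTTP/2 and HTTP/3 only)


def sanitize_x_forwarded_proto(req: Request, xff_num_trusted_hops: int) -> str:
    """Keep a downstream x-forwarded-proto only from a trusted downstream
    (xff_num_trusted_hops > 0) and only when it is a valid value; otherwise set
    it from the downstream connection's encryption."""
    if xff_num_trusted_hops > 0 and req.x_forwarded_proto in VALID_SCHEMES:
        return req.x_forwarded_proto
    return "https" if req.downstream_tls else "http"


def determine_scheme(req: Request, xff_num_trusted_hops: int = 0) -> str:
    """Return the :scheme value Envoy would carry for this request, or raise."""
    if req.http_version in ("2", "3"):
        if req.scheme is None:
            # Assumption for this example: a missing pseudo-header is malformed.
            raise RequestRejected("missing :scheme pseudo-header")
        return req.scheme                      # trusted and propagated upstream
    # HTTP/1, rule 1: the absolute URL if present and valid.
    parts = urlsplit(req.target)
    if parts.scheme and parts.netloc:
        scheme = parts.scheme.lower()
        if scheme not in VALID_SCHEMES:
            raise RequestRejected(f"invalid scheme {scheme!r} in absolute URL")
        if scheme == "https" and not req.downstream_tls:
            raise RequestRejected("https scheme over an unencrypted connection")
        return scheme
    # HTTP/1, rule 2: the sanitized x-forwarded-proto value.
    return sanitize_x_forwarded_proto(req, xff_num_trusted_hops)


def is_rejected(req: Request, xff_num_trusted_hops: int = 0) -> bool:
    """True when the rules above reject the request outright."""
    try:
        determine_scheme(req, xff_num_trusted_hops)
        return False
    except RequestRejected:
        return True


if __name__ == "__main__":
    plain = Request("1.1", "/", downstream_tls=False, x_forwarded_proto="https")
    print("hops=0:", determine_scheme(plain, 0), " hops=1:", determine_scheme(plain, 1))
```

With xff_num_trusted_hops at 0 (the default), a client on a plaintext connection cannot talk an edge Envoy into an https scheme by sending x-forwarded-proto: https; the header is rewritten to http. Only a deployment that has declared a trusted proxy in front of Envoy inherits that proxy's value.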

x-request-id¶

The x-request-id header is used by Envoy to uniquely identify a request as well as to perform stable access logging and tracing. Envoy will generate an x-request-id header for all external origin requests (the header is sanitized). It will also generate an x-request-id header for internal requests that do not already have one. This means that x-request-id can and should be propagated between client applications in order to have stable IDs across the entire mesh. Due to the out-of-process architecture of Envoy, the header cannot be automatically forwarded by Envoy itself. This is one of the few areas where a thin client library is needed to perform this duty. How that is done is out of scope for this documentation. If x-request-id is propagated across all hosts, the following features are available:

  • Stable access logging via the v3 API runtime filter.
  • Stable tracing when performing random sampling via the tracing.random_sampling runtime setting, or via forced tracing using the x-envoy-force-trace and x-client-trace-id headers.

See the architecture overview on context propagation for more information .

x-ot-span-context¶

The x-ot-span-context HTTP header is used by Envoy to establish proper parent-child relationships between tracing spans when used with the LightStep tracer. For example, an egress span is a child of an ingress span (if the ingress span was present). Envoy injects the x-ot-span-context header on ingress requests and forwards it to the local service. Envoy relies on the application to propagate x-ot-span-context on the egress call to an upstream. See more on tracing here.

x-b3-traceid¶

The x-b3-traceid HTTP header is used by the Zipkin tracer in Envoy. The TraceId is 64-bit in length and indicates the overall ID of the trace. Every span in a trace shares this ID. See more on Zipkin tracing here.

x-b3-spanid¶

The x-b3-spanid HTTP header is used by the Zipkin tracer in Envoy. The SpanId is 64-bit in length and indicates the position of the current operation in the trace tree. The value should not be interpreted: it may or may not be derived from the value of the TraceId. See more on Zipkin tracing here.

x-b3-parentspanid¶

The x-b3-parentspanid HTTP header is used by the Zipkin tracer in Envoy. The ParentSpanId is 64-bit in length and indicates the position of the parent operation in the trace tree. When the span is the root of the trace tree, the ParentSpanId is absent. See more on Zipkin tracing here.

x-b3-sampled¶

The x-b3-sampled HTTP header is used by the Zipkin tracer in Envoy. When the Sampled flag is either not specified or set to 1, the span will be reported to the tracing system. Once Sampled is set to 0 or 1, the same value should be consistently sent downstream. See more on Zipkin tracing here.

x-b3-flags¶

The x-b3-flags HTTP header is used by the Zipkin tracer in Envoy. It encodes one or more options. For example, Debug is encoded as X-B3-Flags: 1. See more on Zipkin tracing here.

b3¶

The b3 HTTP header is used by the Zipkin tracer in Envoy. It is a more compressed header format. See more on Zipkin tracing here.

x-datadog-trace-id¶

The x-datadog-trace-id HTTP header is used by the Datadog tracer in Envoy. The 64-bit value represents the ID of the overall trace, and is used to correlate the spans.

x-datadog-parent-id¶

The x-datadog-parent-id HTTP header is used by the Datadog tracer in Envoy. The 64-bit value uniquely identifies the span within the trace, and is used to create parent-child relationships between spans .

x-datadog-sampling-priority¶

The x-datadog-sampling-priority HTTP header is used by the Datadog tracer in Envoy. The integer value indicates the sampling decision that has been made for this trace. A value of 0 indicates that the trace should not be collected, and a value of 1 requests that spans are sampled and reported.

sw8¶

The sw8 HTTP header is used by the SkyWalking tracer in Envoy. It contains the key tracing context for the SkyWalking tracer and is used to establish the relationship between the tracing spans of the downstream and Envoy. See more on SkyWalking tracing here.

x-amzn-trace-id¶

The x-amzn-trace-id HTTP header is used by the AWS X-Ray tracer in Envoy. The trace ID, parent ID and sampling decision are added to HTTP requests in the trace header. See more on AWS X-Ray tracing here.

Custom request/response headers¶

Custom request/response headers can be added to a request/response at the weighted cluster, route, virtual host, and/or global route configuration level. See the v3 API documentation.
Neither :-prefixed pseudo-headers nor the host: header may be modified via this mechanism. The :path and :authority headers may instead be modified via mechanisms such as prefix_rewrite, regex_rewrite, and host_rewrite.
Headers are appended to requests/responses in the following order: weighted cluster level headers, route level headers, virtual host level headers and finally global level headers.
Envoy supports adding dynamic values to request and response headers. The percent symbol (%) is used to delimit variable names.
Attention
If a literal percent symbol (%) is desired in a request/response header, it must be escaped by doubling it. For example, to emit a header with the value 100%, the custom header value in the Envoy configuration must be 100%%.
Supported variable names are:

%DOWNSTREAM_REMOTE_ADDRESS%
Remote address of the downstream connection. If the address is an IP address it includes both address and port.
Note
This may not be the physical remote address of the peer if the address has been inferred from the Proxy Protocol filter or x-forwarded-for.
%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%
Remote address of the downstream connection, without any port component. IP addresses are the only address type with a port component.
Note
This may not be the physical remote address of the peer if the address has been inferred from the Proxy Protocol filter or x-forwarded-for.
%DOWNSTREAM_REMOTE_PORT%
Remote port of the downstream connection. IP addresses are the only address type with a port component.
Note
This may not be the physical remote address of the peer if the address has been inferred from the Proxy Protocol filter or x-forwarded-for.
%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%
Direct remote address of the downstream connection. If the address is an IP address it includes both address and port.
Note
This is always the physical remote address of the peer, even if the downstream remote address has been inferred from the Proxy Protocol filter or x-forwarded-for.
%DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT%
Direct remote address of the downstream connection, without any port component. IP addresses are the only address type with a port component.
Note
This is always the physical remote address of the peer, even if the downstream remote address has been inferred from the Proxy Protocol filter or x-forwarded-for.
%DOWNSTREAM_DIRECT_REMOTE_PORT%
Direct remote port of the downstream connection. IP addresses are the only address type with a port component.
Note
This is always the physical remote address of the peer, even if the downstream remote address has been inferred from the Proxy Protocol filter or x-forwarded-for.
%DOWNSTREAM_LOCAL_ADDRESS%
Local address of the downstream connection. If the address is an IP address it includes both address and port.
If the original connection was redirected by iptables REDIRECT, this represents the original destination address restored by the Original Destination Filter using the SO_ORIGINAL_DST socket option. If the original connection was redirected by iptables TPROXY, and the listener's transparent option was set to true, this represents the original destination address and port.
%DOWNSTREAM_LOCAL_ADDRESS_WITHOUT_PORT%
Local address of the downstream connection, without any port component. IP addresses are the only address type with a port component.
%DOWNSTREAM_LOCAL_PORT%
Local port of the downstream connection. IP addresses are the only address type with a port component.
%DOWNSTREAM_LOCAL_URI_SAN%
HTTP
The URIs present in the SAN of the local certificate used to establish the downstream TLS connection.
TCP
The URIs present in the SAN of the local certificate used to establish the downstream TLS connection.
%DOWNSTREAM_PEER_URI_SAN%
HTTP
The URIs present in the SAN of the peer certificate used to establish the downstream TLS connection.
TCP
The URIs present in the SAN of the peer certificate used to establish the downstream TLS connection.
%DOWNSTREAM_LOCAL_SUBJECT%
HTTP
The subject present in the local certificate used to establish the downstream TLS connection.
TCP
The subject present in the local certificate used to establish the downstream TLS connection.
%DOWNSTREAM_PEER_SUBJECT%
HTTP
The subject present in the peer certificate used to establish the downstream TLS connection.
TCP
The subject present in the peer certificate used to establish the downstream TLS connection.
%DOWNSTREAM_PEER_ISSUER%
HTTP
The issuer present in the peer certificate used to establish the downstream TLS connection.
TCP
The issuer present in the peer certificate used to establish the downstream TLS connection.
%DOWNSTREAM_TLS_SESSION_ID%
HTTP
The session ID for the established downstream TLS connection.
TCP
The session ID for the established downstream TLS connection.
%DOWNSTREAM_TLS_CIPHER%
HTTP
The OpenSSL name for the set of ciphers used to establish the downstream TLS connection.
TCP
The OpenSSL name for the set of ciphers used to establish the downstream TLS connection.
%DOWNSTREAM_TLS_VERSION%
HTTP
The TLS version (for example, TLSv1.2, TLSv1.3) used to establish the downstream TLS connection.
TCP
The TLS version (for example, TLSv1.2, TLSv1.3) used to establish the downstream TLS connection.
%DOWNSTREAM_PEER_FINGERPRINT_256%
HTTP
The hex-encoded SHA256 fingerprint of the client certificate used to establish the downstream TLS connection.
TCP
The hex-encoded SHA256 fingerprint of the client certificate used to establish the downstream TLS connection.
%DOWNSTREAM_PEER_FINGERPRINT_1%
HTTP
The hex-encoded SHA1 fingerprint of the client certificate used to establish the downstream TLS connection.
TCP
The hex-encoded SHA1 fingerprint of the client certificate used to establish the downstream TLS connection.
%DOWNSTREAM_PEER_SERIAL%
HTTP
The serial number of the client certificate used to establish the downstream TLS connection.
TCP
The serial number of the client certificate used to establish the downstream TLS connection.
%DOWNSTREAM_PEER_CERT%
HTTP
The client certificate in URL-encoded PEM format used to establish the downstream TLS connection.
TCP
The client certificate in URL-encoded PEM format used to establish the downstream TLS connection.
%DOWNSTREAM_PEER_CERT_V_START%
HTTP
The validity start date of the client certificate used to establish the downstream TLS connection.
TCP
The validity start date of the client certificate used to establish the downstream TLS connection.

DOWNSTREAM_PEER_CERT_V_START can be customized with specifiers as specified in the access log format rules.

%DOWNSTREAM_PEER_CERT_V_END%
HTTP
The validity end date of the client certificate used to establish the downstream TLS connection.
TCP
The validity end date of the client certificate used to establish the downstream TLS connection.

DOWNSTREAM_PEER_CERT_V_END can be customized with specifiers as specified in the access log format rules.

%HOSTNAME%
The system hostname.
%PROTOCOL%
The original protocol, which is already added by Envoy as an x-forwarded-proto request header.
%REQUESTED_SERVER_NAME%
HTTP
String value set on the SSL connection socket for Server Name Indication (SNI).
TCP
String value set on the SSL connection socket for Server Name Indication (SNI).
%UPSTREAM_METADATA(["namespace", "key", …])%
Populates the header with EDS endpoint metadata from the upstream host selected by the router. Metadata may be selected from any namespace. In general, metadata values may be strings, numbers, booleans, lists, nested structures, or null. Upstream metadata values may be selected from nested structs by specifying multiple keys. Otherwise, only string, boolean, and numeric values are supported. If the namespace or key(s) are not found, or if the selected value is not a supported type, then no header is emitted. The namespace and key(s) are specified as a JSON array of strings. Finally, percent symbols in the parameters do not need to be escaped by doubling them.
Upstream metadata cannot be added to request headers, as the upstream host has not been selected when custom request headers are generated.
%DYNAMIC_METADATA(["namespace", "key", …])%
Similar to UPSTREAM_METADATA, populates the header with dynamic metadata available in a request (e.g. added by filters like the header-to-metadata filter).
This works on both request and response headers.
%UPSTREAM_LOCAL_ADDRESS%
Local address of the upstream connection. If the address is an IP address it includes both address and port.
The upstream local address cannot be added to request headers, as the upstream host has not been selected when custom request headers are generated.
%UPSTREAM_LOCAL_ADDRESS_WITHOUT_PORT%
Local address of the upstream connection, without any port component. IP addresses are the only address type with a port component.
%UPSTREAM_LOCAL_PORT%
Local port of the upstream connection. IP addresses are the only address type with a port component.
%UPSTREAM_REMOTE_ADDRESS%
Remote address of the upstream connection. If the address is an IP address it includes both address and port.
The upstream remote address cannot be added to request headers, as the upstream host has not been selected when custom request headers are generated.
%UPSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%
Remote address of the upstream connection, without any port component. IP addresses are the only address type with a port component.
%UPSTREAM_REMOTE_PORT%
Remote port of the upstream connection. IP addresses are the only address type with a port component.
%PER_REQUEST_STATE(reverse.dns.data.name)%
Populates the header with values set on the current per-request filterState() object. To be usable in custom request/response headers, these values must be of type Envoy::Router::StringAccessor. These values should be named in standard reverse DNS style, identifying the organization that created the value and ending in a unique name for the data.
%REQ(header-name)%
Populates the header with the value of the named request header.
%START_TIME%
Request start time. START_TIME can be customized with specifiers as specified in the access log format rules.
An example of setting a custom header with the current time in seconds at millisecond resolution:

  route:
    cluster: www
  request_headers_to_add:
    - header:
        key: "x-request-start"
        value: "%START_TIME(%s.%3f)%"
      append: true
%RESPONSE_FLAGS%
Additional details about the response or connection, if any. Possible values and their meanings are listed in the access log formatter documentation.
%RESPONSE_CODE_DETAILS%
Response code details provide additional information about the HTTP response code, such as who set it (the upstream or Envoy) and why.
%VIRTUAL_CLUSTER_NAME%
Name of the Virtual Cluster which gets matched (if any).
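The delimiting rules for custom header values (percent-delimited variables, %% for a literal percent, and undoubled percent signs inside a variable's parenthesised argument such as START_TIME(%s.%3f)) are easy to misread, and a mis-escaped value silently produces the wrong header. The expander below is an added example written for this page, not Envoy's header formatter: it tokenizes a header value template by those rules and resolves a handful of the variables listed above from a constructed request context. The context values, the supported subset of variable names and the default START_TIME format are this example's assumptions.

```python
"""Expansion of %VARIABLE% placeholders in custom header values.

Added example written for this page; it is not Envoy's header formatter. It
implements the delimiting rules given above: variables are delimited by
percent signs, a literal percent is written as %%, and percent signs inside a
variable's parenthesised argument (as in START_TIME(%s.%3f)) are not doubled.
"""
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample context standing in for the request being handled.
SAMPLE_CONTEXT: Dict[str, object] = {
    "downstream_ip": "192.0.2.5",
    "downstream_port": 51234,
    "hostname": "edge-1.example.internal",
    "start_time": 1700000000.123,          # seconds since the epoch (UTC)
    "request_headers": {"x-request-id": "abc-123"},
}

_VAR_NAME = re.compile(r"[A-Z][A-Z0-9_]*")


def format_start_time(ts: float, fmt: Optional[str]) -> str:
    """Render a start time. On top of strftime, support %s (epoch seconds) and
    %Nf (N fractional-second digits), which the page's example relies on."""
    total_us = int(round(ts * 1_000_000))
    secs, micros = divmod(total_us, 1_000_000)
    fmt = fmt or "%Y-%m-%dT%H:%M:%S.%3fZ"      # default format: this example's assumption
    fmt = re.sub(r"%(\d)f", lambda m: f"{micros:06d}"[: int(m.group(1))], fmt)
    fmt = fmt.replace("%s", str(secs))
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime(fmt)


def resolve(name: str, args: Optional[str], ctx: Dict[str, object]) -> str:
    """Look up one variable; unknown names are an error rather than silently empty."""
    if name == "REQ" and args is not None:
        return str(ctx["request_headers"].get(args.lower(), ""))  # type: ignore[union-attr]
    if name == "DOWNSTREAM_REMOTE_ADDRESS":
        return f"{ctx['downstream_ip']}:{ctx['downstream_port']}"
    if name == "DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT":
        return str(ctx["downstream_ip"])
    if name == "DOWNSTREAM_REMOTE_PORT":
        return str(ctx["downstream_port"])
    if name == "HOSTNAME":
        return str(ctx["hostname"])
    if name == "START_TIME":
        return format_start_time(float(ctx["start_time"]), args)  # type: ignore[arg-type]
    raise ValueError(f"unsupported variable %{name}%")


def expand(template: str, ctx: Dict[str, object]) -> str:
    """Expand a custom header value template against ctx."""
    out, i, n = [], 0, len(template)
    while i < n:
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        if template.startswith("%%", i):            # escaped literal percent
            out.append("%")
            i += 2
            continue
        m = _VAR_NAME.match(template, i + 1)
        if not m:
            raise ValueError(f"bad variable at offset {i} in {template!r}")
        name, j, args = m.group(0), m.end(), None
        if j < n and template[j] == "(":             # optional (args); parens must balance
            depth, k = 0, j
            while k < n:
                depth += (template[k] == "(") - (template[k] == ")")
                if depth == 0:
                    break
                k += 1
            if depth != 0:
                raise ValueError(f"unbalanced parentheses in %{name}(...")
            args, j = template[j + 1:k], k + 1      # percent signs inside are literal
        if j >= n or template[j] != "%":
            raise ValueError(f"unterminated variable %{name}")
        out.append(resolve(name, args, ctx))
        i = j + 1
    return "".join(out)


if __name__ == "__main__":
    print("x-request-start:", expand("%START_TIME(%s.%3f)%", SAMPLE_CONTEXT))
    print("x-ratio:", expand("100%%", SAMPLE_CONTEXT))
```

The x-request-start value from the configuration example above expands to epoch seconds with three fractional digits, and a value written as 100% rather than 100%% is reported as an error instead of being emitted as something else.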
