Add strip trailing host dot option from Envoy
Fixes #6334

Signed-off-by: David Sale <[email protected]>
saley89 committed Nov 27, 2024
1 parent 63bb34a commit 6420272
Showing 19 changed files with 340 additions and 12 deletions.
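--- a/apis/projectcontour/v1alpha1/contourconfig.go
+++ b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -757,6 +757,19 @@ type NetworkParameters struct {
 // Contour's default is 9001.
 // +optional
 EnvoyAdminPort *int `json:"adminPort,omitempty"`
+
+// EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+// before any processing of request by HTTP filters or routing. This
+// affects the upstream host header. Without setting this option to true, incoming
+// requests with host example.com. will not match against route with domains
+// match set to example.com.
+//
+// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+// for more information.
+//
+// Contour's default is false.
+// +optional
+EnvoyStripTrailingHostDot *bool `json:"stripTrailingHostDot,omitempty"`
 }
 
 // RateLimitServiceConfig defines properties of a global Rate Limit Service.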
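Review bot: The doc comment added for `EnvoyStripTrailingHostDot` explains the route-matching effect but does not spell out what the setting means for anything that makes decisions on the Host header. Since the comment itself says the dot is removed before HTTP filters run and that the upstream header is affected, enabling it means authorization or rate-limit filters and backends see `example.com` for both spellings, which is worth stating outright for operators who key policy on Host. Envoy's documentation for this field also describes the port case, so one more line such as `// A trailing dot before a port is stripped as well (example.com.:443 becomes example.com:443).` would complete the description. The same text is copied into the CRD descriptions in the YAML files of this commit, so those would need regenerating. The struct begins above the hunk.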
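--- a/cmd/contour/serve.go
+++ b/cmd/contour/serve.go
@@ -464,6 +464,7 @@ func (s *Server) doServe() error {
 MergeSlashes: !*contourConfiguration.Envoy.Listener.DisableMergeSlashes,
 ServerHeaderTransformation: contourConfiguration.Envoy.Listener.ServerHeaderTransformation,
 XffNumTrustedHops: *contourConfiguration.Envoy.Network.XffNumTrustedHops,
+StripTrailingHostDot: *contourConfiguration.Envoy.Network.EnvoyStripTrailingHostDot,
 ConnectionBalancer: contourConfiguration.Envoy.Listener.ConnectionBalancer,
 MaxRequestsPerConnection: contourConfiguration.Envoy.Listener.MaxRequestsPerConnection,
 HTTP2MaxConcurrentStreams: contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,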
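Review bot: The added line dereferences `contourConfiguration.Envoy.Network.EnvoyStripTrailingHostDot`, an optional `*bool`, with no nil check, so `doServe` would panic if the field were still unset at this point. The `XffNumTrustedHops` line above it does the same, and this commit adds a `ptr.To(false)` entry to `Defaults()`, so the code presumably relies on the configuration having been overlaid on the defaults before it gets here. A short comment stating that dependency, or `ptr.Deref(contourConfiguration.Envoy.Network.EnvoyStripTrailingHostDot, false)` if the `ptr` helper is imported in this file, would make the assumption explicit. The body of `doServe` extends beyond the hunk.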
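--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -580,8 +580,9 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co
 },
 },
 Network: &contour_v1alpha1.NetworkParameters{
-XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops,
-EnvoyAdminPort: &ctx.Config.Network.EnvoyAdminPort,
+XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops,
+EnvoyAdminPort: &ctx.Config.Network.EnvoyAdminPort,
+EnvoyStripTrailingHostDot: &ctx.Config.Network.EnvoyStripTrailingHostDot,
 },
 },
 Gateway: gatewayConfig,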
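--- a/cmd/contour/servecontext_test.go
+++ b/cmd/contour/servecontext_test.go
@@ -484,8 +484,9 @@ func TestConvertServeContext(t *testing.T) {
 },
 },
 Network: &contour_v1alpha1.NetworkParameters{
-EnvoyAdminPort: ptr.To(9001),
-XffNumTrustedHops: ptr.To(uint32(0)),
+EnvoyAdminPort: ptr.To(9001),
+XffNumTrustedHops: ptr.To(uint32(0)),
+EnvoyStripTrailingHostDot: ptr.To(false),
 },
 },
 Gateway: nil,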
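--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -521,6 +521,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-
@@ -4323,6 +4334,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-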
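--- a/examples/render/contour-deployment.yaml
+++ b/examples/render/contour-deployment.yaml
@@ -741,6 +741,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-
@@ -4543,6 +4554,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-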
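--- a/examples/render/contour-gateway-provisioner.yaml
+++ b/examples/render/contour-gateway-provisioner.yaml
@@ -532,6 +532,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-
@@ -4334,6 +4345,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-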
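--- a/examples/render/contour-gateway.yaml
+++ b/examples/render/contour-gateway.yaml
@@ -557,6 +557,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-
@@ -4359,6 +4370,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-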
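--- a/examples/render/contour.yaml
+++ b/examples/render/contour.yaml
@@ -741,6 +741,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-
@@ -4543,6 +4554,17 @@ spec:
 Contour's default is 0.
 format: int32
 type: integer
+stripTrailingHostDot:
+description: |-
+EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+before any processing of request by HTTP filters or routing. This
+affects the upstream host header. Without setting this option to true, incoming
+requests with host example.com. will not match against route with domains
+match set to example.com.
+See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+for more information.
+Contour's default is false.
+type: boolean
 type: object
 service:
 description: |-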
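--- a/internal/contourconfig/contourconfiguration.go
+++ b/internal/contourconfig/contourconfiguration.go
@@ -128,8 +128,9 @@ func Defaults() contour_v1alpha1.ContourConfigurationSpec {
 },
 },
 Network: &contour_v1alpha1.NetworkParameters{
-XffNumTrustedHops: ptr.To(uint32(0)),
-EnvoyAdminPort: ptr.To(9001),
+XffNumTrustedHops: ptr.To(uint32(0)),
+EnvoyAdminPort: ptr.To(9001),
+EnvoyStripTrailingHostDot: ptr.To(false),
 },
 },
 Gateway: nil,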
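--- a/internal/contourconfig/contourconfiguration_test.go
+++ b/internal/contourconfig/contourconfiguration_test.go
@@ -131,8 +131,9 @@ func TestOverlayOnDefaults(t *testing.T) {
 },
 },
 Network: &contour_v1alpha1.NetworkParameters{
-XffNumTrustedHops: ptr.To(uint32(77)),
-EnvoyAdminPort: ptr.To(9997),
+XffNumTrustedHops: ptr.To(uint32(77)),
+EnvoyAdminPort: ptr.To(9997),
+EnvoyStripTrailingHostDot: ptr.To(true),
 },
 },
 Gateway: &contour_v1alpha1.GatewayConfig{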
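--- a/internal/envoy/v3/listener.go
+++ b/internal/envoy/v3/listener.go
@@ -184,6 +184,7 @@ type httpConnectionManagerBuilder struct {
 serverHeaderTransformation envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_ServerHeaderTransformation
 forwardClientCertificate *dag.ClientCertificateDetails
 numTrustedHops uint32
+stripTrailingHostDot bool
 tracingConfig *envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_Tracing
 maxRequestsPerConnection *uint32
 http2MaxConcurrentStreams *uint32
@@ -293,6 +294,11 @@ func (b *httpConnectionManagerBuilder) NumTrustedHops(num uint32) *httpConnectio
 return b
 }
 
+func (b *httpConnectionManagerBuilder) StripTrailingHostDot(strip bool) *httpConnectionManagerBuilder {
+b.stripTrailingHostDot = strip
+return b
+}
+
 // MaxRequestsPerConnection sets max requests per connection for the downstream.
 func (b *httpConnectionManagerBuilder) MaxRequestsPerConnection(maxRequestsPerConnection *uint32) *httpConnectionManagerBuilder {
 b.maxRequestsPerConnection = maxRequestsPerConnection
@@ -505,8 +511,9 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_config_listener_v3.Filter {
 AllowChunkedLength: b.allowChunkedLength,
 },
 
-UseRemoteAddress: wrapperspb.Bool(true),
-XffNumTrustedHops: b.numTrustedHops,
+UseRemoteAddress: wrapperspb.Bool(true),
+XffNumTrustedHops: b.numTrustedHops,
+StripTrailingHostDot: b.stripTrailingHostDot,
 
 NormalizePath: wrapperspb.Bool(true),
 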
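Review bot: `StripTrailingHostDot` in the second hunk is added without a doc comment, while `MaxRequestsPerConnection` directly below it has one. I would add `// StripTrailingHostDot sets whether Envoy strips a trailing dot from the host/authority header before HTTP filters and routing.` above the method, so the ordering relative to the filters is recorded where the listener is built. In the third hunk `Get()` copies the value into the connection manager unconditionally, which is fine for a plain bool whose zero value matches the documented default of false. The builder struct and `Get()` both extend beyond the hunks shown.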
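--- a/internal/envoy/v3/listener_test.go
+++ b/internal/envoy/v3/listener_test.go
@@ -662,6 +662,7 @@ func TestHTTPConnectionManager(t *testing.T) {
 serverHeaderTranformation contour_v1alpha1.ServerHeaderTransformationType
 forwardClientCertificate *dag.ClientCertificateDetails
 xffNumTrustedHops uint32
+stripTrailingHostDot bool
 maxRequestsPerConnection *uint32
 http2MaxConcurrentStreams *uint32
 want *envoy_config_listener_v3.Filter
@@ -1359,6 +1360,54 @@ func TestHTTPConnectionManager(t *testing.T) {
 },
 },
 },
+"enable StripTrailingHostDot": {
+routename: "default/kuard",
+accesslogger: FileAccessLogEnvoy("/dev/stdout", "", nil, contour_v1alpha1.LogLevelInfo),
+stripTrailingHostDot: true,
+want: &envoy_config_listener_v3.Filter{
+Name: wellknown.HTTPConnectionManager,
+ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
+TypedConfig: protobuf.MustMarshalAny(&envoy_filter_network_http_connection_manager_v3.HttpConnectionManager{
+StatPrefix: "default/kuard",
+RouteSpecifier: &envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_Rds{
+Rds: &envoy_filter_network_http_connection_manager_v3.Rds{
+RouteConfigName: "default/kuard",
+ConfigSource: &envoy_config_core_v3.ConfigSource{
+ResourceApiVersion: envoy_config_core_v3.ApiVersion_V3,
+ConfigSourceSpecifier: &envoy_config_core_v3.ConfigSource_ApiConfigSource{
+ApiConfigSource: &envoy_config_core_v3.ApiConfigSource{
+ApiType: envoy_config_core_v3.ApiConfigSource_GRPC,
+TransportApiVersion: envoy_config_core_v3.ApiVersion_V3,
+GrpcServices: []*envoy_config_core_v3.GrpcService{{
+TargetSpecifier: &envoy_config_core_v3.GrpcService_EnvoyGrpc_{
+EnvoyGrpc: &envoy_config_core_v3.GrpcService_EnvoyGrpc{
+ClusterName: "contour",
+Authority: "contour",
+},
+},
+}},
+},
+},
+},
+},
+},
+HttpFilters: defaultHTTPFilters,
+HttpProtocolOptions: &envoy_config_core_v3.Http1ProtocolOptions{
+// Enable support for HTTP/1.0 requests that carry
+// a Host: header. See #537.
+AcceptHttp_10: true,
+},
+CommonHttpProtocolOptions: &envoy_config_core_v3.HttpProtocolOptions{},
+AccessLog: FileAccessLogEnvoy("/dev/stdout", "", nil, contour_v1alpha1.LogLevelInfo),
+UseRemoteAddress: wrapperspb.Bool(true),
+NormalizePath: wrapperspb.Bool(true),
+PreserveExternalRequestId: true,
+MergeSlashes: false,
+StripTrailingHostDot: true,
+}),
+},
+},
+},
 "maxRequestsPerConnection set to 1": {
 routename: "default/kuard",
 accesslogger: FileAccessLogEnvoy("/dev/stdout", "", nil, contour_v1alpha1.LogLevelInfo),
@@ -1475,6 +1524,7 @@ func TestHTTPConnectionManager(t *testing.T) {
 MergeSlashes(tc.mergeSlashes).
 ServerHeaderTransformation(tc.serverHeaderTranformation).
 NumTrustedHops(tc.xffNumTrustedHops).
+StripTrailingHostDot(tc.stripTrailingHostDot).
 ForwardClientCertificate(tc.forwardClientCertificate).
 MaxRequestsPerConnection(tc.maxRequestsPerConnection).
 HTTP2MaxConcurrentStreams(tc.http2MaxConcurrentStreams).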