6

Is there any way to remove a header going upstream after the external authentication with the envoy proxy? We planned to migrate to envoy proxy for our internal API gateway, but this is a blocker now.

For example: the external authentication service gets the request and processes the authentication header, in case the validation fails, it throws the 401. But if it succeeds, I want to prevent the auth headers from going upstream.

As per the documentation Ext Auth:

A successful check allows the authorization service adding or overriding headers from the original request before dispatching it to the upstream. This is done by configuring which headers in the authorization response should be sent to the upstream. See allowed_authorization_headers below.

There is no mention whether I can completely remove the header going upstream.

I have the option to override the headers, but that is causing header conflict at the upstream servers. So it is not a possible solution.

How can I achieve this?

BartoszKP
  • 34,786
  • 15
  • 102
  • 130
Ysak
  • 2,601
  • 6
  • 29
  • 53

2 Answers2

2

Note that I am not an expert in envoy proxy, but from what I was able to find you can actually write a Lua script that would be able to remove the headers. In the documentation you can find an example of such script, and with a little bit of tinkering you should be able to customize it if needed:

-- Remove a response header named 'foo'
response_handle:headers():remove("foo")

You can find more information in the official documentation. Here for config.filter.http.lua.v2.Lua and here are the script examples.

BartoszKP
  • 34,786
  • 15
  • 102
  • 130
aurelius
  • 3,433
  • 1
  • 13
  • 22
2

What about using the route level option request_headers_to_remove to remove an Authorization header?

See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto

Erik
  • 163
  • 1
  • 2
  • 10