StripTrailingHostDot: Expose new configuration option to enable Envoy removal of trailing dot on hostnames #6792

13 changes: 13 additions & 0 deletions apis/projectcontour/v1alpha1/contourconfig.go
Expand Up @@ -757,6 +757,19 @@ type NetworkParameters struct {
// Contour's default is 9001.
// +optional
EnvoyAdminPort *int `json:"adminPort,omitempty"`

// EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
// before any processing of request by HTTP filters or routing. This
// affects the upstream host header. Without setting this option to true, incoming
// requests with host example.com. will not match against route with domains
// match set to example.com.
//
// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
// for more information.
//
// Contour's default is false.
// +optional
EnvoyStripTrailingHostDot *bool `json:"stripTrailingHostDot,omitempty"`
}

// RateLimitServiceConfig defines properties of a global Rate Limit Service.
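Review bot: The doc comment on EnvoyStripTrailingHostDot is hard to parse in two places: "defines if trailing dot of the host should be removed" and "will not match against route with domains match set to example.com." Suggest "defines whether a trailing dot is removed from the host/authority header" and "requests with host `example.com.` will not match a route whose domains are set to `example.com`". The sentence "This affects the upstream host header" is the part operators most need, so state plainly that with the option enabled the upstream receives the host without the trailing dot. The same text appears verbatim in the CRD descriptions in the YAML files on this page, so the wording should be fixed here.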
1 change: 1 addition & 0 deletions changelogs/unreleased/6792-saley89-small.md
@@ -0,0 +1 @@
Envoy's listener configuration to remove trailing dots at the end of a hostname before request processing can now be configured using the `network.strip-trailing-host-dot` field in the configuration file or the `spec.envoy.network.stripTrailingHostDot` field in the `ContourConfiguration` CRD. The available values are `false` (default) and `true`.
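Review bot: The changelog entry names the two settings but not the behaviour a user opts into. The API comment in contourconfig.go says the option "affects the upstream host header" and that without it a request for `example.com.` does not match a route for `example.com`; one sentence saying so here would let readers judge the impact without opening the API docs. The opening clause ("Envoy's listener configuration to remove trailing dots ... can now be configured") would also read better as "Envoy can now be configured to remove a trailing dot from the hostname before request processing".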
1 change: 1 addition & 0 deletions cmd/contour/serve.go
Expand Up @@ -464,6 +464,7 @@
MergeSlashes: !*contourConfiguration.Envoy.Listener.DisableMergeSlashes,
ServerHeaderTransformation: contourConfiguration.Envoy.Listener.ServerHeaderTransformation,
XffNumTrustedHops: *contourConfiguration.Envoy.Network.XffNumTrustedHops,
StripTrailingHostDot: *contourConfiguration.Envoy.Network.EnvoyStripTrailingHostDot,

Check warning on line 467 in cmd/contour/serve.go (Codecov / codecov/patch): Added line #L467 was not covered by tests
ConnectionBalancer: contourConfiguration.Envoy.Listener.ConnectionBalancer,
MaxRequestsPerConnection: contourConfiguration.Envoy.Listener.MaxRequestsPerConnection,
HTTP2MaxConcurrentStreams: contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,
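Review bot: `*contourConfiguration.Envoy.Network.EnvoyStripTrailingHostDot` dereferences an optional `*bool` (`+optional` and `omitempty` in contourconfig.go) with no nil check, so this line depends on Defaults() having filled the field with `ptr.To(false)` before it runs. That matches the `XffNumTrustedHops` line just above it, but it is worth confirming that the overlay always leaves the pointer non-nil, and the Codecov annotation shows the added line is not exercised by any test.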
5 changes: 3 additions & 2 deletions cmd/contour/servecontext.go
Expand Up @@ -580,8 +580,9 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co
},
},
Network: &contour_v1alpha1.NetworkParameters{
XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops,
EnvoyAdminPort: &ctx.Config.Network.EnvoyAdminPort,
XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops,
EnvoyAdminPort: &ctx.Config.Network.EnvoyAdminPort,
EnvoyStripTrailingHostDot: &ctx.Config.Network.EnvoyStripTrailingHostDot,
},
},
Gateway: gatewayConfig,
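Review bot: `ctx.Config.Network.EnvoyStripTrailingHostDot` is read here, but none of the hunks shown on this page add that field to the configuration-file struct. Please confirm the field and its YAML key are part of this change and that the key is `strip-trailing-host-dot`, since the changelog documents `network.strip-trailing-host-dot`.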
5 changes: 3 additions & 2 deletions cmd/contour/servecontext_test.go
Expand Up @@ -484,8 +484,9 @@ func TestConvertServeContext(t *testing.T) {
},
},
Network: &contour_v1alpha1.NetworkParameters{
EnvoyAdminPort: ptr.To(9001),
XffNumTrustedHops: ptr.To(uint32(0)),
EnvoyAdminPort: ptr.To(9001),
XffNumTrustedHops: ptr.To(uint32(0)),
EnvoyStripTrailingHostDot: ptr.To(false),
},
},
Gateway: nil,
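Review bot: The expected value added here, `EnvoyStripTrailingHostDot: ptr.To(false)`, only checks the default path through convertToContourConfigurationSpec. Add a case to TestConvertServeContext that sets the config-file value to true and asserts `ptr.To(true)` in the converted spec, so that a wrong or missing mapping in servecontext.go would fail a test.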
22 changes: 22 additions & 0 deletions examples/contour/01-crds.yaml
Expand Up @@ -521,6 +521,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
Expand Down Expand Up @@ -4323,6 +4334,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
22 changes: 22 additions & 0 deletions examples/render/contour-deployment.yaml
Expand Up @@ -741,6 +741,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
Expand Down Expand Up @@ -4543,6 +4554,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
22 changes: 22 additions & 0 deletions examples/render/contour-gateway-provisioner.yaml
Expand Up @@ -532,6 +532,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
Expand Down Expand Up @@ -4334,6 +4345,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
22 changes: 22 additions & 0 deletions examples/render/contour-gateway.yaml
Expand Up @@ -557,6 +557,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
Expand Down Expand Up @@ -4359,6 +4370,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
22 changes: 22 additions & 0 deletions examples/render/contour.yaml
Expand Up @@ -741,6 +741,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
Expand Down Expand Up @@ -4543,6 +4554,17 @@ spec:
Contour's default is 0.
format: int32
type: integer
stripTrailingHostDot:
description: |-
EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
before any processing of request by HTTP filters or routing. This
affects the upstream host header. Without setting this option to true, incoming
requests with host example.com. will not match against route with domains
match set to example.com.
See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
for more information.
Contour's default is false.
type: boolean
type: object
service:
description: |-
5 changes: 3 additions & 2 deletions internal/contourconfig/contourconfiguration.go
Expand Up @@ -128,8 +128,9 @@ func Defaults() contour_v1alpha1.ContourConfigurationSpec {
},
},
Network: &contour_v1alpha1.NetworkParameters{
XffNumTrustedHops: ptr.To(uint32(0)),
EnvoyAdminPort: ptr.To(9001),
XffNumTrustedHops: ptr.To(uint32(0)),
EnvoyAdminPort: ptr.To(9001),
EnvoyStripTrailingHostDot: ptr.To(false),
},
},
Gateway: nil,
5 changes: 3 additions & 2 deletions internal/contourconfig/contourconfiguration_test.go
Expand Up @@ -131,8 +131,9 @@ func TestOverlayOnDefaults(t *testing.T) {
},
},
Network: &contour_v1alpha1.NetworkParameters{
XffNumTrustedHops: ptr.To(uint32(77)),
EnvoyAdminPort: ptr.To(9997),
XffNumTrustedHops: ptr.To(uint32(77)),
EnvoyAdminPort: ptr.To(9997),
EnvoyStripTrailingHostDot: ptr.To(true),
},
},
Gateway: &contour_v1alpha1.GatewayConfig{
11 changes: 9 additions & 2 deletions internal/envoy/v3/listener.go
Expand Up @@ -184,6 +184,7 @@ type httpConnectionManagerBuilder struct {
serverHeaderTransformation envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_ServerHeaderTransformation
forwardClientCertificate *dag.ClientCertificateDetails
numTrustedHops uint32
stripTrailingHostDot bool
tracingConfig *envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_Tracing
maxRequestsPerConnection *uint32
http2MaxConcurrentStreams *uint32
Expand Down Expand Up @@ -293,6 +294,11 @@ func (b *httpConnectionManagerBuilder) NumTrustedHops(num uint32) *httpConnectio
return b
}

func (b *httpConnectionManagerBuilder) StripTrailingHostDot(strip bool) *httpConnectionManagerBuilder {
b.stripTrailingHostDot = strip
return b
}

// MaxRequestsPerConnection sets max requests per connection for the downstream.
func (b *httpConnectionManagerBuilder) MaxRequestsPerConnection(maxRequestsPerConnection *uint32) *httpConnectionManagerBuilder {
b.maxRequestsPerConnection = maxRequestsPerConnection
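Review bot: StripTrailingHostDot is added without a doc comment, while the neighbouring builder method has one ("// MaxRequestsPerConnection sets max requests per connection for the downstream."). Add a one-line comment in the same style, for example "// StripTrailingHostDot sets whether the trailing dot is stripped from the host/authority header before filters and routing."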
Expand Down Expand Up @@ -505,8 +511,9 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_config_listener_v3.Filter {
AllowChunkedLength: b.allowChunkedLength,
},

UseRemoteAddress: wrapperspb.Bool(true),
XffNumTrustedHops: b.numTrustedHops,
UseRemoteAddress: wrapperspb.Bool(true),
XffNumTrustedHops: b.numTrustedHops,
StripTrailingHostDot: b.stripTrailingHostDot,

NormalizePath: wrapperspb.Bool(true),
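Review bot: `StripTrailingHostDot: b.stripTrailingHostDot` in Get() has no test shown on this page; the only test hunks touch config conversion and defaults. A listener test that builds the connection manager with StripTrailingHostDot(true) and asserts the field on the resulting HttpConnectionManager would cover the step where the setting actually reaches Envoy.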
