/
custom_header.proto
44 lines (36 loc) · 2.25 KB
/
custom_header.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
syntax = "proto3";
package envoy.extensions.http.original_ip_detection.custom_header.v3;
import "envoy/type/v3/http_status.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.http.original_ip_detection.custom_header.v3";
option java_outer_classname = "CustomHeaderProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/original_ip_detection/custom_header/v3;custom_headerv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Custom header original IP detection extension]
// This extension allows for the original downstream remote IP to be detected
// by reading the value from a configured header name. If the value is successfully parsed
// as an IP, it'll be treated as the effective downstream remote address and seen as such
// by all filters. See :ref:`original_ip_detection_extensions
// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`
// for an overview of how extensions operate and what happens when an extension fails
// to detect the remote IP.
//
// [#extension: envoy.http.original_ip_detection.custom_header]
message CustomHeaderConfig {
// The header name containing the original downstream remote address, if present.
//
// Note: in the case of a multi-valued header, only the first value is tried and the rest are ignored.
string header_name = 1
[(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: true}];
// If set to true, the extension could decide that the detected address should be treated as
// trusted by the HCM. If the address is considered :ref:`trusted<config_http_conn_man_headers_x-forwarded-for_trusted_client_address>`,
// it might be used as input to determine if the request is internal (among other things).
bool allow_extension_to_set_address_as_trusted = 2;
// If this is set, the request will be rejected when detection fails using it as the HTTP response status.
//
// .. note::
// If this is set to < 400 or > 511, the default status 403 will be used instead.
type.v3.HttpStatus reject_with_status = 3;
}