Remove upstream headers in envoy proxy after external authentication

3/22/2019

Is there any way to remove a header going upstream after the external authentication with the envoy proxy? We planned to migrate to envoy proxy for our internal API gateway, but this is a blocker now.

For example: the external authentication service gets the request and processes the authentication header, in case the validation fails, it throws the 401. But if it succeeds, I want to prevent the auth headers from going upstream.

As per the documentation Ext Auth:

A successful check allows the authorization service adding or overriding headers from the original request before dispatching it to the upstream. This is done by configuring which headers in the authorization response should be sent to the upstream. See allowed_authorization_headers below.

There is no mention whether I can completely remove the header going upstream.

I have the option to override the headers, but that is causing header conflict at the upstream servers. So it is not a possible solution.

How can I achieve this?

-- Ysak
envoyproxy
kubernetes
reverse-proxy

1 Answer

4/18/2019

Note that I am not an expert in envoy proxy, but from what I was able to find you can actually write a Lua script that would be able to remove the headers. In the documentation you can find an example of such script, and with a little bit of tinkering you should be able to customize it if needed:

-- Remove a response header named 'foo'
response_handle:headers():remove("foo")

You can find more information in the official documentation. Here for config.filter.http.lua.v2.Lua and here are the script examples.

-- aurelius
Source: StackOverflow