Documentation/Config changes (proposed) for envoyproxy#6589

twghu · May 8, 2020 · 1a489d9 · 1a489d9
1 parent 690660e
commit 1a489d9
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 10 deletions.
diff --git a/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@@ -483,16 +483,32 @@ message HttpConnectionManager {
   // Should paths be normalized according to RFC 3986 before any processing of
   // requests by HTTP filters or routing? This affects the upstream *:path* header
   // as well. For paths that fail this check, Envoy will respond with 400 to
-  // paths that are malformed. This defaults to false currently but will default
-  // true in the future. When not specified, this value may be overridden by the
-  // runtime variable
+  // paths that are malformed. This defaults to true.
+  // This by default affects the upstream *:path* header as well.
+  // When not specified, this value may be overridden by the runtime variable
   // :ref:`http_connection_manager.normalize_path<config_http_conn_man_runtime_normalize_path>`.
+  // The upstream path normalization can be specified independently, see
+  // :ref:`normalize_path_for_upstream <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.normalize_path_for_upstream>`.
   // See `Normalization and Comparison <https://tools.ietf.org/html/rfc3986#section-6>`
   // for details of normalization.
   // Note that Envoy does not perform
   // `case normalization <https://tools.ietf.org/html/rfc3986#section-6.2.2.1>`
   google.protobuf.BoolValue normalize_path = 30;
 
+  // Should paths to upstream be normalized according to RFC 3986 after any processing of
+  // requests by HTTP filters or routing? This affects the upstream *:path* header
+  // For paths that fail this check, Envoy will respond with 400 to
+  // paths that are malformed. This defaults to the value of
+  // :ref:`normalize_path
+  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.normalize_path>`.
+  // When not specified, this value may be overridden by the runtime variable
+  // :ref:`http_connection_manager.normalize_path_for_upstream<config_http_conn_man_runtime_normalize_path_for_upstream>`.
+  // See `Normalization and Comparison <https://tools.ietf.org/html/rfc3986#section-6>`
+  // for details of normalization.
+  // Note that Envoy does not perform
+  // `case normalization <https://tools.ietf.org/html/rfc3986#section-6.2.2.1>`
+  google.protobuf.BoolValue normalize_path_for_upstream = 39;
+
   // Determines if adjacent slashes in the path are merged into one before any processing of
   // requests by HTTP filters or routing. This affects the upstream *:path* header as well. Without
   // setting this option, incoming requests with path `//dir///file` will not match against route

diff --git a/...envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/...envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@@ -478,16 +478,33 @@ message HttpConnectionManager {
   // Should paths be normalized according to RFC 3986 before any processing of
   // requests by HTTP filters or routing? This affects the upstream *:path* header
   // as well. For paths that fail this check, Envoy will respond with 400 to
-  // paths that are malformed. This defaults to false currently but will default
-  // true in the future. When not specified, this value may be overridden by the
-  // runtime variable
+  // paths that are malformed. This defaults to true.
+  // This by default affects the upstream *:path* header as well.
+  // When not specified, this value may be overridden by the runtime variable
   // :ref:`http_connection_manager.normalize_path<config_http_conn_man_runtime_normalize_path>`.
+  // The upstream path normalization can be specified independently, see
+  // :ref:`normalize_path_for_upstream
+  // <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path_for_upstream>`.
   // See `Normalization and Comparison <https://tools.ietf.org/html/rfc3986#section-6>`
   // for details of normalization.
   // Note that Envoy does not perform
   // `case normalization <https://tools.ietf.org/html/rfc3986#section-6.2.2.1>`
   google.protobuf.BoolValue normalize_path = 30;
 
+  // Should paths to upstream be normalized according to RFC 3986 after any processing of
+  // requests by HTTP filters or routing? This affects the upstream *:path* header
+  // For paths that fail this check, Envoy will respond with 400 to
+  // paths that are malformed. This defaults to the value of
+  // :ref:`normalize_path
+  // <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path>`.
+  // When not specified, this value may be overridden by the runtime variable
+  // :ref:`http_connection_manager.normalize_path_for_upstream<config_http_conn_man_runtime_normalize_path_for_upstream>`.
+  // See `Normalization and Comparison <https://tools.ietf.org/html/rfc3986#section-6>`
+  // for details of normalization.
+  // Note that Envoy does not perform
+  // `case normalization <https://tools.ietf.org/html/rfc3986#section-6.2.2.1>`
+  google.protobuf.BoolValue normalize_path_for_upstream = 39;
+
   // Determines if adjacent slashes in the path are merged into one before any processing of
   // requests by HTTP filters or routing. This affects the upstream *:path* header as well. Without
   // setting this option, incoming requests with path `//dir///file` will not match against route

diff --git a/.../extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto b/.../extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto
@@ -478,16 +478,33 @@ message HttpConnectionManager {
   // Should paths be normalized according to RFC 3986 before any processing of
   // requests by HTTP filters or routing? This affects the upstream *:path* header
   // as well. For paths that fail this check, Envoy will respond with 400 to
-  // paths that are malformed. This defaults to false currently but will default
-  // true in the future. When not specified, this value may be overridden by the
-  // runtime variable
+  // paths that are malformed. This defaults to true.
+  // This by default affects the upstream *:path* header as well.
+  // When not specified, this value may be overridden by the runtime variable
   // :ref:`http_connection_manager.normalize_path<config_http_conn_man_runtime_normalize_path>`.
+  // The upstream path normalization can be specified independently, see
+  // :ref:`normalize_path_for_upstream
+  // <envoy_api_field_extensions.filters.network.http_connection_manager.v4alpha.HttpConnectionManager.normalize_path_for_upstream>`.
   // See `Normalization and Comparison <https://tools.ietf.org/html/rfc3986#section-6>`
   // for details of normalization.
   // Note that Envoy does not perform
   // `case normalization <https://tools.ietf.org/html/rfc3986#section-6.2.2.1>`
   google.protobuf.BoolValue normalize_path = 30;
 
+  // Should paths to upstream be normalized according to RFC 3986 after any processing of
+  // requests by HTTP filters or routing? This affects the upstream *:path* header
+  // For paths that fail this check, Envoy will respond with 400 to
+  // paths that are malformed. This defaults to the value of
+  // :ref:`normalize_path
+  // <envoy_api_field_extensions.filters.network.http_connection_manager.v4alpha.HttpConnectionManager.normalize_path>`.
+  // When not specified, this value may be overridden by the runtime variable
+  // :ref:`http_connection_manager.normalize_path_for_upstream<config_http_conn_man_runtime_normalize_path_for_upstream>`.
+  // See `Normalization and Comparison <https://tools.ietf.org/html/rfc3986#section-6>`
+  // for details of normalization.
+  // Note that Envoy does not perform
+  // `case normalization <https://tools.ietf.org/html/rfc3986#section-6.2.2.1>`
+  google.protobuf.BoolValue normalize_path_for_upstream = 39;
+
   // Determines if adjacent slashes in the path are merged into one before any processing of
   // requests by HTTP filters or routing. This affects the upstream *:path* header as well. Without
   // setting this option, incoming requests with path `//dir///file` will not match against route

diff --git a/docs/root/configuration/http/http_conn_man/runtime.rst b/docs/root/configuration/http/http_conn_man/runtime.rst
@@ -8,8 +8,38 @@ The HTTP connection manager supports the following runtime settings:
 .. _config_http_conn_man_runtime_normalize_path:
 
 http_connection_manager.normalize_path
-  % of requests that will have path normalization applied if not already configured in
+  Requests will have normalization applied if not already configured in
   :ref:`normalize_path <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path>`.
+
+  This setting can have the following values:
+
+  +--------------+---------------------------+
+  | Value        | Expectation               |
+  +==============+===========================+
+  | 0, false     | normalization not enabled |
+  +--------------+---------------------------+
+  | 100, true    | normalization enabled     |
+  +--------------+---------------------------+
+
+  This is evaluated at configuration load time and will apply to all requests for a given
+  configuration.
+
+.. _config_http_conn_man_runtime_normalize_path_for_upstream:
+
+http_connection_manager.normalize_path_for_upstream
+  Requests to upstream will have normalization applied if not already configured in
+  :ref:`normalize_path <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.normalize_path_for_upstream>`.
+
+  This setting can have the following values:
+
+  +--------------+------------------------------------+
+  | Value        | Expectation                        |
+  +==============+====================================+
+  | 0, false     | upstream normalization not enabled |
+  +--------------+------------------------------------+
+  | 100, true    | upstream normalization enabled     |
+  +--------------+------------------------------------+
+
   This is evaluated at configuration load time and will apply to all requests for a given
   configuration.
 

diff --git a/include/envoy/http/header_map.h b/include/envoy/http/header_map.h
@@ -310,6 +310,7 @@ class HeaderEntry {
   HEADER_FUNC(OtSpanContext)                                                                       \
   HEADER_FUNC(Origin)                                                                              \
   HEADER_FUNC(Path)                                                                                \
+  HEADER_FUNC(OriginalPathForUpstream)                                                             \
   HEADER_FUNC(Protocol)                                                                            \
   HEADER_FUNC(Referer)                                                                             \
   HEADER_FUNC(Scheme)                                                                              \

diff --git a/source/common/http/headers.h b/source/common/http/headers.h
@@ -136,6 +136,7 @@ class HeaderValues {
   const LowerCaseString Origin{"origin"};
   const LowerCaseString OtSpanContext{"x-ot-span-context"};
   const LowerCaseString Path{":path"};
+  const LowerCaseString OriginalPathForUpstream{absl::StrCat(prefix(), "-original_path_for_upstream")};
   const LowerCaseString Protocol{":protocol"};
   const LowerCaseString ProxyConnection{"proxy-connection"};
   const LowerCaseString Referer{"referer"};