Add support for host_rewrite_header

changelog/v1.18.0-beta1/add-host-rewrite-header.yaml

@@ -0,0 +1,5 @@
+changelog:
+- type: NEW_FEATURE
+  issueLink: https://github.com/solo-io/gloo/issues/9579
+  resolvesIssue: false
+  description: Adds the `host_rewrite_header` to the route options to allow envoy to swapped the host header with the content of given downstream or custom header. Pay attention to the potential security implications of using this option. Provided header must come from trusted source.

install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml

@@ -388,6 +388,9 @@ spec:
                     type: object
                   hostRewrite:
                     type: string
+                  hostRewriteHeader:
+                    nullable: true
+                    type: string
                   hostRewritePathRegex:
                     properties:
                       pattern:

install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml

@@ -498,6 +498,9 @@ spec:
                           type: object
                         hostRewrite:
                           type: string
+                        hostRewriteHeader:
+                          nullable: true
+                          type: string
                         hostRewritePathRegex:
                           properties:
                             pattern:

install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml

@@ -3331,6 +3331,9 @@ spec:
                               type: object
                             hostRewrite:
                               type: string
+                            hostRewriteHeader:
+                              nullable: true
+                              type: string
                             hostRewritePathRegex:
                               properties:
                                 pattern:

pkg/utils/api_conversion/type.go

@@ -7,6 +7,7 @@ import (
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	envoytype_gloo "github.com/solo-io/gloo/projects/gloo/pkg/api/external/envoy/type"
 	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
+	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/utils/headers"
 	envoycore_sk "github.com/solo-io/solo-kit/pkg/api/external/envoy/api/v2/core"
 	"github.com/solo-io/solo-kit/pkg/errors"
 )
@@ -71,6 +72,15 @@ func ToEnvoyHeaderValueOptionList(option []*envoycore_sk.HeaderValueOption, secr
 	return result, nil
 }
 
+// validateCustomHeaders checks whether the custom header is allowed to be modified as per https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#custom-request-response-headers
+// and validates the whether the header will be accepted by envoy
+func validateCustomHeaders(header envoycore_sk.HeaderValue) error {
+	if err := CheckForbiddenCustomHeaders(header); err != nil {
+		return err
+	}
+	return headers.ValidateHeaderKey(header.GetKey())
+}
+
 // CheckForbiddenCustomHeaders checks whether the custom header is allowed to be modified as per https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#custom-request-response-headers
 func CheckForbiddenCustomHeaders(header envoycore_sk.HeaderValue) error {
 	key := header.GetKey()
@@ -90,7 +100,7 @@ func ToEnvoyHeaderValueOptions(option *envoycore_sk.HeaderValueOption, secrets *
 
 	switch typedOption := option.GetHeaderOption().(type) {
 	case *envoycore_sk.HeaderValueOption_Header:
-		if err := CheckForbiddenCustomHeaders(*typedOption.Header); err != nil {
+		if err := validateCustomHeaders(*typedOption.Header); err != nil {
 			return nil, err
 		}
 		return []*envoy_config_core_v3.HeaderValueOption{

projects/gloo/api/v1/options.proto

@@ -92,10 +92,10 @@ message ListenerOptions {
     ConnectionBalanceConfig connection_balance_config = 6;
 
     // If enabled this sets up an early access logging service for the listener.
-    // Added initially to support listener level logging for HTTP listeners. 
+    // Added initially to support listener level logging for HTTP listeners.
     // For more info see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
     als.options.gloo.solo.io.AccessLoggingService listener_access_logging_service = 7;
-    
+
 }
 
 // Configuration for listener connection balancing.
@@ -421,6 +421,11 @@ message RouteOptions {
         // Indicates that during forwarding, the host header will be swapped with the result of the regex
         // substitution executed on path value with query and fragment removed.
         .solo.io.envoy.type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 101;
+
+        // Indicates that during forwarding, the host header will be swapped with the content of given downstream or custom header.
+        // If header value is empty, host header is left intact.
+        // Using this option will append the x-forwarded-host header if append_x_forwarded_host is set.
+        google.protobuf.StringValue host_rewrite_header = 147;
     };
     // If true and there is a host rewrite, appends the x-forwarded-host header to requests.
     google.protobuf.BoolValue append_x_forwarded_host = 146;