envoy_defaultv3

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 8, 2024 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	HeaderValidatorConfig_HeadersWithUnderscoresAction_name = map[int32]string{
		0: "ALLOW",
		1: "REJECT_REQUEST",
		2: "DROP_HEADER",
	}
	HeaderValidatorConfig_HeadersWithUnderscoresAction_value = map[string]int32{
		"ALLOW":          0,
		"REJECT_REQUEST": 1,
		"DROP_HEADER":    2,
	}
)

Enum value maps for HeaderValidatorConfig_HeadersWithUnderscoresAction.

View Source 
var (
	HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction_name = map[int32]string{
		0: "IMPLEMENTATION_SPECIFIC_DEFAULT",
		1: "KEEP_UNCHANGED",
		2: "REJECT_REQUEST",
		3: "UNESCAPE_AND_REDIRECT",
		4: "UNESCAPE_AND_FORWARD",
	}
	HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction_value = map[string]int32{
		"IMPLEMENTATION_SPECIFIC_DEFAULT": 0,
		"KEEP_UNCHANGED":                  1,
		"REJECT_REQUEST":                  2,
		"UNESCAPE_AND_REDIRECT":           3,
		"UNESCAPE_AND_FORWARD":            4,
	}
)

Enum value maps for HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction.

View Source 
var File_envoy_extensions_http_header_validators_envoy_default_v3_header_validator_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type HeaderValidatorConfig 

type HeaderValidatorConfig struct {
	Http1ProtocolOptions *HeaderValidatorConfig_Http1ProtocolOptions `protobuf:"bytes,1,opt,name=http1_protocol_options,json=http1ProtocolOptions,proto3" json:"http1_protocol_options,omitempty"`
	// The URI path normalization options.
	// By default Envoy normalizes URI path using the default values of the :ref:`UriPathNormalizationOptions
	// <envoy_v3_api_msg_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.UriPathNormalizationOptions>`.
	// URI path transformations specified by the “uri_path_normalization_options“ configuration can be applied to a portion
	// of requests by setting the “envoy_default_header_validator.uri_path_transformations“ runtime value.
	// Caution: disabling path normalization may lead to path confusion vulnerabilities in access control or incorrect service
	// selection.
	UriPathNormalizationOptions *HeaderValidatorConfig_UriPathNormalizationOptions `` /* 146-byte string literal not displayed */
	// Restrict HTTP methods to these defined in the `RFC 7231 section 4.1 <https://datatracker.ietf.org/doc/html/rfc7231#section-4.1>`_
	// Envoy will respond with 400 to requests with disallowed methods.
	// By default methods with arbitrary names are accepted.
	RestrictHttpMethods bool `protobuf:"varint,3,opt,name=restrict_http_methods,json=restrictHttpMethods,proto3" json:"restrict_http_methods,omitempty"`
	// Action to take when a client request with a header name containing underscore characters is received.
	// If this setting is not specified, the value defaults to ALLOW.
	HeadersWithUnderscoresAction HeaderValidatorConfig_HeadersWithUnderscoresAction `` /* 263-byte string literal not displayed */
	// Allow requests with fragment in URL path and strip the fragment before request processing.
	// By default Envoy rejects requests with fragment in URL path.
	StripFragmentFromPath bool `` /* 129-byte string literal not displayed */
	// contains filtered or unexported fields
}

This extension validates that HTTP request and response headers are well formed according to respective RFCs.

#. HTTP/1 header map validity according to `RFC 7230 section 3.2 <https://datatracker.ietf.org/doc/html/rfc7230#section-3.2>`_ #. Syntax of HTTP/1 request target URI and response status #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2 <https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2>`_ #. Syntax of HTTP/2 pseudo headers #. HTTP/3 header map validity according to `RFC 9114 section 4.3 <https://www.rfc-editor.org/rfc/rfc9114.html>`_ #. Syntax of HTTP/3 pseudo headers #. Syntax of Content-Length and Transfer-Encoding #. Validation of HTTP/1 requests with both “Content-Length“ and “Transfer-Encoding“ headers #. Normalization of the URI path according to `Normalization and Comparison <https://datatracker.ietf.org/doc/html/rfc3986#section-6>`_ 

without `case normalization <https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1>`_

[#comment:TODO(yanavlasov): Put #extension: envoy.http.header_validators.envoy_default after it is not hidden any more] [#next-free-field: 6]

func (*HeaderValidatorConfig) Descriptor deprecated 

func (*HeaderValidatorConfig) Descriptor() ([]byte, []int)

Deprecated: Use HeaderValidatorConfig.ProtoReflect.Descriptor instead.

func (*HeaderValidatorConfig) GetHeadersWithUnderscoresAction 

func (x *HeaderValidatorConfig) GetHeadersWithUnderscoresAction() HeaderValidatorConfig_HeadersWithUnderscoresAction

func (*HeaderValidatorConfig) GetHttp1ProtocolOptions 

func (x *HeaderValidatorConfig) GetHttp1ProtocolOptions() *HeaderValidatorConfig_Http1ProtocolOptions

func (*HeaderValidatorConfig) GetRestrictHttpMethods 

func (x *HeaderValidatorConfig) GetRestrictHttpMethods() bool

func (*HeaderValidatorConfig) GetStripFragmentFromPath 

func (x *HeaderValidatorConfig) GetStripFragmentFromPath() bool

func (*HeaderValidatorConfig) GetUriPathNormalizationOptions 

func (x *HeaderValidatorConfig) GetUriPathNormalizationOptions() *HeaderValidatorConfig_UriPathNormalizationOptions

func (*HeaderValidatorConfig) ProtoMessage 

func (*HeaderValidatorConfig) ProtoMessage()

func (*HeaderValidatorConfig) ProtoReflect 

func (x *HeaderValidatorConfig) ProtoReflect() protoreflect.Message

func (*HeaderValidatorConfig) Reset 

func (x *HeaderValidatorConfig) Reset()

func (*HeaderValidatorConfig) String 

func (x *HeaderValidatorConfig) String() string

type HeaderValidatorConfig_HeadersWithUnderscoresAction 

type HeaderValidatorConfig_HeadersWithUnderscoresAction int32

Action to take when Envoy receives client request with header names containing underscore characters. Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore characters. 

const (
	// Allow headers with underscores. This is the default behavior.
	HeaderValidatorConfig_ALLOW HeaderValidatorConfig_HeadersWithUnderscoresAction = 0
	// Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests
	// end with the stream reset. The
	// :ref:`httpN.requests_rejected_with_underscores_in_headers <config_http_conn_man_stats_per_codec>` counter
	// is incremented for each rejected request.
	HeaderValidatorConfig_REJECT_REQUEST HeaderValidatorConfig_HeadersWithUnderscoresAction = 1
	// Drop the client header with name containing underscores. The header is dropped before the filter chain is
	// invoked and as such filters will not see dropped headers. The
	// :ref:`httpN.dropped_headers_with_underscores <config_http_conn_man_stats_per_codec>` is incremented for
	// each dropped header.
	HeaderValidatorConfig_DROP_HEADER HeaderValidatorConfig_HeadersWithUnderscoresAction = 2
)

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) Descriptor 

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) Descriptor() protoreflect.EnumDescriptor

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) Enum 

func (x HeaderValidatorConfig_HeadersWithUnderscoresAction) Enum() *HeaderValidatorConfig_HeadersWithUnderscoresAction

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) EnumDescriptor deprecated 

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) EnumDescriptor() ([]byte, []int)

Deprecated: Use HeaderValidatorConfig_HeadersWithUnderscoresAction.Descriptor instead.

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) Number 

func (x HeaderValidatorConfig_HeadersWithUnderscoresAction) Number() protoreflect.EnumNumber

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) String 

func (x HeaderValidatorConfig_HeadersWithUnderscoresAction) String() string

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) Type 

func (HeaderValidatorConfig_HeadersWithUnderscoresAction) Type() protoreflect.EnumType

type HeaderValidatorConfig_Http1ProtocolOptions 

type HeaderValidatorConfig_Http1ProtocolOptions struct {

	// Allows Envoy to process HTTP/1 requests/responses with both “Content-Length“ and “Transfer-Encoding“
	// headers set. By default such messages are rejected, but if option is enabled - Envoy will
	// remove the “Content-Length“ header and process the message.
	// See `RFC7230, sec. 3.3.3 <https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3>`_ for details.
	//
	// .. attention::
	//
	//	Enabling this option might lead to request smuggling vulnerabilities, especially if traffic
	//	is proxied via multiple layers of proxies.
	AllowChunkedLength bool `protobuf:"varint,1,opt,name=allow_chunked_length,json=allowChunkedLength,proto3" json:"allow_chunked_length,omitempty"`
	// contains filtered or unexported fields
}

func (*HeaderValidatorConfig_Http1ProtocolOptions) Descriptor deprecated 

func (*HeaderValidatorConfig_Http1ProtocolOptions) Descriptor() ([]byte, []int)

Deprecated: Use HeaderValidatorConfig_Http1ProtocolOptions.ProtoReflect.Descriptor instead.

func (*HeaderValidatorConfig_Http1ProtocolOptions) GetAllowChunkedLength 

func (x *HeaderValidatorConfig_Http1ProtocolOptions) GetAllowChunkedLength() bool

func (*HeaderValidatorConfig_Http1ProtocolOptions) ProtoMessage 

func (*HeaderValidatorConfig_Http1ProtocolOptions) ProtoMessage()

func (*HeaderValidatorConfig_Http1ProtocolOptions) ProtoReflect 

func (x *HeaderValidatorConfig_Http1ProtocolOptions) ProtoReflect() protoreflect.Message

func (*HeaderValidatorConfig_Http1ProtocolOptions) Reset 

func (x *HeaderValidatorConfig_Http1ProtocolOptions) Reset()

func (*HeaderValidatorConfig_Http1ProtocolOptions) String 

func (x *HeaderValidatorConfig_Http1ProtocolOptions) String() string

type HeaderValidatorConfig_UriPathNormalizationOptions 

type HeaderValidatorConfig_UriPathNormalizationOptions struct {

	// Should paths be normalized according to RFC 3986?
	// This operation overwrites the original request URI path and the new path is used for processing of
	// the request by HTTP filters and proxied to the upstream service.
	// Envoy will respond with 400 to requests with malformed paths that fail path normalization.
	// The default behavior is to normalize the path.
	// This value may be overridden by the runtime variable
	// :ref:`http_connection_manager.normalize_path<config_http_conn_man_runtime_normalize_path>`.
	// See `Normalization and Comparison <https://datatracker.ietf.org/doc/html/rfc3986#section-6>`_
	// for details of normalization.
	// Note that Envoy does not perform
	// `case normalization <https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1>`_
	// URI path normalization can be applied to a portion of requests by setting the
	// “envoy_default_header_validator.path_normalization“ runtime value.
	SkipPathNormalization bool `` /* 127-byte string literal not displayed */
	// Determines if adjacent slashes in the path are merged into one.
	// This operation overwrites the original request URI path and the new path is used for processing of
	// the request by HTTP filters and proxied to the upstream service.
	// Setting this option to true will cause incoming requests with path “//dir///file“ to not match against
	// route with “prefix“ match set to “/dir“. Defaults to “false“. Note that slash merging is not part of
	// `HTTP spec <https://datatracker.ietf.org/doc/html/rfc3986>`_ and is provided for convenience.
	// Merging of slashes in URI path can be applied to a portion of requests by setting the
	// “envoy_default_header_validator.merge_slashes“ runtime value.
	SkipMergingSlashes bool `protobuf:"varint,2,opt,name=skip_merging_slashes,json=skipMergingSlashes,proto3" json:"skip_merging_slashes,omitempty"`
	// The action to take when request URL path contains escaped slash sequences (“%2F“, “%2f“, “%5C“ and “%5c“).
	// This operation may overwrite the original request URI path and the new path is used for processing of
	// the request by HTTP filters and proxied to the upstream service.
	PathWithEscapedSlashesAction HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction `` /* 293-byte string literal not displayed */
	// contains filtered or unexported fields
}

func (*HeaderValidatorConfig_UriPathNormalizationOptions) Descriptor deprecated 

func (*HeaderValidatorConfig_UriPathNormalizationOptions) Descriptor() ([]byte, []int)

Deprecated: Use HeaderValidatorConfig_UriPathNormalizationOptions.ProtoReflect.Descriptor instead.

func (*HeaderValidatorConfig_UriPathNormalizationOptions) GetPathWithEscapedSlashesAction 

func (x *HeaderValidatorConfig_UriPathNormalizationOptions) GetPathWithEscapedSlashesAction() HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction

func (*HeaderValidatorConfig_UriPathNormalizationOptions) GetSkipMergingSlashes 

func (x *HeaderValidatorConfig_UriPathNormalizationOptions) GetSkipMergingSlashes() bool

func (*HeaderValidatorConfig_UriPathNormalizationOptions) GetSkipPathNormalization 

func (x *HeaderValidatorConfig_UriPathNormalizationOptions) GetSkipPathNormalization() bool

func (*HeaderValidatorConfig_UriPathNormalizationOptions) ProtoMessage 

func (*HeaderValidatorConfig_UriPathNormalizationOptions) ProtoMessage()

func (*HeaderValidatorConfig_UriPathNormalizationOptions) ProtoReflect 

func (x *HeaderValidatorConfig_UriPathNormalizationOptions) ProtoReflect() protoreflect.Message

func (*HeaderValidatorConfig_UriPathNormalizationOptions) Reset 

func (x *HeaderValidatorConfig_UriPathNormalizationOptions) Reset()

func (*HeaderValidatorConfig_UriPathNormalizationOptions) String 

func (x *HeaderValidatorConfig_UriPathNormalizationOptions) String() string

type HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction 

type HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction int32

Determines the action for requests that contain “%2F“, “%2f“, “%5C“ or “%5c“ sequences in the URI path. This operation occurs before URL normalization and the merge slashes transformations if they were enabled. 

const (
	// Default behavior specific to implementation (i.e. Envoy) of this configuration option.
	// Envoy, by default, takes the “KEEP_UNCHANGED“ action.
	// NOTE: the implementation may change the default behavior at-will.
	HeaderValidatorConfig_UriPathNormalizationOptions_IMPLEMENTATION_SPECIFIC_DEFAULT HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction = 0
	// Keep escaped slashes.
	HeaderValidatorConfig_UriPathNormalizationOptions_KEEP_UNCHANGED HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction = 1
	// Reject client request with the 400 status. gRPC requests will be rejected with the “INTERNAL“ (13) error code.
	// The “http#.downstream_rq_failed_path_normalization“ counter is incremented for each rejected request.
	HeaderValidatorConfig_UriPathNormalizationOptions_REJECT_REQUEST HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction = 2
	// Unescape “%2F“ and “%5C“ sequences and redirect the request to the new path if these sequences were present.
	// The redirect occurs after path normalization and merge slashes transformations if they were configured.
	// NOTE: gRPC requests will be rejected with the “INTERNAL“ (13) error code.
	// This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to
	// traverse all parties: downstream client, intermediate proxies, Envoy and upstream server.
	// The “http#.downstream_rq_redirected_with_normalized_path“ counter is incremented for each
	// redirected request.
	HeaderValidatorConfig_UriPathNormalizationOptions_UNESCAPE_AND_REDIRECT HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction = 3
	// Unescape “%2F“ and “%5C“ sequences.
	// Note: this option should not be enabled if intermediaries perform path based access control as
	// it may lead to path confusion vulnerabilities.
	HeaderValidatorConfig_UriPathNormalizationOptions_UNESCAPE_AND_FORWARD HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction = 4
)

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) Descriptor 

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) Descriptor() protoreflect.EnumDescriptor

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) Enum 

func (x HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) Enum() *HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) EnumDescriptor deprecated 

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) EnumDescriptor() ([]byte, []int)

Deprecated: Use HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction.Descriptor instead.

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) Number 

func (x HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) Number() protoreflect.EnumNumber

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) String 

func (x HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) String() string

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) Type 

func (HeaderValidatorConfig_UriPathNormalizationOptions_PathWithEscapedSlashesAction) Type() protoreflect.EnumType

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.