Formats the RESPONSE HEADER by proper casing words: the first character and any character following a special character will be capitalized if it’s an alpha character. For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are”. Note that while this results in most headers following conventional casing, certain headers are not covered. For example, the “TE” header will be formatted as “Te”. Only one of properCaseHeaderKeyFormat or preserveCaseHeaderKeyFormat can be set.
preserveCaseHeaderKeyFormat
bool
Generates configuration for a stateful formatter extension that allows using received headers to affect the output of encoding headers. Specifically: preserving RESPONSE HEADER case during proxying. Only one of preserveCaseHeaderKeyFormat or properCaseHeaderKeyFormat can be set.
HttpConnectionManager configuration for protocol upgrade requests. Note: WebSocket upgrades are enabled by default on the HTTP Connection Manager and must be explicitly disabled.
Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). The default value can be overridden by the :ref:http_connection_manager.path_with_escaped_slashes_action<config_http_conn_man_runtime_path_with_escaped_slashes_action> runtime variable. The :ref:http_connection_manager.path_with_escaped_slashes_action_sampling<config_http_conn_man_runtime_path_with_escaped_slashes_action_enabled> runtime variable can be used to apply the action to a portion of all requests.
Whether the implementation alters the UUID to contain the trace sampling decision as per the UuidRequestIdConfig message documentation. This defaults to true. If disabled no modification to the UUID will be performed. It is important to note that if disabled, stable sampling of traces, access logs, etc. will no longer work and only random sampling will be possible.
Set whether to use :ref:x-request-id<config_http_conn_man_headers_x-request-id> for sampling or not. This defaults to true. See the :ref:context propagation <arch_overview_tracing_context_propagation> overview for more information.
ForwardClientCertDetails
Name
Description
SANITIZE
FORWARD_ONLY
APPEND_FORWARD
SANITIZE_SET
ALWAYS_FORWARD_ONLY
ServerHeaderTransformation
Name
Description
OVERWRITE
(DEFAULT) Overwrite any Server header with the contents of server_name.
APPEND_IF_ABSENT
If no Server header is present, append Server server_name If a Server header is present, pass it through.
PASS_THROUGH
Pass through the value of the server header, and do not append a header if none is present.
HeadersWithUnderscoreAction
Action to take when Envoy receives client request with header names containing underscore characters. Underscore character
is allowed in header names by the RFC-7230 and this behavior is implemented as a security measure due to systems that treat
‘_’ and ‘-‘ as interchangeable. Envoy by default allows client request headers with underscore characters.
Name
Description
ALLOW
Allow headers with underscores. This is the default behavior.
REJECT_CLIENT_REQUEST
Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests end with the stream reset. The “httpN.requests_rejected_with_underscores_in_headers” counter is incremented for each rejected request.
DROP_HEADER
Drop the client header with name containing underscores. The header is dropped before the filter chain is invoked and as such filters will not see dropped headers. The “httpN.dropped_headers_with_underscores” is incremented for each dropped header.
PathWithEscapedSlashesAction
Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path.
This operation occurs before URL normalization and the merge slashes transformations if they were enabled.
Name
Description
IMPLEMENTATION_SPECIFIC_DEFAULT
Default behavior specific to implementation (i.e. Envoy) of this configuration option. Envoy, by default, takes the KEEP_UNCHANGED action. NOTE: the implementation may change the default behavior at-will.
KEEP_UNCHANGED
Keep escaped slashes.
REJECT_REQUEST
Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. The “httpN.downstream_rq_failed_path_normalization” counter is incremented for each rejected request.
UNESCAPE_AND_REDIRECT
Unescape %2F and %5C sequences and redirect request to the new path if these sequences were present. Redirect occurs after path normalization and merge slashes transformations if they were configured. NOTE: gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented for each redirected request.
UNESCAPE_AND_FORWARD
Unescape %2F and %5C sequences. Note: this option should not be enabled if intermediaries perform path based access control as it may lead to path confusion vulnerabilities.
CodecType
Name
Description
AUTO
For every new connection, the connection manager will determine which codec to use. This mode supports both ALPN for TLS listeners as well as protocol inference for plaintext listeners. If ALPN data is available, it is preferred, otherwise protocol inference is used. In almost all cases, this is the right option to choose for this setting.
HTTP1
The connection manager will assume that the client is speaking HTTP/1.1.
HTTP2
The connection manager will assume that the client is speaking HTTP/2 (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. Prior knowledge is allowed).
