HeaderRewrites

microgateway.airlock.com/v1alpha1


HeaderRewrites is the Schema for the headerrewrites API

apiVersion: microgateway.airlock.com/v1alpha1
kind: HeaderRewrites
metadata:
  name: header-rewrites-example
spec:
  request:
    allow:
      matchingHeaders:
        # Drop all request headers except "X-CSRF-TOKEN" and those in the built-in
        # standard header allow list (Accept, Cookie, etc.) to reduce the attack surface.
        builtIn:
          standardHeaders: true
        custom:
          - name: Allow X-CSRF-Token header
            headers:
              - name:
                  matcher:
                    exact: X-CSRF-TOKEN
    remove:
      # Remove the "X-Forwarded-Host" header and those in the built-in
      # alternative forwarded headers list from the request.
      builtIn:
        alternativeForwardedHeaders: true
      custom:
        - name: Remove X-Forwarded-Host
          headers:
            - name:
                matcher:
                  exact: X-Forwarded-Host
    add:
      # Inject a custom header into the request.
      custom:
        - name: Add headers with TLS information of the downstream connection
          headers:
            - name: X-TLS-DOWNSTREAM-PEER-CERT
              value: "%DOWNSTREAM_PEER_CERT%"
          mode: OverwriteOrAdd
  response:
    allow:
      # Allow all response headers.
      allHeaders: {}
    remove:
      # Remove the headers in the built-in auth basic list from the response.
      builtIn:
        auth:
          basic: true
    add:
      # Inject a custom header into the response.
      custom:
        - name: Add application version as header
          headers:
            - name: X-APP-VERSION
              value: "3.7.4"
          mode: OverwriteOrAdd
---
apiVersion: microgateway.airlock.com/v1alpha1
kind: HeaderRewrites
metadata:
  name: default
spec: 
  settings: 
    operationalMode: Production
  request: 
    allow: 
      matchingHeaders: 
        builtIn: 
          standardHeaders: true
    remove: 
      builtIn: 
        alternativeForwardedHeaders: true
    add: {}
  response: 
    allow: 
      allHeaders: {}
    remove: 
      builtIn: 
        informationLeakage: 
          server: true
          application: true
        auth: 
          basic: false
          ntlm: true
          negotiate: true
        permissiveCors: true
    add: 
      builtIn: 
        xFrameOptions: true
        hsts: true
        hstsPreload: false
        csp: true
        xContentTypeOptions: true
        referrerPolicy: true
        featurePolicy: true

HeaderRewrites

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata | yes | | |
| spec | object | Specification of the desired header rewriting behavior. | no | | |

HeaderRewrites.spec

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| request | object | Request defines manipulations on upstream request headers. | no | | |
| response | object | Response defines manipulations on upstream response headers. | no | | |
| settings | object | Settings configures the HeaderRewrites filter. | no | | |

HeaderRewrites.spec.request

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| add | object | Add defines which request headers will be added before forwarding to the upstream. | no | | |
| allow | object | Allow defines which request headers will be forwarded to the upstream. This can either be allHeaders or matchingHeaders. Default: matchingHeaders: {…} | no | matchingHeaders{...} | allHeaders{}, matchingHeaders{} |
| remove | object | Remove defines which request headers will be removed before forwarding to the upstream. | no | | |

HeaderRewrites.spec.request.add

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| custom | object[] | Custom allows configuring additional upstream request headers. Add selected headers. | no | | |

HeaderRewrites.spec.request.add.custom[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| headers | object[] | Headers to add. | yes | | |
| mode | enum | Mode defines the header addition strategy. | no | AddIfAbsent | AddIfAbsent, OverwriteOrAdd |
| name | string | Name describing the configured operation. | yes | | |

HeaderRewrites.spec.request.add.custom[].headers[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | string | Name defines the name of a header. | yes | | |
| value | string | Value defines the value of a header. | yes | | |

HeaderRewrites.spec.request.allow

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| allHeaders | object | AllHeaders specifies that all request headers should be forwarded. | no | | |
| matchingHeaders | object | MatchingHeaders specifies which request headers should be forwarded. | no | | |

HeaderRewrites.spec.request.allow.matchingHeaders

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| builtIn | object | BuiltIn allows configuring a set of predefined upstream request headers. | no | | |
| custom | object[] | Custom allows configuring additional upstream request headers. | no | | |

HeaderRewrites.spec.request.allow.matchingHeaders.builtIn

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| standardHeaders | bool | StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. | no | true | true, false |

HeaderRewrites.spec.request.allow.matchingHeaders.custom[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| headers | object[] | Headers to allow. | yes | | |
| name | string | Name describing the configured operation. Must be unique. | yes | | |

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[].name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[].name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[].value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[].value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

HeaderRewrites.spec.request.remove

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| builtIn | object | BuiltIn allows configuring a set of predefined upstream request headers. | no | | |
| custom | object[] | Custom allows configuring additional upstream request headers. | no | | |

HeaderRewrites.spec.request.remove.builtIn

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| alternativeForwardedHeaders | bool | AlternativeForwardedHeaders removes downstream request headers which could potentially be abused to alter the upstream’s view of the remote connection: Front-End-Https. | no | true | true, false |

HeaderRewrites.spec.request.remove.custom[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| headers | object[] | Headers to remove. | yes | | |
| name | string | Name describing the configured operation. Must be unique. | yes | | |

HeaderRewrites.spec.request.remove.custom[].headers[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

HeaderRewrites.spec.request.remove.custom[].headers[].name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

HeaderRewrites.spec.request.remove.custom[].headers[].name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

HeaderRewrites.spec.request.remove.custom[].headers[].value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

HeaderRewrites.spec.request.remove.custom[].headers[].value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

HeaderRewrites.spec.response

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| add | object | Add defines which response headers will be added before forwarding to the downstream. | no | | |
| allow | object | Allow defines which response headers will be forwarded to the downstream. This can either be allHeaders or matchingHeaders. Default: allHeaders: {} | no | allHeaders{...} | allHeaders{}, matchingHeaders{} |
| remove | object | Remove defines which response headers will be removed before forwarding to the downstream. | no | | |

HeaderRewrites.spec.response.add

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| builtIn | object | BuiltIn allows configuring a set of predefined upstream response headers. | no | | |
| custom | object[] | Custom allows configuring additional upstream response headers. | no | | |

HeaderRewrites.spec.response.add.builtIn

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| csp | bool | CSP sets a content security policy which allows only same-origin requests except for images if the ‘Content-Security-Policy’ header is not set by the upstream. | no | true | true, false |
| featurePolicy | bool | FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features if the ‘Feature-Policy’ header is not set by the upstream. | no | true | true, false |
| hsts | bool | HSTS enforces the use of HTTPS if the ‘Strict-Transport-Security’ header is not already set by the upstream. | no | true | true, false |
| hstsPreload | bool | HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. | no | false | true, false |
| referrerPolicy | bool | ReferrerPolicy ensures that no ‘Referer’ header is sent for cross-origin requests if the ‘Referrer-Policy’ header is not set by the upstream. | no | true | true, false |
| xContentTypeOptions | bool | XContentTypeOptions sets ‘X-Content-Type-Options’ to ‘nosniff’ if it is not set by the upstream. | no | true | true, false |
| xFrameOptions | bool | XFrameOptions sets ‘X-Frame-Options’ to SAMEORIGIN if it is not set by the upstream. | no | true | true, false |

HeaderRewrites.spec.response.add.custom[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| headers | object[] | Headers to add. | yes | | |
| mode | enum | Mode defines the header addition strategy. | no | AddIfAbsent | AddIfAbsent, OverwriteOrAdd |
| name | string | Name describing the configured operation. | yes | | |

HeaderRewrites.spec.response.add.custom[].headers[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | string | Name defines the name of a header. | yes | | |
| value | string | Value defines the value of a header. | yes | | |

HeaderRewrites.spec.response.allow

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| allHeaders | object | AllHeaders specifies that all response headers should be forwarded. | no | | |
| matchingHeaders | object | MatchingHeaders specifies which response headers should be forwarded. | no | | |

HeaderRewrites.spec.response.allow.matchingHeaders

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| builtIn | object | BuiltIn allows configuring a set of predefined upstream response headers. | no | | |
| custom | object[] | Custom allows configuring additional upstream response headers. | no | | |

HeaderRewrites.spec.response.allow.matchingHeaders.builtIn

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| standardHeaders | bool | StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. | no | false | true, false |

HeaderRewrites.spec.response.allow.matchingHeaders.custom[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| headers | object[] | Headers to allow. | yes | | |
| name | string | Name describing the configured operation. Must be unique. | yes | | |

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[].name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[].name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[].value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[].value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

HeaderRewrites.spec.response.remove

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| builtIn | object | BuiltIn allows configuring a set of predefined upstream response headers. | no | | |
| custom | object[] | Custom allows configuring additional upstream response headers. | no | | |

HeaderRewrites.spec.response.remove.builtIn

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| auth | object | Auth defines the categories of headers concerning authentication. | no | | |
| informationLeakage | object | InformationLeakage defines the categories of headers concerning information leakage. | no | | |
| permissiveCors | bool | PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. | no | true | true, false |

HeaderRewrites.spec.response.remove.builtIn.auth

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| basic | bool | Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. | no | false | true, false |
| ntlm | bool | NTLM removes upstream response headers that advise clients to authenticate with NTLM. By default, these headers are removed, because NTLM pass-through is not supported. | no | true | true, false |
| negotiate | bool | Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. | no | true | true, false |

HeaderRewrites.spec.response.remove.builtIn.informationLeakage

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| application | bool | Application removes upstream response headers that leak information about the deployed software: X-AspNet-Version, X-AspNetMvc-Version, X-Generator, X-Powered-By. | no | true | true, false |
| server | bool | Server removes upstream response headers that leak information about the server: Age, Link, P3P, Proxy-Authenticate, Server, Via. | no | true | true, false |

HeaderRewrites.spec.response.remove.custom[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| headers | object[] | Headers to remove. | yes | | |
| name | string | Name describing the configured remove operation. Must be unique. | yes | | |

HeaderRewrites.spec.response.remove.custom[].headers[]

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | | |
| value | object | Value defines the value of a header. | no | | |

HeaderRewrites.spec.response.remove.custom[].headers[].name

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

HeaderRewrites.spec.response.remove.custom[].headers[].name.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

HeaderRewrites.spec.response.remove.custom[].headers[].value

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

HeaderRewrites.spec.response.remove.custom[].headers[].value.matcher

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
| prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used (https://github.com/google/re2/wiki/Syntax). The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
| suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

HeaderRewrites.spec.settings

| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| operationalMode | enum | OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. | no | Production | Production, Integration |
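
The Default column of this reference gives the out-of-the-box value of every built-in, which makes a manifest review mechanical. The following Python check is an added example, not part of the Airlock reference or product: it reports fields that a HeaderRewrites manifest explicitly sets away from those documented defaults. The sample manifest, its name `relaxed-example` and the helper names `HARDENED_DEFAULTS`, `lookup` and `audit` are constructed for illustration; field paths and default values are taken from the tables on this page.

```python
import json

# Built-ins and the default the reference tables list for each.
# Paths are relative to .spec.
HARDENED_DEFAULTS = {
    "request.allow.matchingHeaders.builtIn.standardHeaders": True,
    "request.remove.builtIn.alternativeForwardedHeaders": True,
    "response.remove.builtIn.informationLeakage.server": True,
    "response.remove.builtIn.informationLeakage.application": True,
    "response.remove.builtIn.auth.ntlm": True,
    "response.remove.builtIn.auth.negotiate": True,
    "response.remove.builtIn.permissiveCors": True,
    "response.add.builtIn.xFrameOptions": True,
    "response.add.builtIn.hsts": True,
    "response.add.builtIn.csp": True,
    "response.add.builtIn.xContentTypeOptions": True,
    "response.add.builtIn.referrerPolicy": True,
    "response.add.builtIn.featurePolicy": True,
    "settings.operationalMode": "Production",
}

_MISSING = object()


def lookup(spec, dotted_path):
    """Return the value at dotted_path, or _MISSING if any key is absent."""
    node = spec
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def audit(manifest):
    """List fields explicitly set away from the documented defaults.

    Omitted fields are not reported: only values present in the manifest
    are compared, so no assumption is made about how omissions are filled.
    """
    spec = manifest.get("spec") or {}
    findings = []
    for path, default in HARDENED_DEFAULTS.items():
        value = lookup(spec, path)
        if value is not _MISSING and value != default:
            findings.append(
                f"{path}: {json.dumps(value)} "
                f"(documented default {json.dumps(default)})"
            )
    # request.allow is either allHeaders or matchingHeaders; choosing
    # allHeaders forwards every request header to the upstream.
    if lookup(spec, "request.allow.allHeaders") is not _MISSING:
        findings.append(
            "request.allow.allHeaders: set (documented default matchingHeaders)"
        )
    return sorted(findings)


# Constructed sample manifest, given as JSON (YAML manifests convert 1:1).
SAMPLE_MANIFEST = """
{
  "apiVersion": "microgateway.airlock.com/v1alpha1",
  "kind": "HeaderRewrites",
  "metadata": {"name": "relaxed-example"},
  "spec": {
    "settings": {"operationalMode": "Integration"},
    "request": {
      "allow": {"allHeaders": {}},
      "remove": {"builtIn": {"alternativeForwardedHeaders": false}}
    },
    "response": {
      "remove": {"builtIn": {
        "informationLeakage": {"server": true, "application": false},
        "permissiveCors": true
      }},
      "add": {"builtIn": {"hsts": false, "hstsPreload": false}}
    }
  }
}
"""

if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE_MANIFEST)):
        print(finding)
```

Settings that are stricter than the default, such as `auth.basic: true`, are deliberately not reported.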