add x-envoy-original-host to keep original host (#39617)

Commit Message: add x-envoy-original-host to keep original host
Additional Description:

This PR added a x-envoy-original-host to keep original host value if the
host rewriting happens.

Risk Level: low.
Testing: n/a.
Docs Changes: n/a.
Release Notes: n/a.
Platform Specific Features: n/a.

---------

Signed-off-by: wangbaiping(wbpcode) <[email protected]>
Signed-off-by: code <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: wbpcode

api/envoy/config/route/v3/route_components.proto

@@ -1161,12 +1161,21 @@ message RouteAction {
   // [#extension-category: envoy.path.rewrite]
   core.v3.TypedExtensionConfig path_rewrite_policy = 41;
 
+  // If one of the host rewrite specifiers is set and the
+  // :ref:`suppress_envoy_headers
+  // <envoy_v3_api_field_extensions.filters.http.router.v3.Router.suppress_envoy_headers>` flag is not
+  // set to true, the router filter will place the original host header value before
+  // rewriting into the :ref:`x-envoy-original-host
+  // <config_http_filters_router_x-envoy-original-host>` header.
+  //
+  // And if the
+  // :ref:`append_x_forwarded_host <envoy_v3_api_field_config.route.v3.RouteAction.append_x_forwarded_host>`
+  // is set to true, the original host value will also be appended to the
+  // :ref:`config_http_conn_man_headers_x-forwarded-host` header.
+  //
   oneof host_rewrite_specifier {
     // Indicates that during forwarding, the host header will be swapped with
-    // this value. Using this option will append the
-    // :ref:`config_http_conn_man_headers_x-forwarded-host` header if
-    // :ref:`append_x_forwarded_host <envoy_v3_api_field_config.route.v3.RouteAction.append_x_forwarded_host>`
-    // is set.
+    // this value.
     string host_rewrite_literal = 6
         [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
@@ -1176,18 +1185,12 @@ message RouteAction {
     // type ``strict_dns`` or ``logical_dns``,
     // or when :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>`
     // field is not empty. Setting this to true with other cluster types
-    // has no effect. Using this option will append the
-    // :ref:`config_http_conn_man_headers_x-forwarded-host` header if
-    // :ref:`append_x_forwarded_host <envoy_v3_api_field_config.route.v3.RouteAction.append_x_forwarded_host>`
-    // is set.
+    // has no effect.
     google.protobuf.BoolValue auto_host_rewrite = 7;
 
     // Indicates that during forwarding, the host header will be swapped with the content of given
     // downstream or :ref:`custom <config_http_conn_man_headers_custom_request_headers>` header.
-    // If header value is empty, host header is left intact. Using this option will append the
-    // :ref:`config_http_conn_man_headers_x-forwarded-host` header if
-    // :ref:`append_x_forwarded_host <envoy_v3_api_field_config.route.v3.RouteAction.append_x_forwarded_host>`
-    // is set.
+    // If header value is empty, host header is left intact.
     //
     // .. attention::
     //
@@ -1203,10 +1206,6 @@ message RouteAction {
     // Indicates that during forwarding, the host header will be swapped with
     // the result of the regex substitution executed on path value with query and fragment removed.
     // This is useful for transitioning variable content between path segment and subdomain.
-    // Using this option will append the
-    // :ref:`config_http_conn_man_headers_x-forwarded-host` header if
-    // :ref:`append_x_forwarded_host <envoy_v3_api_field_config.route.v3.RouteAction.append_x_forwarded_host>`
-    // is set.
     //
     // For example with the following config:
     //

changelogs/current.yaml

@@ -112,6 +112,10 @@ removed_config_or_runtime:
     Removed runtime guard ``envoy.reloadable_features.lua_flow_control_while_http_call`` and legacy code paths.
 
 new_features:
+- area: http
+  change: |
+    added :ref:`x-envoy-original-host <config_http_filters_router_x-envoy-original-host>` that
+    used to record the original host header value before it is mutated by the router filter.
 - area: stateful_session
   change: |
     Supports envelope stateful session extension to keep the exist session header value

docs/root/configuration/http/http_filters/router_filter.rst

@@ -376,6 +376,19 @@ or :ref:`regex_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.regex_rew
 Envoy will put the original path header in this header. This can be useful for logging and
 debugging.
 
+.. _config_http_filters_router_x-envoy-original-host:
+
+x-envoy-original-host
+^^^^^^^^^^^^^^^^^^^^^
+
+If the route utilizes
+:ref:`host_rewrite_literal <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_literal>`,
+:ref:`auto_host_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.auto_host_rewrite>`,
+:ref:`host_rewrite_header <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_header>`,
+:ref:`host_rewrite_path_regex <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_path_regex>`,
+Envoy will put the original host header in this header. This can be useful for logging and
+debugging.
+
 .. _config_http_filters_router_x-envoy-upstream-stream-duration-ms:
 
 x-envoy-upstream-stream-duration-ms

envoy/http/header_map.h

@@ -191,6 +191,7 @@ class HeaderEntry {
   HEADER_FUNC(EnvoyRetriableHeaderNames)                                                           \
   HEADER_FUNC(EnvoyIsTimeoutRetry)                                                                 \
   HEADER_FUNC(EnvoyOriginalPath)                                                                   \
+  HEADER_FUNC(EnvoyOriginalHost)                                                                   \
   HEADER_FUNC(EnvoyOriginalUrl)                                                                    \
   HEADER_FUNC(EnvoyUpstreamAltStatName)                                                            \
   HEADER_FUNC(EnvoyUpstreamRequestTimeoutAltResponse)                                              \

envoy/router/router.h

@@ -901,23 +901,6 @@ class RouteEntry : public ResponseEntry {
    */
   virtual const std::string& clusterName() const PURE;
 
-  /**
-   * Returns the final host value for the request, taking into account route-level mutations.
-   *
-   * The value returned is computed with the following logic in order:
-   *
-   * 1. If a host rewrite is configured for the route, it returns that value.
-   * 2. If a host rewrite header is specified, it attempts to use the value from that header.
-   * 3. If a host rewrite path regex is configured, it applies the regex to the request path and
-   *    returns the result.
-   * 4. If none of the above apply, it returns the original host value from the request headers.
-   *
-   * @param headers The constant reference to the request headers.
-   * @note This function will not attempt to restore the port in the host value. If port information
-   *       is required, it should be handled separately.
-   */
-  virtual const std::string getRequestHostValue(const Http::RequestHeaderMap& headers) const PURE;
-
   /**
    * Returns the HTTP status code to use when configured cluster is not found.
    * @return Http::Code to use when configured cluster is not found.
@@ -946,11 +929,12 @@ class RouteEntry : public ResponseEntry {
    * immediately prior to forwarding. It is done this way vs. copying for performance reasons.
    * @param headers supplies the request headers, which may be modified during this call.
    * @param stream_info holds additional information about the request.
-   * @param insert_envoy_original_path insert x-envoy-original-path header if path rewritten?
+   * @param keep_original_host_or_path insert x-envoy-original-path header if path rewritten,
+   *        or x-envoy-original-host header if host rewritten.
    */
   virtual void finalizeRequestHeaders(Http::RequestHeaderMap& headers,
                                       const StreamInfo::StreamInfo& stream_info,
-                                      bool insert_envoy_original_path) const PURE;
+                                      bool keep_original_host_or_path) const PURE;
 
   /**
    * Returns the request header transforms that would be applied if finalizeRequestHeaders were

source/common/http/conn_manager_utility.cc

@@ -325,7 +325,11 @@ void ConnectionManagerUtility::cleanInternalHeaders(
     request_headers.removeEnvoyDecoratorOperation();
     request_headers.removeEnvoyDownstreamServiceCluster();
     request_headers.removeEnvoyDownstreamServiceNode();
+
+    // TODO(wbpcode): Envoy may should always remove these headers from client because
+    // these headers are hop by hop headers and should not be sent to upstream.
     request_headers.removeEnvoyOriginalPath();
+    request_headers.removeEnvoyOriginalHost();
   }
 
   // Headers to be stripped from edge *and* intermediate-hop external requests.

source/common/http/headers.h

@@ -176,6 +176,7 @@ class HeaderValues {
   const LowerCaseString EnvoyOriginalDstHost{absl::StrCat(prefix(), "-original-dst-host")};
   const LowerCaseString EnvoyOriginalMethod{absl::StrCat(prefix(), "-original-method")};
   const LowerCaseString EnvoyOriginalPath{absl::StrCat(prefix(), "-original-path")};
+  const LowerCaseString EnvoyOriginalHost{absl::StrCat(prefix(), "-original-host")};
   const LowerCaseString EnvoyOverloaded{absl::StrCat(prefix(), "-overloaded")};
   const LowerCaseString EnvoyDropOverload{absl::StrCat(prefix(), "-drop-overload")};
   const LowerCaseString EnvoyUnconditionalDropOverload{

source/common/http/null_route_impl.h

@@ -123,9 +123,6 @@ struct RouteEntryImpl : public Router::RouteEntry {
 
   // Router::RouteEntry
   const std::string& clusterName() const override { return cluster_name_; }
-  const std::string getRequestHostValue(const Http::RequestHeaderMap& headers) const override {
-    return std::string(headers.getHostValue());
-  }
   const Router::RouteStatsContextOptRef routeStatsContext() const override {
     return Router::RouteStatsContextOptRef();
   }

source/common/http/utility.cc

@@ -444,20 +444,21 @@ void Utility::appendVia(RequestOrResponseHeaderMap& headers, const std::string&
 }
 
 void Utility::updateAuthority(RequestHeaderMap& headers, absl::string_view hostname,
-                              const bool append_xfh) {
-  const auto host = headers.getHostValue();
-
-  // Only append to x-forwarded-host if the value was not the last value appended.
-  const auto xfh = headers.getForwardedHostValue();
+                              bool append_xfh, bool keep_old) {
+  if (const absl::string_view host = headers.getHostValue(); !host.empty()) {
+    // Insert the x-envoy-original-host header if required.
+    if (keep_old) {
+      headers.setEnvoyOriginalHost(host);
+    }
 
-  if (append_xfh && !host.empty()) {
-    if (!xfh.empty()) {
-      const auto xfh_split = StringUtil::splitToken(xfh, ",");
-      if (!xfh_split.empty() && xfh_split.back() != host) {
+    // Append the x-forwarded-host header if required. Only append to x-forwarded-host
+    // if the value was not the last value appended.
+    if (append_xfh) {
+      const absl::InlinedVector<absl::string_view, 4> xfh_split =
+          absl::StrSplit(headers.getForwardedHostValue(), ',', absl::SkipWhitespace());
+      if (xfh_split.empty() || xfh_split.back() != host) {
         headers.appendForwardedHost(host, ",");
       }
-    } else {
-      headers.appendForwardedHost(host, ",");
     }
   }
 

source/common/http/utility.h

@@ -202,8 +202,10 @@ void appendVia(RequestOrResponseHeaderMap& headers, const std::string& via);
  * @param headers headers where authority should be updated.
  * @param hostname hostname that authority should be updated with.
  * @param append_xfh append the original authority to the x-forwarded-host header.
+ * @param keep_old insert the original authority in the x-envoy-original-host header.
  */
-void updateAuthority(RequestHeaderMap& headers, absl::string_view hostname, bool append_xfh);
+void updateAuthority(RequestHeaderMap& headers, absl::string_view hostname, bool append_xfh,
+                     bool keep_old);
 
 /**
  * Creates an SSL (https) redirect path based on the input host and path headers.