envoy: add global response headers to local replies (#2217) (#2225)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2025-08-02 08:19:23 +02:00 · 2021-05-21 02:48:36 +00:00 · 2021-05-21 02:48:36 +00:00 · 8bf389e077
commit 8bf389e077
parent 479c0290d0
3 changed files with 121 additions and 24 deletions
--- a/config/envoyconfig/http_connection_manager.go
+++ b/config/envoyconfig/http_connection_manager.go
@ -0,0 +1,59 @@
+package envoyconfig
+
+import (
+	envoy_config_accesslog_v3 "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3"
+	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+	envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+
+	"github.com/pomerium/pomerium/config"
+)
+
+func (b *Builder) buildVirtualHost(
+	options *config.Options,
+	name string,
+	domain string,
+) (*envoy_config_route_v3.VirtualHost, error) {
+	vh := &envoy_config_route_v3.VirtualHost{
+		Name:    name,
+		Domains: []string{domain},
+	}
+
+	// these routes match /.pomerium/... and similar paths
+	rs, err := b.buildPomeriumHTTPRoutes(options, domain)
+	if err != nil {
+		return nil, err
+	}
+	vh.Routes = append(vh.Routes, rs...)
+
+	// if we're the proxy or authenticate service, add our global headers
+	if config.IsProxy(options.Services) || config.IsAuthenticate(options.Services) {
+		vh.ResponseHeadersToAdd = toEnvoyHeaders(options.GetSetResponseHeaders())
+	}
+
+	return vh, nil
+}
+
+// buildLocalReplyConfig builds the local reply config: the config used to modify "local" replies, that is replies
+// coming directly from envoy
+func (b *Builder) buildLocalReplyConfig(
+	options *config.Options,
+) *envoy_http_connection_manager.LocalReplyConfig {
+	// add global headers for HSTS headers (#2110)
+	var headers []*envoy_config_core_v3.HeaderValueOption
+	// if we're the proxy or authenticate service, add our global headers
+	if config.IsProxy(options.Services) || config.IsAuthenticate(options.Services) {
+		headers = toEnvoyHeaders(options.GetSetResponseHeaders())
+	}
+
+	return &envoy_http_connection_manager.LocalReplyConfig{
+		Mappers: []*envoy_http_connection_manager.ResponseMapper{{
+			Filter: &envoy_config_accesslog_v3.AccessLogFilter{
+				FilterSpecifier: &envoy_config_accesslog_v3.AccessLogFilter_ResponseFlagFilter{
+					ResponseFlagFilter: &envoy_config_accesslog_v3.ResponseFlagFilter{},
+				},
+			},
+			HeadersToAdd: headers,
+		}},
+	}
+}
--- a/config/envoyconfig/listeners.go
+++ b/config/envoyconfig/listeners.go
@ -301,9 +301,9 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(

 	var virtualHosts []*envoy_config_route_v3.VirtualHost
 	for _, domain := range domains {
-		vh := &envoy_config_route_v3.VirtualHost{
-			Name:    domain,
-			Domains: []string{domain},
+		vh, err := b.buildVirtualHost(options, domain, domain)
+		if err != nil {
+			return nil, err
 		}

 		if options.Addr == options.GetGRPCAddr() {
@ -318,13 +318,6 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 			}
 		}

-		// these routes match /.pomerium/... and similar paths
-		rs, err := b.buildPomeriumHTTPRoutes(options, domain)
-		if err != nil {
-			return nil, err
-		}
-		vh.Routes = append(vh.Routes, rs...)
-
 		// if we're the proxy, add all the policy routes
 		if config.IsProxy(options.Services) {
 			rs, err := b.buildPolicyRoutes(options, domain)
@ -334,31 +327,22 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 			vh.Routes = append(vh.Routes, rs...)
 		}

-		// if we're the proxy or authenticate service, add our global headers
-		if config.IsProxy(options.Services) || config.IsAuthenticate(options.Services) {
-			vh.ResponseHeadersToAdd = toEnvoyHeaders(options.GetSetResponseHeaders())
-		}
-
 		if len(vh.Routes) > 0 {
 			virtualHosts = append(virtualHosts, vh)
 		}
 	}

-	rs, err := b.buildPomeriumHTTPRoutes(options, "*")
+	vh, err := b.buildVirtualHost(options, "catch-all", "*")
 	if err != nil {
 		return nil, err
 	}
-	virtualHosts = append(virtualHosts, &envoy_config_route_v3.VirtualHost{
-		Name:    "catch-all",
-		Domains: []string{"*"},
-		Routes:  rs,
-	})
+	virtualHosts = append(virtualHosts, vh)

 	var grpcClientTimeout *durationpb.Duration
 	if options.GRPCClientTimeout != 0 {
-		grpcClientTimeout = ptypes.DurationProto(options.GRPCClientTimeout)
+		grpcClientTimeout = durationpb.New(options.GRPCClientTimeout)
 	} else {
-		grpcClientTimeout = ptypes.DurationProto(30 * time.Second)
+		grpcClientTimeout = durationpb.New(30 * time.Second)
 	}

 	extAuthZ := marshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{
@ -473,6 +457,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 		UseRemoteAddress:  &wrappers.BoolValue{Value: true},
 		SkipXffAppend:     options.SkipXffAppend,
 		XffNumTrustedHops: options.XffNumTrustedHops,
+		LocalReplyConfig:  b.buildLocalReplyConfig(options),
 	})

 	return &envoy_config_listener_v3.Filter{
--- a/config/envoyconfig/listeners_test.go
+++ b/config/envoyconfig/listeners_test.go
@ -335,6 +335,27 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 					{
 						"name": "catch-all",
 						"domains": ["*"],
+						"responseHeadersToAdd": [{
+							"append": false,
+							"header": {
+								"key": "Strict-Transport-Security",
+								"value": "max-age=31536000; includeSubDomains; preload"
+							}
+						},
+						{
+							"append": false,
+							"header": {
+								"key": "X-Frame-Options",
+								"value": "SAMEORIGIN"
+							}
+						},
+						{
+							"append": false,
+							"header": {
+								"key": "X-XSS-Protection",
+								"value": "1; mode=block"
+							}
+						}],
 						"routes": [
 							{
 								"name": "pomerium-path-/.pomerium/jwt",
@ -463,7 +484,39 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 			},
 			"useRemoteAddress": true,
 			"skipXffAppend": true,
-			"xffNumTrustedHops": 1
+			"xffNumTrustedHops": 1,
+			"localReplyConfig":{
+				"mappers":[
+					{
+						"filter":{
+							"responseFlagFilter":{}
+						},
+						"headersToAdd":[
+							{
+								"append":false,
+								"header":{
+									"key":"Strict-Transport-Security",
+									"value":"max-age=31536000; includeSubDomains; preload"
+								}
+							},
+							{
+								"append":false,
+								"header":{
+									"key":"X-Frame-Options",
+									"value":"SAMEORIGIN"
+								}
+							},
+							{
+								"append":false,
+								"header":{
+									"key":"X-XSS-Protection",
+									"value":"1; mode=block"
+								}
+							}
+						]
+					}
+				]
+			}
 		}
 	}`, filter)
 }