The client-to-upstream header forwarding policy.
When the proxy forwards a request to a cluster it rebuilds the request from
scratch, so by default only the headers it manages (content type, trace) reach
the upstream. For a sidecar/transparent deployment that is too lossy: the
client’s own headers (custom routing hints, Authorization, vendor tracing
like B3, …) should travel through. This module computes the forwarded set:
every client header except the ones that are unsafe to relay verbatim.
Two strip lists:
- Mandatory (never forwarded, not configurable): hop-by-hop headers
  (RFC 9110 §7.6.1) plus host and content-length, because the proxy re-frames
  the request to a different upstream and may rewrite the body, so the
  client’s framing headers would be wrong.
- Configured deny (header_forwarding.deny): an operator’s case-insensitive
  list, e.g. add authorization to keep the client credential from reaching
  the cluster. Empty by default (pass-all, the sidecar-trust default).
Trace headers (traceparent/tracestate) ride through here like any other
client header; whether the proxy overrides them with its own span is decided
separately at dispatch (only when span export is on), so a transparent proxy
passes the client’s tracing through untouched.
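The two strip lists applied to a sample request, as an added example that is not this crate's code. `ExamplePolicy`, `forwarded`, and the exact membership of `MANDATORY` are assumptions made for illustration; the example also strips any field nominated by the client's Connection header, which RFC 9110 §7.6.1 treats as hop-by-hop.

```rust
// Added example: hypothetical types and names, not the crate's own code.
use std::collections::HashSet;

// Always stripped: hop-by-hop fields from RFC 9110 §7.6.1 plus the framing
// headers the page names. The exact membership here is an assumption.
const MANDATORY: &[&str] = &[
    "connection", "proxy-connection", "keep-alive", "te",
    "transfer-encoding", "upgrade", "host", "content-length",
];

/// Hypothetical stand-in for the module's policy struct.
pub struct ExamplePolicy {
    pub forward: bool,     // forward client headers at all?
    pub deny: Vec<String>, // operator deny list, matched case-insensitively
}

/// Returns the client headers that may be relayed to the upstream.
pub fn forwarded(policy: &ExamplePolicy, client: &[(&str, &str)]) -> Vec<(String, String)> {
    if !policy.forward {
        return Vec::new();
    }
    let mut strip: HashSet<String> = MANDATORY.iter().map(|s| s.to_string()).collect();
    strip.extend(policy.deny.iter().map(|s| s.trim().to_ascii_lowercase()));
    // RFC 9110 §7.6.1: fields nominated by Connection are hop-by-hop too.
    for (name, value) in client {
        if name.eq_ignore_ascii_case("connection") {
            strip.extend(value.split(',').map(|t| t.trim().to_ascii_lowercase()));
        }
    }
    client
        .iter()
        .filter(|(name, _)| !strip.contains(&name.to_ascii_lowercase()))
        .map(|(n, v)| (n.to_string(), v.to_string()))
        .collect()
}

fn main() {
    // Constructed sample request headers.
    let client = [
        ("Host", "app.internal"), ("Content-Length", "12"),
        ("Connection", "keep-alive, X-Hop"), ("X-Hop", "1"),
        ("Authorization", "Bearer sample"), ("traceparent", "00-sample"),
        ("X-Route", "canary"),
    ];
    let policy = ExamplePolicy { forward: true, deny: vec!["AUTHORIZATION".into()] };
    for (n, v) in forwarded(&policy, &client) {
        println!("{}: {}", n, v);
    }
}
```

With an empty deny list the same request would also relay Authorization to the upstream, which is the pass-all default described above.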
Structs
- ForwardPolicy - The forwarding policy: whether to forward client headers at all, and which to drop on top of the mandatory hop-by-hop/framing set.