Remove the server: istio-envoy header in Istio 1.8.2

Question  Votes: 0  Answers: 5

How do I remove the server header generated by Istio?

In Istio 1.5.6 I had an Istio EnvoyFilter, but it no longer seems to work in Istio 1.8.2.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: dgp-headerstrip-server
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        config:
          server_header_transformation: PASS_THROUGH
istio
5 Answers
1
votes

Solved: use typed_config (https://github.com/istio/istio/issues/13861)

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: dgp-headerstrip-server
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          server_header_transformation: PASS_THROUGH
  

0
votes

Tested with Istio 1.9, to avoid the deprecation warnings

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: remove-server-header
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          server_header_transformation: PASS_THROUGH
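
The differences between the question's filter and the two answers above can be checked mechanically before a manifest is applied. The following linter is an added example, not code from the question or the answers; the function name `lint_envoyfilter` and the check ids are hypothetical, and it scans lines with regular expressions rather than parsing YAML.

```python
import re

# Patterns from this page's manifests: old filter name, untyped `config:`, v2 type URL.
CHECKS = [
    ("deprecated-filter-name",
     re.compile(r'''^\s*name:\s*["']?envoy\.http_connection_manager["']?\s*$'''),
     "use envoy.filters.network.http_connection_manager"),
    ("untyped-config", re.compile(r"^\s*config:\s*$"),
     "use typed_config with an '@type' URL"),
    ("v2-type-url", re.compile(r"@type.*http_connection_manager\.v2\."),
     "use envoy.extensions.filters.network.http_connection_manager.v3"),
]

def lint_envoyfilter(manifest):
    """Return (line_no, check_id, advice) for findings inside EnvoyFilter documents."""
    findings, doc, start = [], [], 1
    lines = manifest.splitlines() + ["---"]      # sentinel closes the last document
    for no, line in enumerate(lines, 1):
        if line.strip() != "---":
            doc.append(line)
            continue
        # Only inspect documents whose kind is EnvoyFilter; skip VirtualService etc.
        if any(re.match(r"kind:\s*EnvoyFilter\s*$", text) for text in doc):
            for off, text in enumerate(doc):
                for check_id, pat, advice in CHECKS:
                    if pat.search(text):
                        findings.append((start + off, check_id, advice))
        doc, start = [], no + 1
    return findings

# Sample input: the relevant part of the question's Istio 1.5.6 filter.
OLD = """\
kind: EnvoyFilter
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        config:
          server_header_transformation: PASS_THROUGH
"""

if __name__ == "__main__":
    print(*lint_envoyfilter(OLD), sep="\n")
```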


0
votes

You can also set, add, and remove headers directly from Istio using a VirtualService object.

Example

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews-route
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  http:
  - headers:
      request:
        set:
          test: "true"
    route:
    - destination:
        host: reviews.prod.svc.cluster.local
        subset: v2
      weight: 25
    - destination:
        host: reviews.prod.svc.cluster.local
        subset: v1
      headers:
        response:   # this is from the response, but you can put it in the request as well.
          remove:
          - foo
      weight: 75

Headers parameters


0
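votes

I am using Istio 1.9.0. To remove the response header, you have to apply the Envoy filter configuration to the Kubernetes cluster and then add it to the virtual service, otherwise it will not work.

Besides remove, we can also use set and add to modify and add headers.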

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  namespace: istio-system
  name: remove-server-header
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
      patch:
        operation: MERGE
        value:
          typed_config:
            '@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
            server_header_transformation: PASS_THROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: x-api-vs
spec:
  hosts:
  - {{ .Values.domain }}
  - {{ .Values.serviceName }}
  gateways:
  - istio-system/istio-ingressgateway
  http:
    - match:
        - port: 80
      route:
      - destination:
            host: {{ .Values.serviceName }}
            subset: x-v1-app  
            port:
               number: {{ .Values.service.servicePort }}
      headers:
        response: 
          remove:
          - Server
---
kind: DestinationRule
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: x-api-dr-rules
spec:
  host: {{ .Values.serviceName }}
  subsets:
    - labels:
        version: v1
      name: x-v1-app

Istio documentation: https://istio.io/latest/docs/reference/config/networking/virtual-service/#Headers-HeaderOperations


0
votes

Istio can now use a ProxyConfig annotation on workloads to disable server header injection.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: whereami
  namespace: app-1
  labels:
    app: whereami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whereami
  template:
    metadata:
      labels:
        app: whereami
      annotations:
        # Change or disable server response header https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig-ProxyHeaders
        proxy.istio.io/config: |
          proxyHeaders:
            server:
              disabled: true      # Prevent local sidecar proxy from setting server: envoy. Note: other mesh services may still include server: istio-envoy if not configured to disable server header
              value: "my-custom-server"   # when server header enabled, this will override local sidecar value for all responses (in mesh or outside clients as well)
    spec:
      containers:
...rest omitted...

You can also configure a mesh-wide default using meshConfig:

kubectl get cm -n istio-system
kubectl edit cm -n istio-system istio-asm-managed

# It should look something like this to disable the server header
# but also requires restarting existing services using something like 
kubectl rollout restart deploy/whereami -n app-1

apiVersion: v1
data:
  mesh: |2-
    # Not all values supported by ASM or CSM https://cloud.google.com/service-mesh/docs/supported-features-managed#meshconfig
    # This section can be updated with user configuration settings from https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/
    # Some options required for ASM to not be modified will be ignored
    defaultConfig:
      proxyHeaders:
        server:
          disabled: true
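
After a rollout restart, the result can be verified by inspecting the response head each service returns (for example as captured with `curl -sI`). The audit below is an added example, not part of the answer above; the function names, the category labels and the response heads in `SAMPLES` are constructed for illustration.

```python
# Server values this page shows the proxy emitting.
PROXY_BANNERS = {"envoy", "istio-envoy"}

def server_headers(raw_head):
    """Return every Server header value found in a raw HTTP response head."""
    values = []
    for line in raw_head.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                                 # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":   # header names are case-insensitive
            values.append(value.strip())
    return values

def classify(raw_head):
    """'absent', 'proxy-banner' (envoy / istio-envoy) or 'other-banner'."""
    values = server_headers(raw_head)
    if not values:
        return "absent"
    if any(v.lower() in PROXY_BANNERS for v in values):
        return "proxy-banner"
    return "other-banner"                         # custom value or the application's own

def audit(samples):
    """Map each service name to the classification of its response head."""
    return {service: classify(head) for service, head in samples.items()}

# Constructed response heads: one clean, one still showing the proxy banner,
# one carrying a custom value such as the ProxyConfig `value` setting above.
SAMPLES = {
    "whereami": "HTTP/1.1 200 OK\r\ncontent-type: application/json\r\n\r\n",
    "reviews": "HTTP/1.1 200 OK\r\nServer: istio-envoy\r\n"
               "x-envoy-upstream-service-time: 3\r\n\r\n",
    "legacy": "HTTP/2 200\r\nserver: my-custom-server\r\n\r\n",
}

if __name__ == "__main__":
    for service, result in audit(SAMPLES).items():
        print(f"{service}: {result}")
```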