Open shulin-sq opened 1 week ago
@nbaws
Thank you for your bug report! This issue will be addressed via https://github.com/envoyproxy/envoy/pull/35082, which explicitly replaces (rather than appends) existing headers, and explicitly removes those headers which are going to be used in the signing process. Documentation for this extension has also been updated to describe the behaviour of header modification/removal.
This PR has been merged, so you are free to test against the latest dev build. Please let me know if you see any issues.
Title: AWS Sigv4 signer does not clear previously set headers
Description:
It seems that the AWS Sigv4 signer does not set previously set headers that are used for sigv4 signing (e.g. authorization, X-Amz-Security-Token, etc.)
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/aws_request_signing_filter
I'm unsure what the ideal behavior here is. It seems like either the filter should clear the headers that it needs for sigv4 header, or guidance should be given in the docs on how people can optionally set this behavior.
The issue is that setting any of the sigv4 headers from the client side will invalidate the sigv4 signature. In addition, retries do not work well when the signer is used as an upstream filter.
Repro steps: This is particularly bad when used with retries + sigv4 signer as an upstream filter.
You can also do a simpler repro by just sending the authorization header separately. You'll see in this example that my "test" string is now part of the authorization header.
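Added example, not part of the original issue and not Envoy's code: a simplified Python model of append-versus-replace header handling in a signer, covering both the client-supplied `authorization: test` case and the retry case described above. The HMAC over three headers is a stand-in for real SigV4, and the key, host, date, token and verifier rules are constructed assumptions.

```python
import hashlib
import hmac

# Headers the signer writes. Names are real SigV4 headers; all values are constructed.
SIGNING_HEADERS = ("authorization", "x-amz-date", "x-amz-security-token")
SIGNED = ("host", "x-amz-date", "x-amz-security-token")
KEY = b"constructed-demo-key"  # stand-in for the derived SigV4 signing key
SCHEME = "AWS4-HMAC-SHA256"

def get(headers, name):
    """Read a header back; repeated entries are joined with ',' (assumed multimap)."""
    return ",".join(v for n, v in headers if n == name)

def signature(headers):
    """Toy signature over the signed headers as they currently read."""
    canonical = "\n".join(f"{n}:{get(headers, n)}" for n in SIGNED)
    return hmac.new(KEY, canonical.encode(), hashlib.sha256).hexdigest()

def sign(headers, clear_first):
    """clear_first=False appends to whatever is present (behaviour in the report);
    clear_first=True removes the signing headers first, then sets them."""
    if clear_first:
        headers = [(n, v) for n, v in headers if n not in SIGNING_HEADERS]
    else:
        headers = list(headers)
    headers += [("x-amz-date", "20240101T000000Z"),
                ("x-amz-security-token", "demo-token")]
    headers.append(("authorization", f"{SCHEME} Signature={signature(headers)}"))
    return headers

def accepted(headers):
    """Toy verifier: one credential in Authorization and a matching signature."""
    auth = get(headers, "authorization")
    if not auth.startswith(SCHEME + " ") or auth.count("Signature=") != 1:
        return False
    return hmac.compare_digest(auth.split("Signature=")[1], signature(headers))

client = [("host", "example.invalid"), ("authorization", "test")]  # constructed
clean = [("host", "example.invalid")]                              # constructed

if __name__ == "__main__":
    print(get(sign(client, False), "authorization"))  # value begins with "test,"
    print(accepted(sign(client, False)), accepted(sign(client, True)))
    # Retry: the already-signed request passes through the signer a second time.
    print(accepted(sign(sign(clean, False), False)),
          accepted(sign(sign(clean, True), True)))
```
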