
Assert the presence of data in HTTP headers

The Inheaders filter sets HTTP request headers on all incoming traffic. The headers applied by this filter are listed below. Inheaders should only be configured on TLS-enabled Listeners to allow Impersonation. See the Impersonation docs for more information on how Inheaders and Impersonation work together.

How To Enable Inheaders on the Edge Proxy

In the your-org/greymatter-core repository, open gm/outputs/edge.cue and set _enable_inheaders to true within the #listener object, as shown below:

edge_config: [
  #listener & {
    listener_key:                defaults.edge.key
    _gm_observables_topic:       defaults.edge.key
    _is_ingress:                 true
    _enable_oidc_authentication: false
    _enable_rbac:                false
    _enable_fault_injection:     false
    _enable_ext_authz:           false
    _enable_inheaders:           true

Upon enabling the Inheaders filter, the following headers will be applied to requests passing through the Edge Proxy:

  • USER_DN - Certificate’s DN value (if a user_dn header exists in the incoming request, this filter will not alter the header value).
  • SSL_CLIENT_S_DN - Certificate’s DN value.
  • EXTERNAL_SYS_DN - Certificate’s DN value (only if the incoming request has the user_dn header set).
  • X-REAL-IP - The remote address of the incoming request.
  • X-FORWARDED-FOR - Certificate’s DN value.
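
The header rules above, modelled as an added example (not part of the original page and not Grey Matter code): apply_inheaders reproduces the listed behaviour, and classify_request is a hypothetical check an upstream service could run on the headers it receives. The function names, DNs and IP address are assumptions made for illustration.

```python
# Added example: models the header rules listed above; not Grey Matter code.
# DNs and the IP address are constructed sample values.
ALICE = "CN=alice,OU=Example,O=Example Org,C=US"
GATEWAY = "CN=gateway,OU=Example,O=Example Org,C=US"


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def apply_inheaders(incoming, cert_dn, remote_addr):
    """Return the headers the list above says the filter applies."""
    out = {"SSL_CLIENT_S_DN": cert_dn, "X-REAL-IP": remote_addr}
    out["X-FORWARDED-FOR"] = cert_dn  # value as stated in the list above
    supplied = _get(incoming, "user_dn")
    if supplied is None:
        out["USER_DN"] = cert_dn          # no user_dn sent: certificate DN
    else:
        out["USER_DN"] = supplied         # existing value is not altered
        out["EXTERNAL_SYS_DN"] = cert_dn  # set only when user_dn was sent
    return out


def classify_request(headers):
    """Hypothetical upstream check: are the identity headers consistent?

    It does not decide whether the certificate holder may impersonate.
    """
    cert_dn = _get(headers, "SSL_CLIENT_S_DN")
    user_dn = _get(headers, "USER_DN")
    ext_dn = _get(headers, "EXTERNAL_SYS_DN")
    if not cert_dn or not user_dn:
        return "reject: identity headers missing"
    if ext_dn is None:
        if user_dn == cert_dn:
            return "direct"
        return "reject: USER_DN differs from certificate DN"
    if ext_dn != cert_dn:
        return "reject: EXTERNAL_SYS_DN differs from certificate DN"
    return "impersonated"


if __name__ == "__main__":
    print(classify_request(apply_inheaders({}, ALICE, "203.0.113.7")))
    print(classify_request(apply_inheaders({"user_dn": ALICE}, GATEWAY, "203.0.113.7")))
```

A request whose USER_DN differs from SSL_CLIENT_S_DN with no EXTERNAL_SYS_DN present does not match either case in the list, so the check rejects it.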


When the configuration above is applied and Inheaders are enabled, the mesh will contain the following configuration:

"active_http_filters": [