See the issue.

Zuul appends the incoming header's values to its own, so in the response we see the joined values. Add an option to specify which headers should be ignored.

example:

curl -H 'X-Forwarded-Port:A' -H 'X-Forwarded-Host:B' -H 'X-Forwarded-Proto:C' http://127.0.0.1:8080/echo-server

current response:

Request Headers:
    accept=*/*
    accept-encoding=gzip
    connection=Keep-Alive
    host=localhost:9080
    user-agent=curl/7.52.1
    x-forwarded-for=127.0.0.1
    x-forwarded-host=B,127.0.0.1:8080
    x-forwarded-port=A,8080
    x-forwarded-prefix=/echo-server
    x-forwarded-proto=C,http

expected response:

Request Headers:
    accept=*/*
    accept-encoding=gzip
    connection=Keep-Alive
    host=localhost:9080
    user-agent=curl/7.52.1
    x-forwarded-for=127.0.0.1
    x-forwarded-host=127.0.0.1:8080
    x-forwarded-port=8080
    x-forwarded-prefix=/echo-server
    x-forwarded-proto=http

Note that A, B, C were removed from X-Forwarded-Port, X-Forwarded-Host, X-Forwarded-Proto.

Comment From: ryanjbaxter

I'm going to close this for now. We can reopen if we think it is necessary.

Comment From: chrisupb

I would really appreciate a configuration property to exclude HTTP headers only from requests.

Example: If you use ZUUL to forward a request to a Spring Boot application using Spring HATEOAS, an attacker could simply add X-Forwarded-** headers to manipulate the hyperlink generation in the Spring Boot application. https://docs.spring.io/spring-hateoas/docs/1.1.0.RELEASE/reference/html/#server.link-builder.forwarded-headers

This is why ZUUL SHOULD replace the x-forwarded-** headers in PreDecorationFilter.addProxyHeaders() instead of appending them.
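The workaround a practitioner can apply today, given the appending behaviour shown in the issue and the link-generation concern raised in the last comment, is a Zuul "pre" filter that discards client-supplied X-Forwarded-* headers before PreDecorationFilter runs, so addProxyHeaders() has nothing to append to and emits only the values Zuul derives from the real connection (the "expected response" above). This is an added example, not code from the issue or from Spring Cloud Netflix; the class name, the package, the filter order offset and the choice to match every header starting with x-forwarded- are assumptions for illustration.

```java
// Added example (not part of the issue or of Spring Cloud Zuul): strip
// client-sent X-Forwarded-* headers before PreDecorationFilter.addProxyHeaders()
// reads them. Package, class name and order offset are assumed for illustration.
package example.zuul;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import org.springframework.stereotype.Component;

@Component
public class StripClientForwardedHeadersFilter extends ZuulFilter {

    // Case-insensitive prefix: covers X-Forwarded-Host, -Port, -Proto, -For, -Prefix.
    private static final String FORWARDED_PREFIX = "x-forwarded-";

    @Override
    public String filterType() {
        return FilterConstants.PRE_TYPE;
    }

    @Override
    public int filterOrder() {
        // PreDecorationFilter runs at PRE_DECORATION_FILTER_ORDER (5); one step
        // earlier is late enough for Zuul's own servlet wrapper filters to have run.
        return FilterConstants.PRE_DECORATION_FILTER_ORDER - 1;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        // Every later filter, including PreDecorationFilter, reads ctx.getRequest(),
        // so replacing it with a wrapper hides the headers without mutating the
        // container's request object.
        ctx.setRequest(new ForwardedHeaderStrippingRequest(ctx.getRequest()));
        return null;
    }

    static boolean isForwardedHeader(String name) {
        return name != null && name.toLowerCase(Locale.ROOT).startsWith(FORWARDED_PREFIX);
    }

    // Wrapper that answers "absent" for any X-Forwarded-* header. All three header
    // accessors are overridden because hasHeader() in PreDecorationFilter uses
    // getHeader(), while the proxy header copier iterates getHeaderNames()/getHeaders().
    static final class ForwardedHeaderStrippingRequest extends HttpServletRequestWrapper {

        ForwardedHeaderStrippingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getHeader(String name) {
            return isForwardedHeader(name) ? null : super.getHeader(name);
        }

        @Override
        public Enumeration<String> getHeaders(String name) {
            return isForwardedHeader(name)
                    ? Collections.emptyEnumeration()
                    : super.getHeaders(name);
        }

        @Override
        public Enumeration<String> getHeaderNames() {
            List<String> names = new ArrayList<>();
            Enumeration<String> original = super.getHeaderNames();
            while (original != null && original.hasMoreElements()) {
                String name = original.nextElement();
                if (!isForwardedHeader(name)) {
                    names.add(name);
                }
            }
            return Collections.enumeration(names);
        }
    }
}
```

With this filter in place, the curl request from the issue yields x-forwarded-host=127.0.0.1:8080, x-forwarded-port=8080 and x-forwarded-proto=http at the backend, because addProxyHeaders() no longer finds a client value to prepend. One caveat: if a trusted load balancer or TLS terminator sits in front of Zuul and legitimately sets X-Forwarded-Proto or X-Forwarded-Host, stripping unconditionally discards the real scheme and host; in that deployment, restrict shouldFilter() to requests that did not arrive from the trusted hop (for example by checking the remote address) rather than dropping the headers for everyone.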