Custom header original IP detection extension


[extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig proto]

This extension allows for the original downstream remote IP to be detected by reading the value from a configured header name. If the value is successfully parsed as an IP, it’ll be treated as the effective downstream remote address and seen as such by all filters. See original_ip_detection_extensions for an overview of how extensions operate and what happens when an extension fails to detect the remote IP.

This extension may be referenced by the qualified name envoy.http.original_ip_detection.custom_header


This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.


This extension extends and can be used with the following extension category:

{
  "header_name": "...",
  "allow_extension_to_set_address_as_trusted": "...",
  "reject_with_status": "{...}"
}

header_name
(string, REQUIRED) The header name containing the original downstream remote address, if present.

Note: in the case of a multi-valued header, only the first value is tried and the rest are ignored.


allow_extension_to_set_address_as_trusted
(bool) If set to true, the extension could decide that the detected address should be treated as trusted by the HCM. If the address is considered trusted, it might be used as input to determine if the request is internal (among other things).


reject_with_status
(type.v3.HttpStatus) If this is set, the request will be rejected when detection fails, using this value as the HTTP response status.


If this is set to < 400 or > 511, the default status 403 will be used instead.
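
The fragment below shows the three fields wired into an HttpConnectionManager. It is an added example, not taken from the Envoy documentation; the header name x-real-client-ip and the stat_prefix value are placeholders, and the rest of the listener (route config, HTTP filters) is omitted.

```yaml
# Added example: network filter entry for a listener's filter chain.
name: envoy.filters.network.http_connection_manager
typed_config:
  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
  stat_prefix: ingress_http            # placeholder value
  # Original IP detection extensions cannot be combined with
  # use_remote_address or xff_num_trusted_hops, so neither is set here.
  original_ip_detection_extensions:
  - name: envoy.http.original_ip_detection.custom_header
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig
      # Placeholder header name. Only the first value of a multi-valued
      # header is tried; the rest are ignored.
      header_name: x-real-client-ip
      # Keep false unless the HCM should be allowed to treat the detected
      # address as trusted, for example when deciding whether a request
      # is internal.
      allow_extension_to_set_address_as_trusted: false
      # Reject the request when the header is missing or does not parse
      # as an IP. A code below 400 or above 511 is replaced by the
      # default 403.
      reject_with_status:
        code: 403
```

If reject_with_status is left out, a failed detection is handled as described in original_ip_detection_extensions instead of rejecting the request.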