.. _envoy_v3_api_file_envoy/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto:

Custom header original IP detection extension (proto)
=====================================================




.. _envoy_v3_api_msg_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig:

extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig
-------------------------------------------------------------------------

:repo:`[extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig proto] <api/envoy/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto#L26>`

This extension allows for the original downstream remote IP to be detected
by reading the value from a configured header name. If the value is successfully parsed
as an IP, it'll be treated as the effective downstream remote address and seen as such
by all filters. See :ref:`original_ip_detection_extensions
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`
for an overview of how extensions operate and what happens when an extension fails
to detect the remote IP.



.. _extension_envoy.http.original_ip_detection.custom_header:

This extension has the qualified name ``envoy.http.original_ip_detection.custom_header``

.. note::
  

  This extension is intended to be robust against untrusted downstream traffic. It
  assumes that the upstream is trusted.

.. tip::
  This extension extends and can be used with the following extension category:


  - :ref:`envoy.http.original_ip_detection <extension_category_envoy.http.original_ip_detection>`



  This extension must be configured with one of the following type URLs:



  - :ref:`type.googleapis.com/envoy.extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig <envoy_v3_api_msg_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig>`



.. code-block:: json
  :force:

  {
    "header_name": ...,
    "allow_extension_to_set_address_as_trusted": ...,
    "reject_with_status": {...}
  }

.. _envoy_v3_api_field_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig.header_name:

header_name
  (`string <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_, *REQUIRED*) The header name containing the original downstream remote address, if present.
  
  Note: in the case of a multi-valued header, only the first value is tried and the rest are ignored.
  
  
.. _envoy_v3_api_field_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig.allow_extension_to_set_address_as_trusted:

allow_extension_to_set_address_as_trusted
  (`bool <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_) If set to true, the extension could decide that the detected address should be treated as
  trusted by the HCM. If the address is considered :ref:`trusted<config_http_conn_man_headers_x-forwarded-for_trusted_client_address>`,
  it might be used as input to determine if the request is internal (among other things).
  
  
.. _envoy_v3_api_field_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig.reject_with_status:

reject_with_status
  (:ref:`type.v3.HttpStatus <envoy_v3_api_msg_type.v3.HttpStatus>`) If this is set, the request will be rejected when detection fails using it as the HTTP response status.
  
  .. note::
    If this is set to < 400 or > 511, the default status 403 will be used instead.