How does Istio Gateway handle headers when terminating TLS?

Question

Is there any documentation on what headers (specifically XFCC) the Istio Gateway might set when doing TLS termination with mutual TLS? Or does it not touch the headers?

Specifically referring to this section:

https://istio.io/docs/tasks/traffic-management/secure-ingress/#configure-a-mutual-tls-ingress-gateway

The following issue might be related to what I want, though it seems to be dealing more with east-west traffic and i'm more concerned with north-south:

https://github.com/istio/old_issues_repo/issues/165

Thanks!

Nick Rak Nick Rak · Accepted Answer · 2018-10-12T09:45:42

I think Istio uses envoy to implement proxies so probably this is the proper documentation to look for headers, especially for XFCC: https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers#x-forwarded-client-cert

For the modification of headers, I've found the following issue, which I guess is not solved yet.

How does Istio Gateway handle headers when terminating TLS?

1 Answers