Transport.Proxy and Proxy-Authorization header

We have a tyk-gateway 3.2.2

We would like to use Proxy-Authorization, through which we have one of the api_definition configured.

But apparently the Proxy-Authorization header cuts out before sending the request to the proxy server.

"transport": {
            "proxy_url": "http://proxy-url:9999",
                "ssl_ciphers": [],
                "ssl_force_common_name_check": false,
                "ssl_insecure_skip_verify": true,
                "ssl_max_version": 0,
                "ssl_min_version": 0

Is this the correct behaviour of the gateway ?
How can I solve this problem ?

Thanks !

Hello @ignashkins,

Thank you for posting this.

Proxy-Authorization is a hop-by-hop header so it gets dropped as you’ve observed.
Refs: 1, 2

Using a global header might be useful though? You can set the Proxy-Authorization within the API definition.

"version_data": {
      "versions": {
        "Default": {
          "name": "Default",
          "global_headers": {
            "Proxy-Authorization": "hard-written-token"

Or better yet, get it from the request context and (re)add it to the request.

You’ll need to enable context variables in the API definition

"enable_context_vars": true,

"version_data": {
      "versions": {
        "Default": {
          "name": "Default",
          "global_headers": {
            "Proxy-Authorization": "$tyk_context.headers_Proxy_Authorization"

Let us know how it goes?


Unfortunately the header still cuts out and does not reach the proxy server.
We have tried both options. I understand that the header is cut after.

One more try with a Custom Post Middleware plugin. According to the Request Middleware chain, this runs just before the Proxy.

Here’s a sample implementation with Python.

def PostMiddlewareFunction(request, session, spec):
    tyk.log("Python plugin: Post hook called", "info")
    request.add_header("Python-Plugin-Post-Hook", "Post Hook")
    proxy_auth = request.get_header("Proxy-Authorization")
    request.add_header("Proxy-Authorization", proxy_auth)
    return request, session

And the corresponding manifest.json

    "file_list": [
    "custom_middleware": {
        "post": [
                "name": "PostMiddlewareFunction"
        "driver": "python"

I’m doubtful though.


Post middleware is called before reverse_proxy middleware. So unfortunately this didn’t solve our problem either.

I understand that our situation is an exception to the rule. It looks like we will have to change the source code.

The idea is that with api_definition.transport.proxy_url tyk should understand that there is another proxy server behind it. And based on that be able to pass hop-by-hop headers. But this contradicts security -)

In short, a silly situation.

Thank you for your time!