Transport.Proxy and Proxy-Authorization header

Support Installation and Deployment
1

We have a tyk-gateway 3.2.2

We would like to use Proxy-Authorization, through which we have one of the api_definition configured.

But apparently the Proxy-Authorization header cuts out before sending the request to the proxy server.

"transport": {
            "proxy_url": "http://proxy-url:9999",
                "ssl_ciphers": [],
                "ssl_force_common_name_check": false,
                "ssl_insecure_skip_verify": true,
                "ssl_max_version": 0,
                "ssl_min_version": 0
            }

Is this the correct behaviour of the gateway ?
How can I solve this problem ?

Thanks !

2

Hello @ignashkins,

Thank you for posting this.

Proxy-Authorization is a hop-by-hop header so it gets dropped as you’ve observed.
Refs: 1, 2

Using a global header might be useful though? You can set the Proxy-Authorization within the API definition.

Screenshot 2022-07-27 at 14.18.42
Screenshot 2022-07-27 at 14.18.421920×869 53.1 KB 

"version_data": {
      "versions": {
        "Default": {
          "name": "Default",
          "global_headers": {
            "Proxy-Authorization": "hard-written-token"
          },

Or better yet, get it from the request context and (re)add it to the request.

You’ll need to enable context variables in the API definition

Screenshot 2022-07-27 at 14.39.02
Screenshot 2022-07-27 at 14.39.022178×612 94.6 KB 

"enable_context_vars": true,


"version_data": {
      "versions": {
        "Default": {
          "name": "Default",
          "global_headers": {
            "Proxy-Authorization": "$tyk_context.headers_Proxy_Authorization"
          },

Let us know how it goes?

3

Hello!

Unfortunately the header still cuts out and does not reach the proxy server.
We have tried both options. I understand that the header is cut after.

4

One more try with a Custom Post Middleware plugin. According to the Request Middleware chain, this runs just before the Proxy.

Here’s a sample implementation with Python.

@Hook
def PostMiddlewareFunction(request, session, spec):
    tyk.log("Python plugin: Post hook called", "info")
    request.add_header("Python-Plugin-Post-Hook", "Post Hook")
    
    proxy_auth = request.get_header("Proxy-Authorization")
    request.add_header("Proxy-Authorization", proxy_auth)
    
    return request, session

And the corresponding manifest.json

{
    "file_list": [
        "middleware.py"
    ],
    "custom_middleware": {
        "post": [
            {
                "name": "PostMiddlewareFunction"
            }
        ],
        "driver": "python"
    }
}

I’m doubtful though.

5

@Ubong

Post middleware is called before reverse_proxy middleware. So unfortunately this didn’t solve our problem either.

I understand that our situation is an exception to the rule. It looks like we will have to change the source code.

The idea is that with api_definition.transport.proxy_url tyk should understand that there is another proxy server behind it. And based on that be able to pass hop-by-hop headers. But this contradicts security -)

In short, a silly situation.

Thank you for your time!

https://tyk.io/docs/concepts/middleware-execution-order/