Allow removal of the `x-envoy-ratelimited` header

[edheliel]

Description:

Use Case: I want to disable x-envoy-ratelimited header which is being set when a request is rate limited, as I do not need it and it doesn't really bring additional information about the ratelimit (correct me if that header is needed for something else).

Problem:

1. I tried the approach of removing the header using a HTTPRoute filter but the header doesn't get removed, which I am not entirely sure why, as the documentation mentions, that in the default filter chain the header modification filter is executed after the ratelimit one (which supposedly sets the header). My other assumption is that the filter set in the HTTPRoute can't re-write the header, as this is not a response from a service that is being intercepted, but that response is generate by a call to the ratelimit service, which potentially bypasses the response modification filters?

2. I found that the fiter.ratelimit does have an option to disable setting the header (linked the PR below), but that option is not exposed & it seems the only way to enable it is to use EnvoyPatchPolicy which is not something my organisation wants to use due to it's instability

3. There is the possibility to disable all x-envoy-* headers, but I don't want to disable all of the headers just this one.

4. The ratelimit service does have the option to add custom headers, but the x-envoy-ratelimited seems to not be set in it.

Solution:

• Add a configuration option that would allow disabling the x-envoy-ratelimited filter without using EnvoyPatchPolicy

[optional Relevant Links:]

PR that added disabling the header in the filter

[arkodg]

should be possible with ClientTrafficPolicy https://gateway.envoyproxy.io/docs/api/extension_types/#headersettings

[edheliel]

@arkodg ClientTrafficPolicy allows for disabling all x-envoy-* headers, which is not what I want to do (as I pointed out in 3. in my original message).

The functionality I am asking for is to be able to disable just the x-envoy-ratelimited header which is not an option in ClientTrafficPolicy at least to my understanding of the documentation.

[arkodg]

there's an option in CTP to disable RL headers - disableRateLimitHeaders

[edheliel]

1. I have no permissions to open this issue (I am mentioning that as you asked me to reopen this issue on setting enableEnvoyHeaders to false doesn't remove x-envoy-ratelimited header #7064)
2. @zirain has already mentioned disableRateLimitHeaders and I explained in the other issue why this is not the behaviour I want and it follows what I have already mentioned here, that I want to remove only x-envoy-ratelimited not all ratelimit headers, as some of them are actually needed and part of the standard.

The documentation for disableRateLimitHeaders states:

DisableRateLimitHeaders configures Envoy Proxy to omit the “X-RateLimit-” response headers
when rate limiting is enabled.

This implies that it would disable all ratelimit headers.

So the questions is do you want to support adding a feature to disable the x-envoy-ratelimited header specifically , so the other ratelimiting related headers can be kept?

[arkodg]

apologies from not reading the issue throughly @edheliel

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-field-extensions-filters-http-ratelimit-v3-ratelimit-disable-x-envoy-ratelimited-header

so it looks like for the default case x-envoy-ratelimited is being set, when it shouldnt, which imo is a bug

regarding only setting x-envoy-ratelimited instead of all the others x-envoy-*, would like to better understand this use case, and see if others in the community are need this

[edheliel]

Thank you @arkodg ! Just to make sure we are on the same page, the behaviour that my organisation needs is to be able to disable the x-envoy-ratelimited header, without affecting any other headers.

Right now using the default configuration where enableEnvoyHeaders is set to false. We get the following response headers (once the ratelimit is reached i.e 429 response)

x-envoy-ratelimited
x-ratelimit-limit
x-ratelimit-remaining
x-ratelimit-reset

what we want to achieve is to instead receive only the following headers:

x-ratelimit-limit
x-ratelimit-remaining
x-ratelimit-reset

Based on our previous discussion, it seems that there might also be a semantic issue as to where does the x-envoy-ratelimited header belongs, i.e is it in ratelimit headers or in x-envoy as it technically fits in both, but I would say that is rather an implementation decision that could be taken.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-field-extensions-filters-http-ratelimit-v3-ratelimit-disable-x-envoy-ratelimited-header

Would it be potentially an option to expose this flag/option in the CRD?

Anyway, thank you for looking into that & let's see what other people from the community have to say.