For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.

Strip port from Host header

When a downstream client includes a port number in the Host or authority header, such as www.example.com:9999, the port is forwarded to the upstream backend by default. Some upstream services do not accept ports in the Host header and might reject or mishandle such requests. Use the stripHostPortMode field in a ListenerPolicy to configure your gateway proxy to strip the port from the Host header before forwarding the request.

Note that the stripHostPortMode field only affects requests where the client explicitly sends a port in the Host header. If the client does not include a port, the header is forwarded unchanged regardless of this setting.

Supported modes

You can configure the following port stripping behaviors.

Before you begin

1. Follow the Get started guide to install kgateway.

2. Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.

3. Get the external address of the gateway and save it in an environment variable.

   Cloud Provider LoadBalancerPort-forward for local testing

   export INGRESS_GW_ADDRESS=$(kubectl get svc -n kgateway-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
   echo $INGRESS_GW_ADDRESS  

   kubectl port-forward deployment/http -n kgateway-system 8080:8080

Strip any port

Use the AnyPort setting to strip any port from the Host header, regardless of its value. For example, a Host header of www.example.com:443 becomes www.example.com.

1. Send a request to the httpbin app and include a port number in the Host header. Verify that you see the port included in the Host header of your response.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -v http://$INGRESS_GW_ADDRESS:8080/headers -H "host: www.example.com:9999"

   curl -v localhost:8080/headers -H "host: www.example.com:9999"

   Example output:

   {
     "headers": {
       "Accept": [
         "*/*"
       ],
       "Host": [
         "www.example.com:9999"
       ],
       "User-Agent": [
         "curl/8.7.1"
       ],
       "X-Envoy-Expected-Rq-Timeout-Ms": [
         "15000"
       ],
       "X-Envoy-External-Address": [
         "127.0.0.1"
       ],
       "X-Forwarded-For": [
         "10.244.0.7"
       ],
       "X-Forwarded-Proto": [
         "http"
       ],
       "X-Request-Id": [
         "03f7152b-0546-4080-b7cb-43a4c64b0d2a"
       ]
     }
   }
   

2. Create a ListenerPolicy with the stripHostPortMode: AnyPort setting.

   kubectl apply -f- <<EOF
   apiVersion: gateway.kgateway.dev/v1alpha1
   kind: ListenerPolicy
   metadata:
     name: strip-host-port
     namespace: kgateway-system
   spec:
     targetRefs:
     - group: gateway.networking.k8s.io
       kind: Gateway
       name: http
     default:
       httpSettings:
         stripHostPortMode: AnyPort
   EOF

   Review the following table to understand this configuration. For more information about the available fields, see the API reference.

   Setting	Description
   spec.targetRefs	The Gateway this policy applies to.
   spec.default.httpSettings.stripHostPortMode	How Envoy strips the port from the Host/authority header. In this example, the AnyPort setting is used that removes any port that the client sends as part of the request.

3. Send another request to the httpbin app. Verify that this time, port 9999 is not returned in the Host header.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -v http://$INGRESS_GW_ADDRESS:8080/headers -H "host: www.example.com:9999"

   curl -v localhost:8080/headers -H "host: www.example.com:9999"

   Example output:

   {
     "headers": {
       "Accept": [
         "*/*"
       ],
       "Host": [
         "www.example.com"
       ],
       "User-Agent": [
         "curl/8.7.1"
       ],
       "X-Envoy-Expected-Rq-Timeout-Ms": [
         "15000"
       ],
       "X-Envoy-External-Address": [
         "127.0.0.1"
       ],
       "X-Forwarded-For": [
         "10.244.0.7"
       ],
       "X-Forwarded-Proto": [
         "http"
       ],
       "X-Request-Id": [
         "03f7152b-0546-4080-b7cb-43a4c64b0d2a"
       ]
     }
   }
   

Strip listener ports only

Use the MatchingPort setting to strip the port only when it matches the listener’s own port. Ports that do not match the listener port are preserved in the header and forwarded to the upstream backend.

1. Review the port settings on your Gateway. The Gateway in this example has a listener on port 8080.

   kubectl get gateway http -n kgateway-system -o yaml

   Example output:

   apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
   metadata:
     generation: 1
     name: http
     namespace: kgateway-system
     resourceVersion: "768"
     uid: 6dba42be-3e96-4616-a56a-267f0f01a207
   spec:
    gatewayClassName: kgateway
     listeners:
     - allowedRoutes:
         namespaces:
           from: All
       name: http
       port: 8080
       protocol: HTTP
   ...
   

2. Create or update the ListenerPolicy to enable port stripping when a client sends a port in the Host header that matches the listener’s port.

   kubectl apply -f- <<EOF
   apiVersion: gateway.kgateway.dev/v1alpha1
   kind: ListenerPolicy
   metadata:
     name: strip-host-port
     namespace: kgateway-system
   spec:
     targetRefs:
     - group: gateway.networking.k8s.io
       kind: Gateway
       name: http
     default:
       httpSettings:
         stripHostPortMode: MatchingPort
   EOF

   Review the following table to understand this configuration. For more information about the available fields, see the API reference.

   Setting	Description
   spec.targetRefs	The Gateway this policy applies to.
   spec.default.httpSettings.stripHostPortMode	How Envoy strips the port from the Host/authority header. In this example, the MatchingPort setting is used that removes a port only if it matches the listener’s own port.

3. Send a request to the httpbin app and include the listener port in the Host header. Verify that the port is removed from the Host header.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -v http://$INGRESS_GW_ADDRESS:8080/headers -H "host: www.example.com:8080"

   curl -v localhost:8080/headers -H "host: www.example.com:8080"

   Example output:

   {
     "headers": {
       "Accept": [
         "*/*"
       ],
       "Host": [
        "www.example.com"
       ],
       "User-Agent": [
         "curl/8.7.1"
       ],
   ...
   

4. Send another request to the httpbin app. This time, you include a port in the Host header that does not match the listener port, such as 9999. Verify that the port is not removed from the Host header.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -v http://$INGRESS_GW_ADDRESS:8080/headers -H "host: www.example.com:9999"

   curl -v localhost:8080/headers -H "host: www.example.com:9999"

   Example output:

   {
     "headers": {
       "Accept": [
         "*/*"
       ],
       "Host": [
         "www.example.com:9999"
       ],
       "User-Agent": [
         "curl/8.7.1"
       ],
   ...
   

Cleanup

kubectl delete listenerpolicy strip-host-port -n kgateway-system