1135 lines
44 KiB
Plaintext
Raw Normal View History

Docs/api-gw-jwts-openshift-1-17-x (#19035) * update main apigw overview * moved the tech specs to main gw folder * merged tech specs into single topic * restructure nav part 1 * fix typo in nav json file * moved k8s install up one level * restructure nav part 2 * moved and created all listeners and routes content * moved errors ref and upgrades * fix error in upgrade-k8s link * moved conf refs to appropriate spots * updated conf overview * fixed some links and bad formatting * fixed link * added JWT on VMs usage page * added JWT conf to APIGW conf entry * added JWTs to HTTP route conf entry * added new gatwaypolicy k8s conf reference * added metadesc for gatewaypolicy conf ref * added http route auth filter k8s conf ref * added http route auth filter k8s conf ref to nav * updates to k8s route conf ref to include extensionRef * added JWTs usage page for k8s * fixed link in gwpolicy conf ref * added openshift installation info to installation pages * fixed bad link on tech specs * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * fixed VerityClaims param * best guess at verifyclaims params * tweaks to gateway policy dconf ref * Docs/ce 475 retries timeouts for apigw (#19086) * added timeout and retry conf ref for k8s * added retry and TO filters to HTTP routes conf ref for VMs * Apply suggestions from code review Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * fix copy/paste error in http route conf entry --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * update links across site and add redirects * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Applied feedback from review * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update CRD configuration for responseHeaderModifiers * Update Config Entry for http-route * Add ResponseFilter example to service * Update website/redirects.js errant curly brace breaking the preview * fix links and bad MD * fixed md formatting issues * fix formatting errors * fix formatting errors * Update website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx * Apply suggestions from code review * fixed typo * Fix headers in http-route * Apply suggestions from code review Co-authored-by: John Maguire <john.maguire@hashicorp.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> Co-authored-by: John Maguire <john.maguire@hashicorp.com>
2023-10-10 13:29:55 -07:00
---
layout: docs
page_title: HTTP Route Configuration
description: Learn how to configure an HTTP Route bound to an API Gateway on VMs.
---
# HTTP route configuration reference
This topic provides reference information for the gateway routes configuration entry. Refer to [Route Resource Configuration](/consul/docs/connect/gateways/api-gateway/configuration/routes) for information about configuring API gateway routes in Kubernetes environments.
## Configuration model
The following list outlines field hierarchy, language-specific data types, and
requirements in an `http-route` configuration entry. Click on a property name
to view additional details, including default values.
- [`Kind`](#kind): string | must be `http-route`
- [`Name`](#name): string | no default
- [`Namespace`](#namespace): string | no default <EnterpriseAlert inline />
- [`Partition`](#partition): string | no default <EnterpriseAlert inline />
- [`Meta`](#meta): map | no default
- [`Hostnames`](#hostnames): list | no default
- [`Parents`](#parents): list | no default
- [`Kind`](#parents-kind): string | must be `api-gateway`
- [`Name`](#parents-name): string | no default
- [`Namespace`](#parents-namespace): string | no default <EnterpriseAlert inline />
- [`Partition`](#parents-partition): string | no default <EnterpriseAlert inline />
- [`SectionName`](#parents-sectionname): string | no default
- [`Rules`](#rules): list | no default
- [`Filters`](#rules-filters): map | no default
- [`Headers`](#rules-filters-headers): list | no default
- [`Add`](#rules-filters-headers-add): map | no default
- [`Remove`](#rules-filters-headers-remove): list | no default
- [`Set`](#rules-filters-headers-set): map | no default
- [`URLRewrite`](#rules-filters-urlrewrite): map | no default
- [`Path`](#rules-filters-urlrewrite-path): string | no default
- [`RetryFilter`](#rules-filters-retryfilter): map
- [`NumRetries`](#rules-filters-retryfilter-numretries): number | `1`
- [`RetryOnConnectionFailure`](#rules-filters-retryfilter-retryonconnectionfailure): boolean | `false`
- [`RetryOn`](#rules-filters-retryfilter-retryon): list of strings
- [`RetryOnStatusCodes`](#rules-filters-retryfilter-retryon): list of numbers
- [`TimeoutFilter`](#rules-filters-timeoutfilter): map
- [`IdleTimeout`](#rules-filters-timeoutfilter): number | `0`
- [`RequestTimeout`](#rules-filters-timeoutfilter): number | `0`
- [`JWT`](#rules-filters-jwt): map
- [`Providers`](#rules-filters-jwt-providers): list
- [`Name`](#rules-filters-jwt-providers): string
- [`VerifyClaims`](#rules-filters-jwt-providers): map
- [`Path`](#rules-filters-jwt-providers): list
- [`Value`](#rules-filters-jwt-providers): string
- [`ResponseFilters`](#rules-responsefilters)
- [`Headers`](#rules-responsefilters-headers): list | no default
- [`Add`](#rules-responsefilters-headers-add): map | no default
- [`Remove`](#rules-responsefilters-headers-remove): list | no default
- [`Set`](#rules-responsefilters-headers-set): map | no default
- [`Matches`](#rules-matches): list | no default
- [`Headers`](#rules-matches-headers): list | no default
- [`Match`](#rules-matches-headers-match): string | no default
- [`Name`](#rules-matches-headers-name): string | no default
- [`Value`](#rules-matches-headers-value): string | no default
- [`Method`](#rules-matches-method): string | no default
- [`Path`](#rules-matches-path): map | no default
- [`Match`](#rules-matches-path-match): string | no default
- [`Value`](#rules-matches-path-value): string | no default
- [`Query`](#rules-matches-query): list | no default
- [`Match`](#rules-matches-query-match): string | no default
- [`Name`](#rules-matches-query-name): string | no default
- [`Value`](#rules-matches-query-value): string | no default
- [`Services`](#rules-services): list | no default
- [`Name`](#rules-services-name): string | no default
- [`Namespace`](#rules-services-namespace): string <EnterpriseAlert inline />
- [`Partition`](#rules-services-partition): string <EnterpriseAlert inline />
- [`Weight`](#rules-services-weight): number | `1`
- [`Filters`](#rules-services-filters): map | no default
- [`Headers`](#rules-services-filters-headers): list | no default
- [`Add`](#rules-services-filters-headers-add): map | no default
- [`Remove`](#rules-services-filters-headers-remove): list | no default
- [`Set`](#rules-services-filters-headers-set): map | no default
- [`URLRewrite`](#rules-services-filters-urlrewrite): map | no default
- [`Path`](#rules-services-filters-urlrewrite-path): string | no default
- [`RetryFilter`](#rules-services-filters-retryfilter): map
- [`NumRetries`](#rules-services-filters-retryfilter-numretries): number | `1`
- [`RetryOnConnectionFailure`](#rules-services-filters-retryfilter-retryonconnectionfailure): boolean | `false`
- [`RetryOn`](#rules-services-filters-retryfilter-retryon): list of strings
- [`RetryOnStatusCodes`](#rules-services-filters-retryfilter-retryon): list of numbers
- [`TimeoutFilter`](#rules-services-filters-timeoutfilter): map
- [`IdleTimeout`](#rules-services-filters-timeoutfilter): number | `0`
- [`RequestTimeout`](#rules-services-filters-timeoutfilter): number | `0`
- [`JWT`](#rules-filters-jwt): map
- [`Providers`](#rules-filters-jwt-providers): list
- [`Name`](#rules-filters-jwt-providers): string
- [`VerifyClaims`](#rules-filters-jwt-providers): map
- [`Path`](#rules-filters-jwt-providers): list
- [`Value`](#rules-filters-jwt-providers): string
Docs/api-gw-jwts-openshift-1-17-x (#19035) * update main apigw overview * moved the tech specs to main gw folder * merged tech specs into single topic * restructure nav part 1 * fix typo in nav json file * moved k8s install up one level * restructure nav part 2 * moved and created all listeners and routes content * moved errors ref and upgrades * fix error in upgrade-k8s link * moved conf refs to appropriate spots * updated conf overview * fixed some links and bad formatting * fixed link * added JWT on VMs usage page * added JWT conf to APIGW conf entry * added JWTs to HTTP route conf entry * added new gatwaypolicy k8s conf reference * added metadesc for gatewaypolicy conf ref * added http route auth filter k8s conf ref * added http route auth filter k8s conf ref to nav * updates to k8s route conf ref to include extensionRef * added JWTs usage page for k8s * fixed link in gwpolicy conf ref * added openshift installation info to installation pages * fixed bad link on tech specs * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * fixed VerityClaims param * best guess at verifyclaims params * tweaks to gateway policy dconf ref * Docs/ce 475 retries timeouts for apigw (#19086) * added timeout and retry conf ref for k8s * added retry and TO filters to HTTP routes conf ref for VMs * Apply suggestions from code review Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * fix copy/paste error in http route conf entry --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * update links across site and add redirects * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Applied feedback from review * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update CRD configuration for responseHeaderModifiers * Update Config Entry for http-route * Add ResponseFilter example to service * Update website/redirects.js errant curly brace breaking the preview * fix links and bad MD * fixed md formatting issues * fix formatting errors * fix formatting errors * Update website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx * Apply suggestions from code review * fixed typo * Fix headers in http-route * Apply suggestions from code review Co-authored-by: John Maguire <john.maguire@hashicorp.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> Co-authored-by: John Maguire <john.maguire@hashicorp.com>
2023-10-10 13:29:55 -07:00
- [`ResponseFilters`](#rules-services-responsefilters)
- [`Headers`](#rules-services-responsefilters-headers): list | no default
- [`Add`](#rules-services-responsefilters-headers-add): map | no default
- [`Remove`](#rules-services-responsefilters-headers-remove): list | no default
- [`Set`](#rules-services-responsefilters-headers-set): map | no default
## Complete configuration
When every field is defined, an `http-route` configuration entry has the following form:
<CodeTabs>
```hcl
Kind = "http-route"
Name = "<name of the route>"
Namespace = "<enterprise: namespace of the service>"
Partition = "<enterprise: partition of the service>"
Meta = {
"<any key>" = "<any value>"
}
Hostnames = ["<hostnames for which this HTTPRoute should respond to requests>"]
Parents = [
{
Kind = "api-gateway"
Name = "<name of the api-gateway to bind to>"
Namespace = "<enterprise: namespace of the service>"
Partition = "<enterprise: partition of the service>"
SectionName = "<optional name of a specific listener on the api-gateway to bind to>"
}
]
Rules = [
{
Filters = {
Headers = [
{
Add = {
"<name of header to add>" = "<value of header to add>"
}
Remove = [
"<name of header to remove from request>"
]
Set = {
"<name of header to set>" = "<value of header to set>"
}
}
]
URLRewrite = {
Path = "<path to rewrite request to>"
}
JWT = {
Providers = [
Name = "<name of the provider>"
VerifyClaim = {
Path = ["<path to claim>"]
Value = "<value of claim>"
}
]
}
}
ResponseFilters = {
Headers = [
{
Add = {
"<name of header to add>" = "<value of header to add>"
}
Remove = [
"<name of header to remove from response>"
]
Set = {
"<name of header to set>" = "<value of header to set>"
}
}
]
}
Matches = [
{
Headers = [
{
Match = "<type of match: exact, prefix or regex>"
Name = "<name of header to match on>"
Value = "<value of header to match on>"
}
]
Method = "<method type to match on>"
Path = {
Match = "<type of match: exact, prefix or regex>"
Value = "<value to match on>"
}
Query = [
{
Match = "<type of match: exact, present or regex>"
Name = "<name of query parameter to match on>"
Value = "<value of query parameter to match on>"
}
]
}
]
Services = [
{
Name = "<name of Consul service to route to>"
Namespace = "<enterprise: namespace of the service>"
Partition = "<enterprise: partition of the service>"
Weight = "<number proportional to other weights>"
Filters = {
Headers = [
{
Add = {
"<name of header to add>" = "<value of header to add>"
}
Remove = [
"<name of header to remove from request>"
]
Set = {
"<name of header to set>" = "<value of header to set>"
}
}
]
URLRewrite = {
Path = "<path to rewrite request to>"
}
}
}
]
}
]
```
```json
{
"Kind": "http-route",
"Name": "<name of the route>",
"Namespace": "<enterprise: namespace of the route>",
"Partition": "<enterprise: partition of the route>",
"Meta": {
"<any key>": "<any value>"
},
"Hostnames": [
"<hostnames for which this HTTPRoute should respond to requests>"
],
"Parents": [
{
"Kind": "api-gateway",
"Name": "<name of the api-gateway to bind to>",
"Namespace": "<enterprise: namespace of the route>",
"Partition": "<enterprise: partition of the route>",
"SectionName": "<optional name of a specific listener on the api-gateway to bind to>"
}
],
"Rules": [
{
"Filters": [
{
"Headers": [
{
"Add": [
{
"<name of header to add>": "<value of header to add>"
}
],
"Remove": ["<header to remove from request>"],
"Set": [
{
"<name of header to set>": "<value of header to set>"
}
]
}
],
"URLRewrite": [
{
"Path": "<path to rewrite request to>"
}
],
"JWT": {
"Providers": [{
"Name": "okta",
"VerifyClaims": {
"Path": ["perms", "role"],
"Value": "user"
}
}]
}
}
],
"Matches": [
{
"Headers": [
{
"Match": "<type of match: exact, prefix or regex>",
"Name": "<name of header to match on>",
"Value": "<value of header to match on>"
}
],
"Method": "<method type to match on>",
"Path": [
{
"Match": "<type of match: exact, prefix or regex>",
"Value": "<value to match on>"
}
],
"Query": [
{
"Match": "<type of match: exact, present or regex>",
"Name": "<name of query parameter to match on>",
"Value": "<value of query parameter to match on>"
}
]
}
],
"Services": [
{
"Name": "<name of Consul service to route to>",
"Namespace": "<enterprise: namespace of the route>",
"Partition": "<enterprise: partition of the route>",
"Weight": "<number proportional to other weights>",
"Filters": [
{
"Headers": [
{
"Add": [
{
"<name of header to add": "<value of header to add>"
}
],
"Remove": ["<header to remove from request>"],
"Set": [
{
"<name of header to set": "<value of header to set>"
}
]
}
],
"URLRewrite": [
{
"Path": "<path to rewrite request to>"
}
]
}
],
"ResponseFilters": [
{
"Headers": [
{
"Add": [
{
"<name of header to add": "<value of header to add>"
}
],
"Remove": ["<header to remove from response>"],
"Set": [
{
"<name of header to set": "<value of header to set>"
}
]
}
]
}
]
}
]
}]
}
```
</CodeTabs>
## Specification
This section provides details about the fields you can configure in the `http-route` configuration entry.
### `Kind`
Specifies the type of configuration entry to implement. For HTTP routes, this must be `http-route`.
#### Values
- Default: none
- This field is required.
- Data type: string value that must be set to `"http-route"`.
### `Name`
Specifies a name for the configuration entry. The name is metadata that you can
use to reference the configuration entry when performing Consul operations,
such as applying a configuration entry to a specific cluster.
#### Values
- Default: Defaults to the name of the node after writing the entry to the Consul server.
- This field is required.
- Data type: string
### `Namespace` <EnterpriseAlert inline />
Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry.
#### Values
- Default: `"default"` in Enterprise
- Data type: string
### `Partition` <EnterpriseAlert inline />
Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry.
#### Values
- Default: `"default"` in Enterprise
- Data type: string
### `Meta`
Specifies an arbitrary set of key-value pairs to associate with the route.
#### Values
- Default: none
- Data type: map containing one or more keys and string values.
### `Parents[]`
Specifies the list of gateways that this route binds to.
#### Values
- Default: none
- Data type: List of map. Each member of the list contains the following fields:
- `Kind`
- `Name`
- `Namespace` <EnterpriseAlert inline />
- `Partition` <EnterpriseAlert inline />
- `SectionName`
### `Parents[].Kind`
Specifies the type of resource to bind to. This field is required and must be
set to `"api-gateway"`
#### Values
- Default: none
- This field is required.
- Data type: string value set to `"api-gateway"`
### `Parents[].Name`
Specifies the name of the api-gateway to bind to.
#### Values
- Default: none
- This field is required.
- Data type: string
### `Parents[].Namespace` <EnterpriseAlert inline />
Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry.
#### Values
- Default: `"default"` in Enterprise
- Data type: string
### `Parents[].Partition` <EnterpriseAlert inline />
Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry.
#### Values
- Default: `"default"` in Enterprise
- Data type: string
### `Parents[].SectionName`
Specifies the name of the listener to bind to on the `api-gateway`. If left
empty, this route binds to _all listeners_ on the parent gateway.
#### Values
- Default: ""
- Data type: string
### `Rules[]`
Specifies the list of HTTP-based routing rules that this route uses to construct a route table.
#### Values
- Default:
- Data type: List of maps. Each member of the list contains the following fields:
- `Filters`
- `Matches`
- `Services`
### `Rules[].Filters[]`
Specifies the list of HTTP-based filters used to modify a request prior to routing it to the upstream service.
#### Values
- Default: none
- Data type: Map that contains the following fields:
- `Headers`
- `UrlRewrite`
- `RetryFilter`
- `TimeoutFilter`
### `Rules[].Filters[].Headers[]`
Defines operations to perform on matching request headers when an incoming request matches the `Rules.Matches` configuration.
#### Values
This field contains the following configuration objects:
| Parameter | Description | Type |
| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `set` | Configure this field to rewrite the HTTP request header. It specifies the name of an HTTP header to overwrite and the new value to set. Any existing values associated with the header name are overwritten. You can specify the following configurations: <ul><li>`name`: Required string that specifies the name of the HTTP header to set.</li><li>`value`: Required string that specifies the value of the HTTP header to set.</li></ul> | List of maps |
| `add` | Configure this field to append the request header with a new value. It specifies the name of an HTTP header to append and the values to add. You can specify the following configurations: <ul><li>`name`: Required string that specifies the name of the HTTP header to append.</li><li>`value`: Required string that specifies the value of the HTTP header to add.</li></ul> | List of maps |
| `remove` | Configure this field to specify an array of header names to remove from the request header. | List of strings |
### `Rules[].Filters[].URLRewrite`
Specifies rule for rewriting the URL of incoming requests when an incoming request matches the `Rules.Matches` configuration.
#### Values
- Default: none
- This field is a map that contains a `Path` field.
### `Rules[].Filters[].URLRewrite.Path`
Specifies a path that determines how Consul API Gateway rewrites a URL path. Refer to [Reroute HTTP requests](/consul/docs/connect/gateways/api-gateway/define-routes/reroute-http-requests) for additional information.
#### Values
The following table describes the parameters for `path`:
| Parameter | Description | Type |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------ |
| `replacePrefixMatch` | Specifies a value that replaces the path prefix for incoming HTTP requests. The operation only affects the path prefix. The rest of the path is unchanged. | String |
| `type` | Specifies the type of replacement to use for the URL path. You can specify the following values: <ul><li>`ReplacePrefixMatch`: Replaces the matched prefix of the URL path (default). </li></ul> | String |
### `Rules[].Filters[].RetryFilter`
Specifies a block of settings Consul uses to retry a request if it fails.
#### Values
- Default: None
- Data type: Map containing the following parameters:
- `NumRetries`
- `RetryOnConnectFailure`
- `RetryOn`
- `RetryOnStatusCodes`
### `Rules[].Filters[].RetryFilter{}.NumRetries`
Specifies the number of times to retry the request when a retry condition occurs.
#### Values
- Default: `1`
- Data type: Integer
### `Rules[].Filters[].RetryFilter{}.RetryOnConnectFailure`
Enables Consul to retry the request if the connection fails. Define the one or more retry configurations to define the retry logic for the route.
#### Values
- Default: `false`
- Data type: Boolean
### `Rules[].Filters[].RetryFilter{}.RetryOn`
Specifies a list of conditions for Consul to retry requests based on the response from an upstream service. The following retry conditions are supported:
| Conditions | Description |
| :------------------- | :------------------------------------------------------------------------------------------------------- |
| `5xx` | Consul retries the request when an upstream responds with any 5xx error code or does not respond at all. |
| `gateway-error` | Consul retries the request when the upstream responds with a 502, 503, or 504 error. |
| `reset` | Consul retries the request when the upstream does not respond at all. |
| `connect-failure` | Consul retries the request when the connection to the upstream fails. |
| `envoy-ratelimited` | Consul retries the request when the header `x-envoy-ratelimited` is present. |
| `retriable-4xx` | Consul retries the request when the upstream responds with a retriable 4xx code. |
| `refused-stream` | Consul retries the request when the upstream resets the stream with a `REFUSED_STREAM` error code. |
| `cancelled` | Consul retries the request when the gRPC status code in the response headers is `cancelled`. |
| `deadline-exceeded` | Consul retries the request when the gRPC status code in the response headers is `deadline-exceeded`. |
| `internal` | Consul retries the request when the gRPC status code in the response headers is `internal`. |
| <nobr>`resource-exhausted`</nobr> | Consul retries the request when the gRPC status code in the response headers is `resource-exhausted`. |
| `unavailable` | Consul retries the request when the gRPC status code in the response headers is `unavailable`. |
#### Values
- Default: None
- Data type: List of strings. Strings must match one of the following values:
- `5xx`
- `gateway-error`
- `reset`
- `connect-failure`
- `envoy-ratelimited`
- `retriable-4xx`
- `refused-stream`
- `cancelled`
- `deadline-exceeded`
- `internal`
- `resource-exhausted`
- `unavailable`
### `Rules[].Filters[].RetryFilter{}.RetryOnStatusCodes`
Specifies a list of integers for [HTTP response status codes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status) that trigger a retry request.
#### Values
- Default: None
- Data type: List of integers
### `Rules[].Filters[].TimeoutFilter`
Specifies timeout settings for routes from an API gateway listener to the destination service in Consul service mesh.
#### Values
- Default: None
- Data type: Map
The following table describes the settings you can configure in the `TimeoutFilter` map:
| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| `IdleTimeout` | Specifies the total amount of time permitted for the request stream to be idle. | Integer | `0` |
| `RequestTimeout` | Specifies the total amount of time in nanoseconds, including retry attempts, Consul permits for the entire downstream request to be processed. | Integer | `0` |
### `Rules[].Filters{}.JWT`
Specifies a block of JWT verification configurations to apply to the route. These route-specific settings have precedence over default configurations defined for listeners the route attaches to on the API gateway. Refer to [`Listeners[].default{}.JWT`](/consul/docs/connect/config-entries/api-gateway#listeners-default-jwt) for additional information.
#### Values
- Default: None
- Data type: Map
### `Rules[].Filters[].JWT{}.Providers`
Specifies a list of JWT provider configurations to apply to the route. A provider configuration contains the name of the provider and claims.
#### Values
- Default: None
- Data type: List of maps
The following table describes the parameters you can specify in a member of the `Providers` list:
| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| `Name` | Specifies the name of the provider. | String | None |
| `VerifyClaims` | Specifies a list of paths and a value that define the claim. Consul verifies requests that match the claims declared in the listener JWT configuration and allow the request through the gateway. The `VerifyClaims` map specifies the following settings: <ul><li>`Path`: Specifies a list of one or more registered or custom claims.</li><li>`Value`: Specifies the expected value of the claim.</li></ul> | Map | None |
Refer to [Configure JWT verification settings](#configure-jwt-verification-settings) for an example configuration.
### `Rules[].ResponseFilters[]`
Specifies the list of HTTP-based filters used to modify a response prior to routing it to the calling client.
#### Values
- Default: none
- Data type: Map that contains the following fields:
- `Headers`
### `Rules[].ResponseFilters[].Headers[]`
Defines operations to perform on matching response headers when an incoming request matches the `Rules.Matches` configuration.
#### Values
This field contains the following configuration objects:
| Parameter | Description | Type |
| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `set` | Configure this field to rewrite the HTTP response header. It specifies the name of an HTTP header to overwrite and the new value to set. Any existing values associated with the header name are overwritten. You can specify the following configurations: <ul><li>`name`: Required string that specifies the name of the HTTP header to set.</li><li>`value`: Required string that specifies the value of the HTTP header to set.</li></ul> | List of maps |
| `add` | Configure this field to append the response header with a new value. It specifies the name of an HTTP header to append and the values to add. You can specify the following configurations: <ul><li>`name`: Required string that specifies the name of the HTTP header to append.</li><li>`value`: Required string that specifies the value of the HTTP header to add.</li></ul> | List of maps |
| `remove` | Configure this field to specify an array of header names to remove from the response header. | List of strings |
### `Rules[].Matches[]`
Specifies the matching criteria used in the routing table. When an incoming
request matches the given HTTPMatch configuration, traffic routes to
services specified in the [`Rules.Services`](#rules-services) field.
#### Values
- Default: none
- Data type: List containing maps. Each member of the list contains the following fields:
- `Headers`
- `Method`
- `Path`
- `Query`
### `Rules[].Matches[].Headers[]`
Specifies rules for matching incoming request headers. You can specify multiple rules in a list, as well as multiple lists of rules. If all rules in a single list are satisfied, then the route forwards the request to the appropriate service defined in the [`Rules.Services`](#rules-services) configuration. You can create multiple `Header[]` lists to create a range of matching criteria. When at least one list of matching rules are satisfied, the route forwards the request to the appropriate service defined in the [`Rules.Services`](#rules-services) configuration.
#### Values
- Default: none
- Data type: List containing maps with the following fields:
- `Match`
- `Name`
- `Value`
### `Rules.Matches.Headers.Match`
Specifies type of match for headers: `"exact"`, `"prefix"`, or `"regex"`.
#### Values
- Default: none
- Data type: string
### `Rules.Matches.Headers.Name`
Specifies the name of the header to match.
#### Values
- Default: none
- Data type: string
### `Rules[].Matches.Headers.Value`
Specifies the value of the header to match.
#### Values
- Default: none
- Data type: string
### `Rules[].Matches[].Method`
Specifies a list of strings that define matches based on HTTP request method.
#### Values
Specify one of the following string values:
- `HEAD`
- `POST`
- `PUT`
- `PATCH`
- `GET`
- `DELETE`
- `OPTIONS`
- `TRACE`
- `CONNECT`
### `Rules[].Matches[].Path`
Specifies the HTTP method to match.
#### Values
- Default: none
- Data type: map containing the following fields:
- `Match`
- `Value`
### `Rules[].Matches[].Path.Match`
Specifies type of match for the path: `"exact"`, `"prefix"`, or `"regex"`.
If set to `prefix`, Consul uses simple string matching to identify incoming request prefixes. For example, if the route is configured to match incoming requests to services prefixed with `/dev`, then the gateway would match requests to `/dev-` and `/deviate` and route to the upstream.
This deviates from the
[Kubernetes Gateway API specification](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.PathMatchType), which matches on full path elements. In the previous example, _only_ requests to `/dev` or `/dev/` would match.
#### Values
- Default: none
- Data type: string
### `Rules[].Matches[].Path.Value`
Specifies the value of the path to match.
#### Values
- Default: none
- Data type: string
### `Rules[].Matches[].Query[]`
Specifies how a match is completed on a requests query parameters.
#### Values
- Default: none
- Data type: List of map that contains the following fields:
- `Match`
- `Name`
- `Value`
### `Rules[].Matches[].Query[].Match`
Specifies type of match for query parameters: `"exact"`, `"prefix"`, or `"regex"`.
#### Values
- Default: none
- Data type: string
### `Rules[].Matches[].Query[].Name`
Specifies the name of the query parameter to match.
#### Values
- Default: none
- Data type: string
### `Rules[].Matches[].Query[].Value`
Specifies the value of the query parameter to match.
#### Values
- Default: none
- Data type: string
### `Rules[].Services[]`
Specifies the service that the API gateway routes incoming requests to when the
requests match the `Rules.Matches` configuration.
#### Values
- Default: none
- This field contains a list of maps. Each member of the list contains the following fields:
- `Name`
- `Weight`
- `Filters`
- `Namespace` <EnterpriseAlert inline />
- `Partition` <EnterpriseAlert inline />
### `Rules[].Services[].Name`
Specifies the name of an HTTP-based service to route to.
#### Values
- Default: none
- Data type: string
### `Rules[].Services[].Namespace` <EnterpriseAlert inline />
Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry.
#### Values
- Default: `"default"` in Enterprise
- Data type: string
### `Rules[].Services.Partition` <EnterpriseAlert inline />
Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry.
#### Values
- Default: `"default"` in Enterprise
- Data type: string
### `Rules[].Services[].Weight`
Specifies the proportion of requests forwarded to the specified service. If no weight is specified, or if the specified
weight is set to less than or equal to `0`, the weight is normalized to `1`. The
proportion is determined by dividing the value of the weight by the sum of all
weights in the service list. For non-zero values, there may be some deviation
from the exact proportion depending on the precision an implementation
supports. Weight is not a percentage and the sum of weights does not need to
equal 100.
#### Values
- Default: none
- Data type: integer
### `Rules[].Services[].Filters[]`
Specifies the list of HTTP-based filters used to modify a request prior to
routing it to this upstream service.
#### Values
- Default: none
- Data type: Map that contains the following fields:
- `Headers`
- `UrlRewrite`
### `Rules[].Services[].Filters[].Headers[]`
Defines operations to perform on matching request headers.
#### Values
This field contains the following configuration objects:
| Parameter | Description | Type |
| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `set` | Configure this field to rewrite the HTTP request header. It specifies the name of an HTTP header to overwrite and the new value to set. Any existing values associated with the header name are overwritten. You can specify the following configurations: <ul><li>`name`: Required string that specifies the name of the HTTP header to set.</li><li>`value`: Required string that specifies the value of the HTTP header to set.</li></ul> | List of maps |
| `add` | Configure this field to append the request header with a new value. It specifies the name of an HTTP header to append and the values to add. You can specify the following configurations: <ul><li>`name`: Required string that specifies the name of the HTTP header to append.</li><li>`value`: Required string that specifies the value of the HTTP header to add.</li></ul> | List of maps |
| `remove` | Configure this field to specify an array of header names to remove from the request header. | List of strings |
### `Rules[].Services[].Filters[].URLRewrite`
Specifies rule for rewriting the URL of incoming requests.
#### Values
- Default: none
- This field is a map that contains a `Path` field.
### `Rules[].Services[].Filters[].RetryFilters`
Specifies a block of settings Consul uses to retry a request if it fails.
### Values
- Default: None
- Data type: Map containing the following parameters:
- `NumRetries`
- `RetryOnConnectFailure`
- `RetryOn`
- `RetryOnStatusCodes`
### `Rules[].Services[].Filters[].RetryFilters{}.NumRetries`
Specifies the number of times to retry the request when a retry condition occurs.
#### Values
- Default: `1`
- Data type: Integer
### `Rules[].Services[].Filters[].RetryFilters{}.RetryOnConnectFailure`
Enables Consul to retry the request if the connection fails. Define the one or more retry configurations to define the retry logic for the route.
#### Values
- Default: `false`
- Data type: Boolean
### `Rules[].Services[].Filters[].RetryFilters{}.RetryOn`
Specifies a list of conditions for Consul to retry requests based on the response from an upstream service. The following retry conditions are supported:
| Conditions | Description |
| :------------------- | :------------------------------------------------------------------------------------------------------- |
| `5xx` | Consul retries the request when an upstream responds with any 5xx error code or does not respond at all. |
| `gateway-error` | Consul retries the request when the upstream responds with a 502, 503, or 504 error. |
| `reset` | Consul retries the request when the upstream does not respond at all. |
| `connect-failure` | Consul retries the request when the connection to the upstream fails. |
| `envoy-ratelimited` | Consul retries the request when the header `x-envoy-ratelimited` is present. |
| `retriable-4xx` | Consul retries the request when the upstream responds with a retriable 4xx code. |
| `refused-stream` | Consul retries the request when the upstream resets the stream with a `REFUSED_STREAM` error code. |
| `cancelled` | Consul retries the request when the gRPC status code in the response headers is `cancelled`. |
| `deadline-exceeded` | Consul retries the request when the gRPC status code in the response headers is `deadline-exceeded`. |
| `internal` | Consul retries the request when the gRPC status code in the response headers is `internal`. |
| <nobr>`resource-exhausted`</nobr> | Consul retries the request when the gRPC status code in the response headers is `resource-exhausted`. |
| `unavailable` | Consul retries the request when the gRPC status code in the response headers is `unavailable`. |
#### Values
- Default: None
- Data type: List of strings. Strings must match one of the following values:
- `5xx`
- `gateway-error`
- `reset`
- `connect-failure`
- `envoy-ratelimited`
- `retriable-4xx`
- `refused-stream`
- `cancelled`
- `deadline-exceeded`
- `internal`
- `resource-exhausted`
- `unavailable`
### `Rules[].Services[].Filters[].RetryFilters{}.RetryOnStatusCodes`
Specifies a list of integers for [HTTP response status codes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status) that trigger a retry request.
#### Values
- Default: None
- Data type: List of integers
### `Rules[].Services[].Filters[].TimeoutFilter`
Specifies timeout settings for routes from an API gateway listener to the destination service in Consul service mesh.
#### Values
- Default: None
- Data type: Map
The following table describes the settings you can configure in the `TimeoutFilter` map:
| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| `IdleTimeout` | Specifies the total amount of time permitted for the request stream to be idle. | Integer | `0` |
| `RequestTimeout` | Specifies the total amount of time in nanoseconds, including retry attempts, Consul permits for the entire downstream request to be processed. | Integer | `0` |
### `Rules[].Services[].ResponseFilters[]`
Specifies the list of HTTP-based filters used to modify a response prior to routing it to the calling client.
#### Values
- Default: none
- Data type: Map that contains the following fields:
- `Headers`
### `Rules[].Services[].ResponseFilters[].Headers[]`
Defines operations to perform on matching response headers when an incoming request matches the `Rules.Matches` configuration.
#### Values
This field contains the following configuration objects:
| Parameter | Description | Type |
| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `set` | Configure this field to rewrite the HTTP response header. It specifies the name of an HTTP header to overwrite and the new value to set. Any existing values associated with the header name are overwritten. You can specify the following configurations: <ul><li>`name`: Required string that specifies the name of the HTTP header to set.</li><li>`value`: Required string that specifies the value of the HTTP header to set.</li></ul> | List of maps |
| `add` | Configure this field to append the response header with a new value. It specifies the name of an HTTP header to append and the values to add. You can specify the following configurations: <ul><li>`name`: Required string that specifies the name of the HTTP header to append.</li><li>`value`: Required string that specifies the value of the HTTP header to add.</li></ul> | List of maps |
| `remove` | Configure this field to specify an array of header names to remove from the response header. | List of strings |
## Examples
The following examples demonstrate common HTTP route configuration patterns for specific use cases.
### Configure JWT verification settings
In the following example, the route is configured to accept incoming requests from the `okta` provider that requires the client to have `admin` permissions.
<Tabs>
<Tab heading="HCL" group="hcl">
```hcl
kind = "http-route"
name = "api-gateway-route"
parents = [
{
sectionName = "listener-one"
name = "api-gateway"
kind = "api-gateway"
},
]
rules = [
{
matches = /
}
{
matches = /admin
filters = {
JWT = {
Providers = [
{
Name = "okta", # this is referencing an existing JWT provider config entry
VerifyClaims = {
Path = ["perms", "role"],
Value = "admin",
}
}
]
}
}
services = [
{
name = "bender"
}
]
}
]
```
</Tab>
<Tab heading="JSON" group="json">
```json
{
"kind": "http-route",
"name": "api-gateway-route",
"parents": [
{
"sectionName": "listener-one",
"name": "api-gateway",
"kind": "api-gateway"
}
],
"rules": [
{
"matches": "/"
},
{
"matches": "/admin",
"filters": {
"JWT": {
"Providers": [
{
"Name": "okta",
"VerifyClaims": {
"Path": ["perms", "role"],
"Value": "admin"
}
}
]
}
},
"services": [
{
"name": "okta-verified-service"
}
]
}]
}
```
</Tab>
</Tabs>