fix(*-proxy): proxy policy doesn't send headers set by APIcast to API backend

tkan145 · tkan145 · commit 39d97e19baf2 · 2026-06-08T13:22:24.000+10:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Correct FAPI header to `x-fapi-interaction-id` [PR #1557](https://github.com/3scale/APIcast/pull/1557) [THREESCALE-11957](https://issues.redhat.com/browse/THREESCALE-11957)
 - Only validate oidc setting if authentication method is set to oidc [PR #1568](https://github.com/3scale/APIcast/pull/1568) [THREESCALE-11441](https://issues.redhat.com/browse/THREESCALE-11441)
 - Reduce memory consumption when returning large response that has been routed through a proxy server. [PR #1572](https://github.com/3scale/APIcast/pull/1572) [THREESCALE-12258](https://issues.redhat.com/browse/THREESCALE-12258)
+- Fix proxy policy doesn't send headers set by APIcast to the API Backend. [PR #1588](https://github.com/3scale/APIcast/pull/1588) [THREESCALE-10151](https://redhat.atlassian.net/browse/THREESCALE-10151)
 
 ### Added
 - Update APIcast schema manifest [PR #1550](https://github.com/3scale/APIcast/pull/1550)
diff --git a/gateway/src/apicast/http_proxy.lua b/gateway/src/apicast/http_proxy.lua
@@ -138,10 +138,15 @@ local function forward_https_request(proxy_uri, uri, proxy_opts)
       end
     end
 
+    local headers = ngx_req_get_headers(0, true)
+    headers["X-Real-IP"] = ngx.var.remote_addr
+    headers["X-3scale-debug"] = ""
+    headers["X-3scale-proxy-secret-token"] = ngx.var.secret_token
+
     local request = {
         uri = uri,
         method = req_method,
-        headers = ngx_req_get_headers(0, true),
+        headers = headers,
         path = (ngx.var.uri or '') .. (ngx.var.is_args or '') .. (ngx.var.query_string or ''),
         body = body,
         proxy_uri = proxy_uri,
@@ -159,6 +164,8 @@ local function forward_https_request(proxy_uri, uri, proxy_opts)
     local res
     res, err = httpc:request(request)
 
+    local inspect = require 'inspect'
+    ngx.log(ngx.INFO, "\n-------\n", inspect(res.headers))
     if res then
         if opts.request_unbuffered and raw then
             err = send_response(sock, res, DEFAULT_CHUNKSIZE)
diff --git a/t/apicast-policy-camel.t b/t/apicast-policy-camel.t
@@ -12,6 +12,7 @@ sub large_body {
 }
 
 $ENV{'LARGE_BODY'} = large_body();
+require("policies.pl");
 
 repeat_each(1);
 
@@ -140,6 +141,7 @@ $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
     {
       "backend_version":  1,
       "proxy": {
+        "secret_token": "token",
         "api_backend": "https://localhost:$Test::Nginx::Util::ENDPOINT_SSL_PORT",
         "proxy_rules": [
           { "pattern": "/test", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
@@ -177,6 +179,9 @@ EOF
   server_name _ default_server;
 
   location /test {
+    echo_foreach_split '\r\n' \$echo_client_request_headers;
+    echo \$echo_it;
+    echo_end;
     access_by_lua_block {
       assert = require('luassert')
       assert.equal('https', ngx.var.scheme)
@@ -186,8 +191,6 @@ EOF
 
       local host = ngx.req.get_headers()["Host"]
       assert.equal(host, 'localhost:$Test::Nginx::Util::ENDPOINT_SSL_PORT')
-      ngx.say("yay, endpoint backend")
-
     }
   }
 }
@@ -211,6 +214,16 @@ GET /test?user_key=test3
 --- more_headers
 User-Agent: Test::APIcast::Blackbox
 ETag: foobar
+--- expected_response_body_like_multiple eval
+[[
+    qr{GET \/test\?user_key=test3 HTTP\/1\.1},
+    qr{ETag\: foobar},
+    qr{Connection\: close},
+    qr{User\-Agent\: Test\:\:APIcast\:\:Blackbox},
+    qr{Host\: localhost\:\d+},
+    qr{X\-Real\-IP\: 127.0.0.1},
+    qr{X\-3scale\-proxy\-secret\-token\: token}
+]]
 --- error_code: 200
 --- user_files fixture=tls.pl eval
 --- error_log eval
diff --git a/t/apicast-policy-http-proxy.t b/t/apicast-policy-http-proxy.t
@@ -13,6 +13,7 @@ sub large_body {
 
 
 $ENV{'LARGE_BODY'} = large_body();
+require("policies.pl");
 
 repeat_each(3);
 
@@ -132,12 +133,14 @@ using proxy: $TEST_NGINX_HTTP_PROXY
 
 
 === TEST 3: using HTTPS proxy for backend
+--- ONLY
 --- configuration random_port env
 {
   "services": [
     {
       "backend_version":  1,
       "proxy": {
+        "secret_token": "token",
         "api_backend": "https://test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT",
         "proxy_rules": [
           { "pattern": "/test", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
@@ -197,7 +200,9 @@ ETag: foobar
     qr{ETag\: foobar},
     qr{Connection\: close},
     qr{User\-Agent\: Test\:\:APIcast\:\:Blackbox},
-    qr{Host\: test-upstream.lvh.me\:\d+}
+    qr{Host\: test-upstream.lvh.me\:\d+},
+    qr{X\-Real\-IP\: 127.0.0.1},
+    qr{X\-3scale\-proxy\-secret\-token\: token},
 ]]
 --- error_code: 200
 --- error_log env
diff --git a/t/http-proxy.t b/t/http-proxy.t
@@ -451,6 +451,7 @@ proxy request: GET http://test-upstream.lvh.me:$TEST_NGINX_SERVER_PORT/test?user
     {
       "backend_version":  1,
       "proxy": {
+        "secret_token": "token",
         "api_backend": "https://test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT",
         "proxy_rules": [
           { "pattern": "/test", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
@@ -495,7 +496,9 @@ ETag: foobar
     qr{ETag\: foobar},
     qr{Connection\: close},
     qr{User\-Agent\: Test\:\:APIcast\:\:Blackbox},
-    qr{Host\: test-upstream.lvh.me\:\d+}
+    qr{Host\: test-upstream.lvh.me\:\d+},
+    qr{X\-Real\-IP\: 127.0.0.1},
+    qr{X\-3scale\-proxy\-secret\-token\: token}
 ]]
 --- error_code: 200
 --- error_log env
