Meta tags:
description= Configure custom headers in URL maps used by regional HTTP(S) load balancers.;
Headings (most frequently used words):
headers, custom, in, and, create, url, maps, stay, organized, with, collections, save, categorize, content, based, on, your, preferences, before, you, begin, how, work, add, request, or, response, variables, that, can, appear, the, header, value, mutual, tls, limitations, regional, cross, region, products, pricing, support, resources, engage,
Text of the page (most frequently used words):
the (167), load (90), and (79), balancer (58), #header (53), set (49), backend (41), client (38), with (36), cloud (33), overview (32), backends (30), headers (29), for (28), custom (28), http (23), string (21), neg (21), application (19), region (19), certificate (18), name (18), that (18), google (17), tls (17), global (17), url (17), instance (17), balancers (16), group (16), internal (15), not (15), request (15), balancing (15), regional (14), using (14), use (14), are (13), empty (13), value (13), hybrid (13), zonal (13), cross (12), external (12), management (12), you (11), can (11), following (11), mtls (11), variables (11), ssl (11), add (11), other (10), values (10), https (10), maps (10), managed (10), information (9), client_cert_error (9), rfc (9), address (9), must (9), service (9), buckets (9), traffic (9), architecture (8), base64 (8), added (8), list (8), field (8), from (8), proxy (8), response (8), thumb (7), this (7), than (7), bytes (7), true (7), based (7), map (7), names (7), create (7), target (7), storage (7), negs (7), internet (7), capabilities (7), resources (6), more (6), connection (6), encoded (6), longer (6), valid (6), when (6), port (6), tcp (6), backendservices (6), headername (6), headervalue (6), backend_service_1 (6), health (6), serverless (6), premises (6), shared (6), vpc (6), run (6), code (5), policies (5), configure (5), services (5), comma (5), certificates (5), example (5), san (5), connects (5), between (5), only (5), network (5), forwarding (5), troubleshooting (5), metrics (5), redirect (5), português (4), español (4), support (4), see (4), down (4), last (4), otherwise (4), content (4), used (4), before (4), encoding (4), client_cert_leaf (4), passed (4), 512 (4), separated (4), extensions (4), spiffe (4), number (4), error (4), provided (4), during (4), handshake (4), time (4), these (4), forwarded (4), include (4), quic (4), tlsv1 (4), same (4), protocol (4), appear (4), defaultservice (4), matcher1 (4), priority (4), replace (4), how (4), gcloud (4), compute (4), curly (4), braces (4), check (4), tools (4), ipv6 (4), rules (4), view (4), logs (4), monitor (4), troubleshoot (4), terraform (4), examples (4), samples (3), sample (3), need (3), exceeds (3), client_cert_chain (3), validation (3), client_cert_subject_dn (3), client_cert_issuer_dn (3), client_cert_uri_sans (3), serial (3), fingerprint (3), strings (3), false (3), variable (3), mutual (3), data (3), origin (3), server (3), server_port (3), multiple (3), server_ip_address (3), client_port (3), next (3), client_ip_address (3), per (3), hosts (3), yaml (3), file (3), edit (3), regions (3), console (3), host (3), hop (3), authorization (3), work (3), guides (3), networking (3), connectivity (3), frontend (3), explore (3), tutorials (3), connected (3), networks (3), directory (3), registration (3), distribution (3), udp (3), migrate (3), classic (3), 한국어 (2), 日本語 (2), עברית (2), brasil (2), italiano (2), indonesia (2), français (2), américa (2), latina (2), deutsch (2), english (2), sign (2), third (2), terms (2), site (2), about (2), youtube (2), started (2), pricing (2), products (2), understand (2), missing (2), updated (2), 2026 (2), utc (2), page (2), licensed (2), under (2), license (2), send (2), feedback (2), limitations (2), size (2), delimited (2), order (2), chain (2), established (2), where (2), leaf (2), compliant (2), 9440 (2), full (2), subject (2), timestamp (2), date (2), format (2), which (2), 2022 (2), 01t18 (2), 3339 (2), client_cert_dnsname_sans (2), type (2), extracted (2), 2048 (2), conditions (2), configured (2), has (2), description (2), additional (2), geographic (2), estimates (2), provides (2), source (2), origin_request_header (2), parameters (2), cipher (2), suite (2), negotiated (2), defined (2), version (2), instead (2), lowercase (2), trailing (2), removed (2), common (2), resource (2), one (2), round (2), trip (2), smoothed (2), parameter (2), rtt (2), includes (2), resolves (2), note (2), hostrules (2), pathmatcher (2), pathmatchers (2), routerules (2), matchrules (2), prefixmatch (2), highest (2), routeaction (2), weightedbackendservices (2), backendservice (2), weight (2), 100 (2), headeraction (2), requestheaderstoadd (2), client_region (2), responseheaderstoadd (2), responseheaderstoremove (2), prefix (2), shows (2), url_map_name (2), path (2), matcher (2), cli (2), follows (2), whitespace (2), two (2), opening (2), single (2), brace (2), closing (2), blank (2), definition (2), 7230 (2), have (2), properties (2), reserved (2), authority (2), proxies (2), begin (2), user (2), specify (2), adds (2), requests (2), your (2), fail (2), update (2), transformations (2), latency (2), responses (2), documentation (2), sdk (2), languages (2), frameworks (2), infrastructure (2), costs (2), usage (2), access (2), security (2), observability (2), monitoring (2), migration (2), industry (2), solutions (2), distributed (2), multicloud (2), databases (2), analytics (2), pipelines (2), hosting (2), development (2), logging (2), pools (2), tags (2), checks (2), optimizations (2), workload (2), identity (2), failover (2), protocols (2), concepts (2), pool (2), convert (2), capacity (2), over (2), web (2), routing (2), app (2), engine (2), functions (2), constraints (2), product (2), reference (2), technology (2), areas (2), close (2), subscribe, newsletter, our, decade, climate, action, join, manage, cookies, privacy, tech, twitter, events, blog, engage, training, certification, center, getting, github, system, status, release, notes, community, forums, contact, sales, marketplace, all, easy, easytounderstand, solved, problem, solvedmyproblem, otherup, hard, hardtounderstand, incorrect, incorrectinformationorsamplecode, missingtheinformationsamplesineed, otherdown, tell, except, noted, details, java, registered, trademark, oracle, its, affiliates, developers, apache, creative, commons, attribution, apply, combined, client_cert_validated_chain_exceeded_size_limit, standard, including, unencoded, client_cert_validated_leaf_exceeded_size_limit, binary, der, without, line, breaks, spaces, characters, outside, alphabet, colons, either, side, client_cert_subject_dn_exceeded_size_limit, client_cert_issuer_dn_exceeded_size_limit, issuer, after, client_cert_valid_not_after, client_cert_valid_not_before, client_cert_dnsname_sans_exceeded_size_limit, dnsname, client_cert_uri_sans_exceeded_size_limit, uri, included, client_cert_spiffe_id_exceeded_size_limit, alternative, client_cert_spiffe_id, client_cert_serial_number_exceeded_size_limit, client_cert_serial_number, sha, 256, client_cert_sha256_fingerprint, predefined, representing, modes, verified, against, truststore, client_cert_chain_verified, client_cert_present, available, targethttpsproxy, updates, improve, accuracy, reflect, political, changes, even, original, contains, location, locations, contained, packets, received, does, expands, determine, their, ja4, tls_ja4_fingerprint, ja3, tls_ja3_fingerprint, four, hex, digits, tls_rsa_with_aes_128_gcm_sha256, unencrypted, connections, 009c, iana, registry, tls_cipher_suite, possible, tls_version, indication, hostname, converted, any, dot, 6066, tls_sni_hostname, destination, useful, share, reflects, sharing, cors, cases, communication, client_protocol, encrypted, client_encrypted, usually, unless, been, tampered, estimated, transmission, milliseconds, srtt, measured, stack, algorithm, deals, variations, anomalies, may, occur, measurements, 2988, client_rtt_msec, incoming, also, will, replaced, new, retained, placeholder, behaviors, requesteheaderstoremove, requestheaderstoremove, enter, section, leading, insignificant, allow, interprets, enclosed, expand, complete, allowed, rejected, obsolete, forms, disallowed, case, insensitive, encodes, once, both, special, keywords, modify, envoy, recommend, don, interfere, myhost, accordance, stored, caches, propagated, 2616, upgrade, trailer, transfer, keep, alive, amz, gfe, goog, enable, configuration, sets, returning, probes, requires, specific, packet, might, makes, components, necessary, latest, well, however, important, let, depending, detects, describes, save, categorize, preferences, stay, organized, collections, home, clean, setup, audit, operate, maintain, quota, units, subnets, endpoint, groups, dns, firewall, draining, advanced, customize, post, quantum, authenticated, private, encryption, self, secure, switch, deploy, hub, spoke, party, appliances, hops, affinity, weighted, passthrough, testing, optimize, deliver, published, domain, faster, performance, improved, protection, multi, best, practices, high, availability, rewrite, query, roll, back, project, bucket, organization, policy, iam, roles, permissions, get, feature, comparison, model, choose, discover, start, free, skip, main,
Text of the page (random words):
tion load balancing and connected networks explore tutorials set up load balancer as next hop with tags deploy a hub and spoke network set up a load balancer with internal ipv6 only backends monitor and troubleshoot view logs and metrics troubleshooting protocol forwarding overview set up protocol forwarding switch between a target instance and a backend service secure ssl certificates overview use self managed ssl certificates use google managed ssl certificates encryption to the backends troubleshooting ssl policies overview use ssl policies mutual tls frontend mtls overview set up frontend mtls with user provided certificates set up frontend mtls with a private ca backend mtls overview set up backend authenticated tls set up backend mtls backend mtls with managed workload identity overview set up backend mtls using managed workload identity post quantum tls authorization policies overview set up authorization policies customize load balancer advanced load balancing optimizations backend buckets backend services connection draining firewall rules forwarding rules health checks overview use health checks internal dns names ipv6 network endpoint groups overview hybrid connectivity negs internet negs serverless negs zonal negs overview set up zonal negs proxy only subnets tags target pools target proxies url maps overview use url maps url map size and quota units operate and maintain audit logging information health check logging information clean up a load balancer setup ai and ml application development application hosting compute data analytics and pipelines databases distributed hybrid and multicloud industry solutions migration networking observability and monitoring security storage access and resources management costs and usage management infrastructure as code sdk languages frameworks and tools home documentation networking load balancing guides send feedback create custom headers in url maps stay organized with collections save and categorize content based on your preferences this page describes how custom headers work in url maps used by regional internal application load balancers and cross region internal application load balancers custom request and response headers let you specify additional headers that the load balancer can add to http s requests and responses depending on the information that the load balancer detects these headers can include the following information latency to the client parameters of the tls connection important global external application load balancers support header transformations in the url map as well as in the backend service however the regional internal application load balancers and cross region internal application load balancers only support header transformations in url maps before you begin if necessary update to the latest version of the google cloud cli gcloud components update how custom headers work custom headers work as follows when the load balancer makes a request to the backend the load balancer adds request headers the load balancer adds custom request headers only to the client requests not to the health check probes if your backend requires a specific header for authorization that is missing from the health check packet the health check might fail the load balancer sets response headers before returning a response to the client to enable custom headers for regional internal application load balancers and cross region internal application load balancers you specify a list of header names and header values in the url map configuration file header names must have the following properties the header name must be a valid http header field name definition per rfc 7230 the header name must not be x user ip the header name must not begin with x google x goog x gfe or x amz the following hop by hop headers must not be used keep alive transfer encoding te connection trailer and upgrade in accordance with rfc 2616 these headers are not stored by caches or propagated by the target proxies the header name must not be host or authority both host and authority are special keywords reserved by google cloud you can t modify these headers for envoy based load balancers instead we recommend that you create other custom headers for example myhost so that you don t interfere with the reserved header names a header name must not appear more than once in the list of headers header names are case insensitive when header names are passed to an http 2 backend the http 2 protocol encodes header names as lowercase header values must have the following properties the header value must be a valid http header field definition per rfc 7230 with obsolete forms disallowed the header value can t be blank blank headers are rejected the header value can include one or more variables enclosed by curly braces that expand to values that the load balancer provides for a complete list of variables allowed in the header value see variables that can appear in the header value in header values leading whitespace and trailing whitespace are insignificant and are not passed to the backend to allow for curly braces in header values the load balancer interprets two opening curly braces as a single opening brace and two closing curly braces as a single closing brace add request or response headers to add request or response headers use the gcloud cli to edit the url map as follows note if you are using the google cloud console to add the request and response headers in the url map you need to enter the host address in the hosts field and the path matcher section of the following yaml in the path matcher field regional gcloud compute url maps edit url_map_name region region following is a sample yaml file that shows you how to use variables in custom headers defaultservice regions region backendservices backend_service_1 name regional lb map region region region hostrules hosts pathmatcher matcher1 pathmatchers defaultservice regions region backendservices backend_service_1 name matcher1 routerules matchrules prefixmatch prefix priority priority 0 is highest routeaction weightedbackendservices backendservice regions region backendservices backend_service_1 weight 100 headeraction requestheaderstoadd headername x header 1 client region headervalue client_region headername x header 2 client ip port headervalue client_ip_address client_port replace true requestheaderstoremove header 3 name responseheaderstoadd headername x header 4 server ip port headervalue server_ip_address server_port replace true responseheaderstoremove header 5 name header 6 name cross region gcloud compute url maps edit url_map_name global following is a sample yaml file that shows you how to use variables in custom headers defaultservice global backendservices backend_service_1 name global lb map hostrules hosts pathmatcher matcher1 pathmatchers defaultservice global backendservices backend_service_1 name matcher1 routerules matchrules prefixmatch prefix priority priority 0 is highest routeaction weightedbackendservices backendservice global backendservices backend_service_1 weight 100 headeraction requestheaderstoadd headername x header 1 client region headervalue client_region headername x header 2 client ip port headervalue client_ip_address client_port replace true requesteheaderstoremove header 3 name responseheaderstoadd headername x header 4 server ip port headervalue server_ip_address server_port replace true responseheaderstoremove header 5 name header 6 name note the following behaviors if a response header with custom variables resolves to an empty string it is removed if a request header with custom variables resolves to an empty string it is retained with an empty string placeholder if a custom request header includes a custom variable and an incoming client request also includes the same header the client request header value will be replaced with the new value provided by the load balancer s custom header variables that can appear in the header value the following variables can appear in custom header values variable description client_rtt_msec estimated round trip transmission time between the load balancer and the http s client in milliseconds this is the smoothed round trip time srtt parameter measured by the load balancer s tcp stack per rfc 2988 smoothed rtt is an algorithm that deals with variations and anomalies that may occur in rtt measurements client_ip_address the client s ip address this is usually the same as the client ip address that is the next to last address in the x forwarded for header unless the client is using a proxy or the x forwarded for header has been tampered with client_port the client s source port client_encrypted true if the connection between the client and the load balancer is encrypted using https http 2 or http 3 otherwise false client_protocol the http protocol used for communication between the client and the load balancer one of http 1 0 http 1 1 http 2 or http 3 origin_request_header reflects the value of the origin header in the request for cross origin resource sharing cors use cases server_ip_address the ip address of the load balancer that the client connects to this can be useful when multiple load balancers share common backends this is the same as the last ip address in the x forwarded for header server_port the destination port number that the client connects to tls_sni_hostname server name indication as defined in rfc 6066 if provided by the client during the tls or quic handshake the hostname is converted to lowercase and with any trailing dot removed tls_version tls version negotiated between client and load balancer during the ssl handshake possible values include tlsv1 tlsv1 1 tlsv1 2 and tlsv1 3 if the client connects using quic instead of tls the value is quic tls_cipher_suite cipher suite negotiated during the tls handshake the value is four hex digits defined by the iana tls cipher suite registry for example 009c for tls_rsa_with_aes_128_gcm_sha256 this value is empty for quic and for unencrypted client connections tls_ja3_fingerprint ja3 tls ssl fingerprint if the client connects using https http 2 or http 3 tls_ja4_fingerprint ja4 tls ssl fingerprint if the client connects using https http 2 or http 3 the load balancer expands variables to empty strings when it can t determine their values for example tls parameters when tls is not in use the origin_request_header when the request does not include an origin header geographic values are estimates based on the client s ip address from time to time google updates the data that provides these values in order to improve accuracy and to reflect geographic and political changes even if the original x forwarded for header contains valid location information google estimates client locations by using the source ip address information contained in packets received by the load balancer mutual tls custom headers the following additional header variables are available if mutual tls mtls is configured on the load balancer s targethttpsproxy variable description client_cert_present true if the client has provided a certificate during the tls handshake otherwise false client_cert_chain_verified true if the client certificate chain is verified against a configured truststore otherwise false client_cert_error predefined strings representing the error conditions for more information about the error strings see mtls client validation modes client_cert_sha256_fingerprint base64 encoded sha 256 fingerprint of the client certificate client_cert_serial_number the serial number of the client certificate if the serial number is longer than 50 bytes the string client_cert_serial_number_exceeded_size_limit is added to client_cert_error and the serial number is set to an empty string client_cert_spiffe_id the spiffe id from the subject alternative name san field if the value is not valid or exceeds 2048 bytes the spiffe id is set to an empty string if the spiffe id is longer than 2048 bytes the string client_cert_spiffe_id_exceeded_size_limit is added to client_cert_error client_cert_uri_sans comma separated base64 encoded list of the san extensions of type uri the san extensions are extracted from the client certificate the spiffe id is not included in the client_cert_uri_sans field if the client_cert_uri_sans is longer than 512 bytes the string client_cert_uri_sans_exceeded_size_limit is added to client_cert_error and the comma separated list is set to an empty string client_cert_dnsname_sans comma separated base64 encoded list of the san extensions of type dnsname the san extensions are extracted from the client certificate if the client_cert_dnsname_sans is longer than 512 bytes the string client_cert_dnsname_sans_exceeded_size_limit is added to client_cert_error and the comma separated list is set to an empty string client_cert_valid_not_before timestamp rfc 3339 date string format before which the client certificate is not valid for example 2022 07 01t18 05 09 00 00 client_cert_valid_not_after timestamp rfc 3339 date string format after which the client certificate is not valid for example 2022 07 01t18 05 09 00 00 client_cert_issuer_dn base64 encoded full issuer field from the certificate if the client_cert_issuer_dn is longer than 512 bytes the string client_cert_issuer_dn_exceeded_size_limit is added to client_cert_error and client_cert_issuer_dn is set to an empty string client_cert_subject_dn base64 encoded full subject field from the certificate if the client_cert_subject_dn is longer than 512 bytes the string client_cert_subject_dn_exceeded_size_limit is added to client_cert_error and client_cert_subject_dn is set to an empty string client_cert_leaf the client leaf certificate for an established mtls connection where the certificate passed validation certificate encoding is compliant with rfc 9440 the binary der certificate is encoded using base64 without line breaks spaces or other characters outside the base64 alphabet and delimited with colons on either side if client_cert_leaf exceeds 16 kb unencoded the string client_cert_validated_leaf_exceeded_size_limit is added to client_cert_error and client_cert_leaf is set to an empty string client_cert_chain the comma delimited list of certificates in standard tls order of the client certificate chain for an established mtls connection where the client certificate passed validation not including the leaf certificate certificate encoding is compliant with rfc 9440 if the combined size of client_cert_leaf and client_cert_chain before base64 encoding exceeds 16 kb the string client_cert_validated_chain_exceeded_size_limit is added to client_cert_error and client_cert_chain is set to an empty string limitations the following limitations apply you can t configure custom headers on backend services used by regional internal application load balancers and cross region internal application load balancers send feedback except as otherwise noted the content of this page is licensed un...
|