When configuring extensions by using plugins or callouts for ext-proc-based
backend services, you can specify the request and connection attributes to
forward to those services. This page describes the supported attributes and
specifies which ones are available for each extension type.
By configuring extensions to forward specific attributes, you can achieve the following:
- Make dynamic routing decisions.
- Enrich request headers with client information.
- Implement custom security policies based on client location or TLS parameters.
- Generate detailed custom logs.
You can specify attributes with the forwardAttributes field in the YAML
configuration for plugin and callout extensions. For example, for traffic
extensions, see Configure a traffic extension.
Specifying attributes with forwardAttributes is supported for authorization,
route, and traffic extensions implemented by using the
ext_proc
protocol on regional Application Load Balancers.
The following table lists the attributes and the extensions that support them:
| Attribute | Description | Extensions |
|---|---|---|
request.origin |
The value of the origin header in a request for Cross-Origin Resource Sharing (CORS) use cases. | traffic |
request.method |
The HTTP request method, such as GET or
POST. |
authorization, edge, route, traffic |
request.mcp_method |
The HTTP request method, such as GET or
POST. |
authorization |
request.host |
A convenience equivalent to request.headers['host']. |
authorization, edge, route, traffic |
request.path |
The requested HTTP URL path. | authorization, edge, route, traffic |
request.query |
The HTTP URL query, in the format name1=value&name2=value2,
as it appears in the first line of the HTTP request. No decoding is
performed. |
authorization, edge, route, traffic |
request.scheme |
The HTTP URL scheme, such as HTTP or
HTTPS. Values for this attribute are in lowercase. |
authorization, edge, route, traffic |
request.backend_service_name |
The backend service to which the request is forwarded. | authorization, traffic |
request.backend_service_project_number |
When using Shared VPC, the project number of the backend service to which the request is forwarded. | authorization, traffic |
request.mcp_param |
The MCP parameter. | authorization |
source.ip |
The client's IP address. | edge, route, traffic |
source.port |
The client's source port. | edge, route, traffic |
source.client_region |
The country or region associated with the client's IP address.
The value is a Unicode CLDR region code, such as US
or FR. For most countries, these codes correspond
directly to ISO-3166-2 codes. |
edge, traffic |
source.client_region_subdivision |
The subdivision (for example, a province or state) of the country
associated with the client's IP address. This is a Unicode CLDR
subdivision ID, such as USCA or CAON. These
Unicode codes are derived from the subdivisions defined by the
ISO-3166-2 standard. |
edge |
source.client_city |
The name of the city from which the request originated, for
example, Mountain View for Mountain View, California.
There is no canonical list of valid values for this variable.
City names can contain US-ASCII letters, numbers, spaces, and the
following characters: !#$%&'*+-.^_`|~. |
edge |
source.client_city_lat_long |
The latitude and longitude of the city from which the request
originated—for example, 37.386051,-122.083851
for a request from Mountain View. |
edge |
connection.client_encrypted |
The value is true if the connection between the
client and the load balancer is encrypted
(by using HTTPS, HTTP/2, or
HTTP/3); otherwise, it is false. |
traffic |
connection.protocol |
The HTTP protocol used for communication between the client and
the load balancer. It can be one of HTTP/1.0,
HTTP/1.1, HTTP/2,
or HTTP/3. |
traffic |
destination.ip |
The IP address of the load balancer that the client connects to.
This value can be useful when multiple load balancers share
common backends. This is the same as the last IP address in the
X-Forwarded-For header. |
traffic |
destination.port |
The destination port number that the client connects to. | traffic |
connection.sni |
Server Name Indication (as defined in RFC 6066), if provided by the client during the TLS or QUIC handshake. The hostname is converted to lowercase and any trailing dot is removed. | authorization, edge, traffic |
connection.tls_version |
The TLS version negotiated between the client and the load
balancer during the SSL handshake. Possible values include:
TLSv1, TLSv1.1, TLSv1.2,
and TLSv1.3. If the client connects using QUIC
instead of TLS, the value is QUIC. |
edge, traffic |
connection.sha256_peer_certificate_digest |
The hexadecimal-encoded SHA256 hash of the peer certificate in the downstream TLS connection, if present. | authorization, edge, traffic |
connection.tls_cipher_suite |
The cipher suite negotiated during the TLS handshake. The value
is four hexadecimal digits defined by the IANA TLS Cipher Suite
Registry—for example, 009C for
TLS_RSA_WITH_AES_128_GCM_SHA256. This value is empty
for QUIC and unencrypted client connections. |
traffic |
connection.tls_ja3_fingerprint |
The JA3 TLS/SSL fingerprint if the client connects using
HTTPS, HTTP/2, or HTTP/3. |
traffic |
connection.tls_ja4_fingerprint |
The JA4 TLS/SSL fingerprint if the client connects using HTTPS,
HTTP/2, or HTTP/3. |
edge, traffic |
connection.client_cert_present |
The value is true if the client provided a
certificate during the TLS handshake; otherwise, false. |
authorization, traffic |
connection.client_cert_chain_verified |
The value is true if the client certificate chain is
verified against a configured TrustStore; otherwise,
it is false. |
authorization, traffic |
connection.client_cert_error |
Predefined strings representing error conditions. For more information about the error strings, see mTLS client validation modes. | authorization, traffic |
connection.client_cert_serial_number |
The serial number of the client certificate. If the serial number
is longer than 50 bytes, the client_cert_error is set
to client_cert_serial_number_exceeded_size_limit,
and the serial number is set to an empty string. |
authorization, traffic |
connection.client_cert_spiffe_id |
The SPIFFE ID from the Subject Alternative Name (SAN) field. If
the value is not valid or exceeds 2048 bytes, the SPIFFE ID is
set to an empty string. If the SPIFFE ID is longer than 2048
bytes, the client_cert_error is set to
client_cert_spiffe_id_exceeded_size_limit. |
authorization, traffic |
connection.client_cert_uri_sans |
A comma-separated, Base64-encoded list of the SAN extensions of
type URI. The SAN extensions are extracted from the
client certificate. The SPIFFE ID is not included in the
client_cert_uri_sans field. If
client_cert_uri_sans is longer than 512 bytes, the
client_cert_error is set to
client_cert_uri_sans_exceeded_size_limit, and the
comma-separated list is set to an empty string. |
authorization, traffic |
connection.client_cert_dnsname_sans |
A comma-separated, Base64-encoded list of the SAN extensions of
type DNSName. The SAN extensions are extracted from
the client certificate. If client_cert_dnsname_sans
is longer than 512 bytes, the client_cert_error is
set to client_cert_dnsname_sans_exceeded_size_limit,
and the comma-separated list is set to an empty string. |
authorization, traffic |
connection.client_cert_valid_not_before |
The timestamp (RFC 3339 date string format) before which the
client certificate is not valid—for example,
2022-07-01T18:05:09+00:00.
|
authorization, traffic |
connection.client_cert_valid_not_after |
The timestamp (in the RFC 3339 date string format) after which
the client certificate is not valid—for example,
2022-07-01T18:05:09+00:00.
|
authorization, traffic |
connection.client_cert_issuer_dn |
The Base64-encoded DER encoding of the full Issuer
field from the certificate. If client_cert_issuer_dn
is longer than 512 bytes, the string
client_cert_issuer_dn_exceeded_size_limit is added
to client_cert_error, and
client_cert_issuer_dn is set to an empty string. |
authorization, traffic |
connection.client_cert_subject_dn |
The Base64-encoded DER encoding of the full Subject
field from the certificate. If client_cert_subject_dn
is longer than 512 bytes, the string
client_cert_subject_dn_exceeded_size_limit is added
to client_cert_error, and
client_cert_subject_dn is set to an empty string. |
authorization, traffic |
connection.client_cert_leaf |
The client leaf certificate for an established mTLS connection
where the certificate passed validation. Certificate encoding is
compliant with RFC 9440. This means the binary DER certificate
is Base64-encoded and delimited with colons on either side. If
client_cert_leaf exceeds 16 KB unencoded, the
string client_cert_validated_leaf_exceeded_size_limit
is added to client_cert_error, and
client_cert_leaf is set to an empty string. |
authorization, traffic |
connection.client_cert_chain |
The comma-delimited list of certificates, in standard TLS order,
of the client certificate chain for an established mTLS
connection where the client certificate passed validation, not
including the leaf certificate. Certificate encoding is compliant
with RFC 9440. If the combined size of
client_cert_leaf and client_cert_chain
before Base64 encoding exceeds 16 KB, the string
client_cert_validated_chain_exceeded_size_limit is
added to client_cert_error, and
client_cert_chain is set to an empty string. |
authorization, traffic |