Route Filters

The open-source Spring Cloud Gateway project includes a number of built-in filters for use in Gateway routes. Spring Cloud Gateway for VMware Tanzu provides a number of custom filters in addition to those included in the OSS project.

Filters Included In Spring Cloud Gateway OSS

Filters in Spring Cloud Gateway OSS can be used in Spring Cloud Gateway for VMware Tanzu. Spring Cloud Gateway OSS includes a number of GatewayFilter factories, which are used to create filters for routes. For a complete list of these GatewayFilter factories, see the Spring Cloud Gateway OSS documentation.

Filters Added In Spring Cloud Gateway for VMware Tanzu

See the following sections for information about the custom filters added in Spring Cloud Gateway for VMware Tanzu.

Filters for Use with Single Sign-On for VMware Tanzu

Spring Cloud Gateway for VMware Tanzu adds a number of filters for use with the Single Sign-On for VMware Tanzu tile. For information about these filters, see Using Single Sign-On for VMware Tanzu in Route Configuration.

Limiting User Requests With the RateLimit Filter

The RateLimit filter limits the number of requests allowed from a given user to an app’s route within the specified time interval.

When adding a route to a Gateway service instance, you can add the RateLimit filter by including it in the list of filters in the JSON object for the route. For example, when binding an app called “cook” to a Gateway service instance, you can add a route for the app and use the RateLimit filter to limit users to one request every 10 seconds:

$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["RateLimit=1,10s"] } ] }'

Validate Client Certificate With the ClientCertificateHeader Filter

The ClientCertificateHeader filter validates the client SSL certificate used to make a request to an app through the Gateway. You can also use this filter to validate the Common Name (CN) of the client SSL certificate and to validate the certificate’s fingerprint.

Note: This filter relies on Ops Manager to recognize a client certificate’s Certificate Authority (CA).

When adding a route to a Gateway service instance, you can add the ClientCertificateHeader filter by including it in the list of filters in the JSON object for the route. For example, when binding an app called “cook” to a Gateway service instance, you can add a route for the app and use the ClientCertificateHeader filter to validate the client certificate and require a CN of *.example.com:

$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["ClientCertificateHeader=*.example.com"] } ] }'

To validate the client SSL certificate’s fingerprint, add the name of the hash used for the fingerprint, and the fingerprint value, after the CN, using the following format:

[CN],[HASH]:[FINGERPRINT]

where:

  • [CN] is the Common Name
  • [HASH] is the hash used for the fingerprint, either sha-1 or sha-256
  • [FINGERPRINT] is the fingerprint value

The following example uses the ClientCertificateHeader filter to ensure that a client certificate uses a CN of *.example.com and a SHA-1 fingerprint of aa:bb:00:99:

$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["ClientCertificateHeader=*.example.com,sha-1:aa:bb:00:99"] } ] }'

The fingerprint value is not case-sensitive, and the colon character (:) is not required to separate hexadecimal digits in a fingerprint. The following example works the same as the previous example:

$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["ClientCertificateHeader=*.example.com,sha-1:AABB0099"] } ] }'
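
The following Python sketch is an added example, not part of the product documentation or the Gateway's own code. It computes a fingerprint from DER-encoded certificate bytes, checks a value against the [CN],[HASH]:[FINGERPRINT] format, and shows that the two fingerprint spellings above reduce to the same digits. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import json
import re

# Hash names the page lists for the filter, mapped to hashlib algorithm names.
HASHES = {"sha-1": "sha1", "sha-256": "sha256"}


def fingerprint(der_cert: bytes, hash_name: str) -> str:
    """Colon-separated hex fingerprint of a DER-encoded certificate."""
    digest = hashlib.new(HASHES[hash_name], der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Comparison form: colons removed, lower case (per the page's rules)."""
    hex_digits = fp.replace(":", "").lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hex_digits):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return hex_digits


def filter_arg(cn: str, hash_name: str = "", fp: str = "") -> str:
    """Build the filter entry in [CN],[HASH]:[FINGERPRINT] form."""
    if not hash_name:
        return f"ClientCertificateHeader={cn}"
    if hash_name not in HASHES:
        raise ValueError("hash must be sha-1 or sha-256")
    normalize(fp)  # reject malformed values before they reach the route config
    return f"ClientCertificateHeader={cn},{hash_name}:{fp}"


def bind_config(path: str, filters: list) -> str:
    """JSON for the -c option of cf bind-service, serialized, not hand-quoted."""
    return json.dumps({"routes": [{"path": path, "filters": filters}]})


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a real DER certificate.
    sample_der = b"constructed-sample-certificate"
    fp = fingerprint(sample_der, "sha-256")
    print(bind_config("/cook/**", [filter_arg("*.example.com", "sha-256", fp)]))
    # The two spellings used in the examples above compare equal.
    print(normalize("aa:bb:00:99") == normalize("AABB0099"))
```

Pinning a fingerprint ties the route to one specific certificate, so the route's filter value has to be updated whenever that client certificate is reissued.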