Route Filters
The open-source Spring Cloud Gateway project includes a number of built-in filters for use in Gateway routes. Spring Cloud Gateway for VMware Tanzu provides a number of custom filters in addition to those included in the OSS project.
Filters Included In Spring Cloud Gateway OSS
Filters in Spring Cloud Gateway OSS can be used in Spring Cloud Gateway for VMware Tanzu. Spring Cloud Gateway OSS includes a number of factories for the GatewayFilter that is used to create filters for routes. For a complete list of these GatewayFilter factories, see the Spring Cloud Gateway OSS documentation.
Filters Added In Spring Cloud Gateway for VMware Tanzu
See the following sections for information about the custom filters added in Spring Cloud Gateway for VMware Tanzu.
Filters for Use with Single Sign-On for VMware Tanzu
Spring Cloud Gateway for VMware Tanzu adds a number of filters for use with the Single Sign-On for VMware Tanzu tile. For information about these filters, see Using Single Sign-On for VMware Tanzu in Route Configuration.
Limiting Requests With the RateLimit Filter
The RateLimit filter limits the number of requests allowed to an app’s route within the specified time interval.
When adding a route to a Gateway service instance, you can add the RateLimit filter by including it in the list of filters in the JSON object for the route. For example, when binding an app called “cook” to a Gateway service instance, you can add a route for the app and use the RateLimit filter to allow only one request every 10 seconds:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["RateLimit=1,10s"] } ] }'
Validate Client Certificate With the ClientCertificateHeader Filter
The ClientCertificateHeader filter validates the client SSL certificate used to make a request to an app through the Gateway. You can also use this filter to validate the Common Name (CN) of the client SSL certificate and to validate the certificate’s fingerprint.
Note: This filter relies on Ops Manager to recognize a client certificate’s Certificate Authority (CA).
When adding a route to a Gateway service instance, you can add the ClientCertificateHeader filter by including it in the list of filters in the JSON object for the route. For example, when binding an app called “cook” to a Gateway service instance, you can add a route for the app and use the ClientCertificateHeader filter to validate the client certificate and require a CN of *.example.com:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["ClientCertificateHeader=*.example.com"] } ] }'
To validate the client SSL certificate’s fingerprint, add the name of the hash used for the fingerprint, and the fingerprint value, after the CN, using the following format:
[CN],[HASH]:[FINGERPRINT]
where:
[CN] is the Common Name
[HASH] is the hash used for the fingerprint, either sha-1 or sha-256
[FINGERPRINT] is the fingerprint value
The following example uses the ClientCertificateHeader filter to ensure that a client certificate uses a CN of *.example.com and a SHA-1 fingerprint of aa:bb:00:99:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["ClientCertificateHeader=*.example.com,sha-1:aa:bb:00:99"] } ] }'
The fingerprint value is not case-sensitive, and the colon character : is not required to separate hexadecimal digits in a fingerprint. The following example works the same as the previous example:
$ cf bind-service cook my-gateway -c '{ "routes": [ { "path": "/cook/**", "filters": ["ClientCertificateHeader=*.example.com,sha-1:AABB0099"] } ] }'
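The following Python helper is an added example, not code from Spring Cloud Gateway or VMware. It parses the [CN],[HASH]:[FINGERPRINT] argument described above, normalizes the fingerprint the way the page describes (case-insensitive, colons optional), and builds the filter value from a PEM certificate so the pinned value can be checked before binding. The function names and the sample PEM are constructed for illustration, and the fingerprint is assumed to be the conventional digest of the certificate's DER encoding.

```python
import hashlib
import hmac
import ssl

# Hash names the page allows, mapped to hashlib algorithm names.
HASHES = {"sha-1": "sha1", "sha-256": "sha256"}

def normalize_fingerprint(value):
    """Lower-case a fingerprint and drop the optional ':' separators."""
    digits = value.replace(":", "").lower()
    if not digits or len(digits) % 2 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a hex fingerprint: {value!r}")
    return digits

def parse_filter_arg(arg):
    """Split '[CN],[HASH]:[FINGERPRINT]' into (cn, hash_name, fingerprint)."""
    cn, sep, pin = arg.partition(",")
    if not sep:
        return cn, None, None  # CN-only form, no fingerprint pinned
    hash_name, sep, fingerprint = pin.partition(":")
    if not sep or hash_name not in HASHES:
        raise ValueError(f"hash must be one of {sorted(HASHES)}: {pin!r}")
    return cn, hash_name, normalize_fingerprint(fingerprint)

def cert_fingerprint(pem, hash_name):
    """Assumed convention: fingerprint = digest of the certificate's DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(HASHES[hash_name], der).hexdigest()

def filter_value(cn, pem, hash_name="sha-256"):
    """Build the string to place in the route's "filters" list."""
    return f"ClientCertificateHeader={cn},{hash_name}:{cert_fingerprint(pem, hash_name)}"

def pin_matches(arg, pem):
    """True if the fingerprint pinned in a filter argument is the one computed from pem."""
    _, hash_name, expected = parse_filter_arg(arg)
    return hash_name is not None and hmac.compare_digest(
        expected, cert_fingerprint(pem, hash_name))

# Constructed stand-in for a client certificate: valid PEM armor around
# placeholder bytes, enough to exercise the hashing path offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQgc2FtcGxlIGNlcnRpZmljYXRlIGJ5dGVz\n"
    "-----END CERTIFICATE-----\n"
)
```

Running filter_value("*.example.com", pem_text) against the real client certificate yields the value to paste into the "filters" array of the cf bind-service command.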