NET-6821 Disable Terminating Gateway Auto Host Header Rewrite (#20802)

* disable terminating gateway auto host rewrite * add changelog * clean up unneeded additional snapshot fields * add new field to docs * squash * fix test
8 months ago · 262f435800
12 changed files with 226 additions and 143 deletions
--- a/.changelog/20802.txt
+++ b/.changelog/20802.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Add ability to disable Auto Host Header Rewrite on Terminating Gateway at the service level
+```
--- a/agent/catalog_endpoint_test.go
+++ b/agent/catalog_endpoint_test.go
@ -1938,11 +1938,12 @@ func TestCatalog_GatewayServices_Terminating(t *testing.T) {
 					SNI:      "my-domain",
 				},
 				{
-					Name:     "*",
-					CAFile:   "ca.crt",
-					CertFile: "client.crt",
-					KeyFile:  "client.key",
-					SNI:      "my-alt-domain",
+					Name:                   "*",
+					CAFile:                 "ca.crt",
+					CertFile:               "client.crt",
+					KeyFile:                "client.key",
+					SNI:                    "my-alt-domain",
+					DisableAutoHostRewrite: true,
 				},
 			},
 		},
@ -1965,23 +1966,25 @@ func TestCatalog_GatewayServices_Terminating(t *testing.T) {

 		expect := structs.GatewayServices{
 			{
-				Service:     structs.NewServiceName("api", nil),
-				Gateway:     structs.NewServiceName("terminating", nil),
-				GatewayKind: structs.ServiceKindTerminatingGateway,
-				CAFile:      "api/ca.crt",
-				CertFile:    "api/client.crt",
-				KeyFile:     "api/client.key",
-				SNI:         "my-domain",
+				Service:         structs.NewServiceName("api", nil),
+				Gateway:         structs.NewServiceName("terminating", nil),
+				GatewayKind:     structs.ServiceKindTerminatingGateway,
+				CAFile:          "api/ca.crt",
+				CertFile:        "api/client.crt",
+				KeyFile:         "api/client.key",
+				SNI:             "my-domain",
+				AutoHostRewrite: true,
 			},
 			{
-				Service:      structs.NewServiceName("redis", nil),
-				Gateway:      structs.NewServiceName("terminating", nil),
-				GatewayKind:  structs.ServiceKindTerminatingGateway,
-				CAFile:       "ca.crt",
-				CertFile:     "client.crt",
-				KeyFile:      "client.key",
-				SNI:          "my-alt-domain",
-				FromWildcard: true,
+				Service:         structs.NewServiceName("redis", nil),
+				Gateway:         structs.NewServiceName("terminating", nil),
+				GatewayKind:     structs.ServiceKindTerminatingGateway,
+				CAFile:          "ca.crt",
+				CertFile:        "client.crt",
+				KeyFile:         "client.key",
+				SNI:             "my-alt-domain",
+				FromWildcard:    true,
+				AutoHostRewrite: false,
 			},
 		}

--- a/agent/consul/catalog_endpoint_test.go
+++ b/agent/consul/catalog_endpoint_test.go
@ -3187,33 +3187,36 @@ func TestCatalog_GatewayServices_TerminatingGateway(t *testing.T) {

 		expect := structs.GatewayServices{
 			{
-				Service:     structs.NewServiceName("api", nil),
-				Gateway:     structs.NewServiceName("gateway", nil),
-				GatewayKind: structs.ServiceKindTerminatingGateway,
-				CAFile:      "api/ca.crt",
-				CertFile:    "api/client.crt",
-				KeyFile:     "api/client.key",
-				SNI:         "my-domain",
-				ServiceKind: structs.GatewayServiceKindService,
+				Service:         structs.NewServiceName("api", nil),
+				Gateway:         structs.NewServiceName("gateway", nil),
+				GatewayKind:     structs.ServiceKindTerminatingGateway,
+				CAFile:          "api/ca.crt",
+				CertFile:        "api/client.crt",
+				KeyFile:         "api/client.key",
+				SNI:             "my-domain",
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
-				Service:     structs.NewServiceName("db", nil),
-				Gateway:     structs.NewServiceName("gateway", nil),
-				GatewayKind: structs.ServiceKindTerminatingGateway,
-				CAFile:      "",
-				CertFile:    "",
-				KeyFile:     "",
-				ServiceKind: structs.GatewayServiceKindService,
+				Service:         structs.NewServiceName("db", nil),
+				Gateway:         structs.NewServiceName("gateway", nil),
+				GatewayKind:     structs.ServiceKindTerminatingGateway,
+				CAFile:          "",
+				CertFile:        "",
+				KeyFile:         "",
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
-				Service:      structs.NewServiceName("redis", nil),
-				Gateway:      structs.NewServiceName("gateway", nil),
-				GatewayKind:  structs.ServiceKindTerminatingGateway,
-				CAFile:       "ca.crt",
-				CertFile:     "client.crt",
-				KeyFile:      "client.key",
-				SNI:          "my-alt-domain",
-				FromWildcard: true,
+				Service:         structs.NewServiceName("redis", nil),
+				Gateway:         structs.NewServiceName("gateway", nil),
+				GatewayKind:     structs.ServiceKindTerminatingGateway,
+				CAFile:          "ca.crt",
+				CertFile:        "client.crt",
+				KeyFile:         "client.key",
+				SNI:             "my-alt-domain",
+				FromWildcard:    true,
+				AutoHostRewrite: true,
 			},
 		}

@ -3345,10 +3348,11 @@ func TestCatalog_GatewayServices_BothGateways(t *testing.T) {

 		expect := structs.GatewayServices{
 			{
-				Service:     structs.NewServiceName("api", nil),
-				Gateway:     structs.NewServiceName("gateway", nil),
-				GatewayKind: structs.ServiceKindTerminatingGateway,
-				ServiceKind: structs.GatewayServiceKindService,
+				Service:         structs.NewServiceName("api", nil),
+				Gateway:         structs.NewServiceName("gateway", nil),
+				GatewayKind:     structs.ServiceKindTerminatingGateway,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 		}

@ -3568,16 +3572,18 @@ service "gateway" {

 		expect := structs.GatewayServices{
 			{
-				Service:     structs.NewServiceName("db", nil),
-				Gateway:     structs.NewServiceName("gateway", nil),
-				GatewayKind: structs.ServiceKindTerminatingGateway,
-				ServiceKind: structs.GatewayServiceKindService,
+				Service:         structs.NewServiceName("db", nil),
+				Gateway:         structs.NewServiceName("gateway", nil),
+				GatewayKind:     structs.ServiceKindTerminatingGateway,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
-				Service:     structs.NewServiceName("db_replica", nil),
-				Gateway:     structs.NewServiceName("gateway", nil),
-				GatewayKind: structs.ServiceKindTerminatingGateway,
-				ServiceKind: structs.GatewayServiceKindUnknown,
+				Service:         structs.NewServiceName("db_replica", nil),
+				Gateway:         structs.NewServiceName("gateway", nil),
+				GatewayKind:     structs.ServiceKindTerminatingGateway,
+				ServiceKind:     structs.GatewayServiceKindUnknown,
+				AutoHostRewrite: true,
 			},
 		}

--- a/agent/consul/internal_endpoint_test.go
+++ b/agent/consul/internal_endpoint_test.go
@ -1217,10 +1217,11 @@ func TestInternal_GatewayServiceDump_Terminating(t *testing.T) {
 				},
 			},
 			GatewayService: &structs.GatewayService{
-				Gateway:     structs.NewServiceName("terminating-gateway", nil),
-				Service:     structs.NewServiceName("db", nil),
-				GatewayKind: "terminating-gateway",
-				ServiceKind: structs.GatewayServiceKindService,
+				Gateway:         structs.NewServiceName("terminating-gateway", nil),
+				Service:         structs.NewServiceName("db", nil),
+				GatewayKind:     "terminating-gateway",
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 		},
 		{
@ -1251,21 +1252,23 @@ func TestInternal_GatewayServiceDump_Terminating(t *testing.T) {
 				},
 			},
 			GatewayService: &structs.GatewayService{
-				Gateway:     structs.NewServiceName("terminating-gateway", nil),
-				Service:     structs.NewServiceName("db", nil),
-				GatewayKind: "terminating-gateway",
-				ServiceKind: structs.GatewayServiceKindService,
+				Gateway:         structs.NewServiceName("terminating-gateway", nil),
+				Service:         structs.NewServiceName("db", nil),
+				GatewayKind:     "terminating-gateway",
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 		},
 		{
 			// Only GatewayService should be returned when linked service isn't registered
 			GatewayService: &structs.GatewayService{
-				Gateway:     structs.NewServiceName("terminating-gateway", nil),
-				Service:     structs.NewServiceName("redis", nil),
-				GatewayKind: "terminating-gateway",
-				CAFile:      "/etc/certs/ca.pem",
-				CertFile:    "/etc/certs/cert.pem",
-				KeyFile:     "/etc/certs/key.pem",
+				Gateway:         structs.NewServiceName("terminating-gateway", nil),
+				Service:         structs.NewServiceName("redis", nil),
+				GatewayKind:     "terminating-gateway",
+				CAFile:          "/etc/certs/ca.pem",
+				CertFile:        "/etc/certs/cert.pem",
+				KeyFile:         "/etc/certs/key.pem",
+				AutoHostRewrite: true,
 			},
 		},
 	}
--- a/agent/consul/state/catalog.go
+++ b/agent/consul/state/catalog.go
@ -3757,14 +3757,15 @@ func terminatingConfigGatewayServices(
 			return false, nil, fmt.Errorf("failed to get gateway service kind for service %s: %v", svc.Name, err)
 		}
 		mapping := &structs.GatewayService{
-			Gateway:     gateway,
-			Service:     structs.NewServiceName(svc.Name, &svc.EnterpriseMeta),
-			GatewayKind: structs.ServiceKindTerminatingGateway,
-			KeyFile:     svc.KeyFile,
-			CertFile:    svc.CertFile,
-			CAFile:      svc.CAFile,
-			SNI:         svc.SNI,
-			ServiceKind: kind,
+			Gateway:         gateway,
+			Service:         structs.NewServiceName(svc.Name, &svc.EnterpriseMeta),
+			GatewayKind:     structs.ServiceKindTerminatingGateway,
+			KeyFile:         svc.KeyFile,
+			CertFile:        svc.CertFile,
+			CAFile:          svc.CAFile,
+			SNI:             svc.SNI,
+			ServiceKind:     kind,
+			AutoHostRewrite: !svc.DisableAutoHostRewrite,
 		}

 		gatewayServices = append(gatewayServices, mapping)
--- a/agent/consul/state/catalog_test.go
+++ b/agent/consul/state/catalog_test.go
@ -5197,7 +5197,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 21,
 				ModifyIndex: 21,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 		{
 			Service:     structs.NewServiceName("db", nil),
@ -5207,7 +5208,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 21,
 				ModifyIndex: 21,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -5241,7 +5243,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 21,
 				ModifyIndex: 21,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 		{
 			Service:     structs.NewServiceName("db", nil),
@ -5251,7 +5254,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 21,
 				ModifyIndex: 21,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -5302,7 +5306,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 22,
 				ModifyIndex: 22,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 		{
 			Service:     structs.NewServiceName("db", nil),
@ -5312,7 +5317,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 22,
 				ModifyIndex: 22,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -5340,7 +5346,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 22,
 				ModifyIndex: 22,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 		{
 			Service:     structs.NewServiceName("db", nil),
@ -5350,7 +5357,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 22,
 				ModifyIndex: 22,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 		{
 			Service:      structs.NewServiceName("redis", nil),
@ -5365,7 +5373,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 23,
 				ModifyIndex: 23,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -5393,7 +5402,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 22,
 				ModifyIndex: 22,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 		{
 			Service:     structs.NewServiceName("db", nil),
@ -5403,7 +5413,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 22,
 				ModifyIndex: 22,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -5435,7 +5446,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 25,
 				ModifyIndex: 25,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -5467,6 +5479,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 26,
 				ModifyIndex: 26,
 			},
+			AutoHostRewrite: true,
 		},
 		{
 			Service:      structs.NewServiceName("db", nil),
@ -5477,6 +5490,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 26,
 				ModifyIndex: 26,
 			},
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -5504,6 +5518,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 26,
 				ModifyIndex: 26,
 			},
+			AutoHostRewrite: true,
 		},
 		{
 			Service:      structs.NewServiceName("db", nil),
@ -5514,6 +5529,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 26,
 				ModifyIndex: 26,
 			},
+			AutoHostRewrite: true,
 		},
 		{
 			Service:      structs.NewServiceName("destination1", nil),
@ -5525,6 +5541,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 				CreateIndex: 27,
 				ModifyIndex: 27,
 			},
+			AutoHostRewrite: true,
 		},
 	}
 	assert.ElementsMatch(t, expectWildcardIncludesDest, out)
@ -6018,7 +6035,8 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) {
 				CreateIndex: 19,
 				ModifyIndex: 19,
 			},
-			ServiceKind: structs.GatewayServiceKindService,
+			ServiceKind:     structs.GatewayServiceKindService,
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -6040,6 +6058,7 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) {
 				CreateIndex: 20,
 				ModifyIndex: 20,
 			},
+			AutoHostRewrite: true,
 		},
 		{
 			Service:      structs.NewServiceName("db", nil),
@ -6050,6 +6069,7 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) {
 				CreateIndex: 20,
 				ModifyIndex: 20,
 			},
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -6077,6 +6097,7 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) {
 				CreateIndex: 19,
 				ModifyIndex: 20,
 			},
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -6097,6 +6118,7 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) {
 				CreateIndex: 20,
 				ModifyIndex: 20,
 			},
+			AutoHostRewrite: true,
 		},
 	}
 	assert.Equal(t, expect, out)
@ -7016,6 +7038,7 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 		// Read everything back.
 		ws = memdb.NewWatchSet()
 		idx, out, err := s.DumpGatewayServices(ws)
+		fmt.Println(out)
 		assert.Nil(t, err)
 		assert.Equal(t, idx, uint64(21))
 		assert.Len(t, out, 2)
@ -7033,7 +7056,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 21,
 					ModifyIndex: 21,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
 				Service:     structs.NewServiceName("db", nil),
@ -7043,7 +7067,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 21,
 					ModifyIndex: 21,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 		}
 		assert.Equal(t, expect, out)
@ -7077,6 +7102,7 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 		assert.False(t, watchFired(ws))

 		idx, out, err := s.DumpGatewayServices(ws)
+		fmt.Println(out)
 		assert.Nil(t, err)
 		assert.Equal(t, idx, uint64(21))
 		assert.Len(t, out, 2)
@ -7094,7 +7120,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 21,
 					ModifyIndex: 21,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
 				Service:     structs.NewServiceName("db", nil),
@ -7104,7 +7131,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 21,
 					ModifyIndex: 21,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 		}
 		assert.Equal(t, expect, out)
@ -7134,7 +7162,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 21,
 					ModifyIndex: 21,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
 				Service:     structs.NewServiceName("db", nil),
@ -7144,7 +7173,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 21,
 					ModifyIndex: 21,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
 				Service:      structs.NewServiceName("redis", nil),
@ -7159,7 +7189,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 22,
 					ModifyIndex: 22,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 		}
 		assert.Equal(t, expect, out)
@ -7189,7 +7220,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 21,
 					ModifyIndex: 21,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
 				Service:     structs.NewServiceName("db", nil),
@ -7199,7 +7231,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 21,
 					ModifyIndex: 21,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 		}
 		assert.Equal(t, expect, out)
@ -7233,7 +7266,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 24,
 					ModifyIndex: 24,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 		}
 		assert.Equal(t, expect, out)
@ -7291,7 +7325,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) {
 					CreateIndex: 24,
 					ModifyIndex: 24,
 				},
-				ServiceKind: structs.GatewayServiceKindService,
+				ServiceKind:     structs.GatewayServiceKindService,
+				AutoHostRewrite: true,
 			},
 			{
 				Service:     structs.NewServiceName("api", nil),
--- a/agent/consul/state/config_entry_test.go
+++ b/agent/consul/state/config_entry_test.go
@ -772,6 +772,7 @@ func TestStore_ServiceDefaults_Kind_Destination_Wildcard(t *testing.T) {
 					CreateIndex: 8,
 					ModifyIndex: 8,
 				},
+				AutoHostRewrite: true,
 			},
 		}
 		require.Equal(t, expected, gatewayServices)
@ -819,6 +820,7 @@ func TestStore_ServiceDefaults_Kind_Destination_Wildcard(t *testing.T) {
 					CreateIndex: 7,
 					ModifyIndex: 7,
 				},
+				AutoHostRewrite: true,
 			},
 		}
 		require.Equal(t, expected, gatewayServices)
@ -843,6 +845,7 @@ func TestStore_ServiceDefaults_Kind_Destination_Wildcard(t *testing.T) {
 					CreateIndex: 7,
 					ModifyIndex: 9,
 				},
+				AutoHostRewrite: true,
 			},
 		}
 		require.Equal(t, expected, gatewayServices)
--- a/agent/proxycfg/testing_terminating_gateway.go
+++ b/agent/proxycfg/testing_terminating_gateway.go
@ -160,20 +160,24 @@ func TestConfigSnapshotTerminatingGateway(t testing.T, populateServices bool, ns

 		tgtwyServices = append(tgtwyServices,
 			&structs.GatewayService{
-				Service: web,
-				CAFile:  "ca.cert.pem",
+				Service:         web,
+				CAFile:          "ca.cert.pem",
+				AutoHostRewrite: true,
 			},
 			&structs.GatewayService{
-				Service:  api,
-				CAFile:   "ca.cert.pem",
-				CertFile: "api.cert.pem",
-				KeyFile:  "api.key.pem",
+				Service:         api,
+				CAFile:          "ca.cert.pem",
+				CertFile:        "api.cert.pem",
+				KeyFile:         "api.key.pem",
+				AutoHostRewrite: true,
 			},
 			&structs.GatewayService{
-				Service: db,
+				Service:         db,
+				AutoHostRewrite: true,
 			},
 			&structs.GatewayService{
-				Service: cache,
+				Service:         cache,
+				AutoHostRewrite: true,
 			},
 		)

@ -359,26 +363,31 @@ func TestConfigSnapshotTerminatingGatewayDestinations(t testing.T, populateDesti
 	if populateDestinations {
 		tgtwyServices = append(tgtwyServices,
 			&structs.GatewayService{
-				Service:     externalIPTCP,
-				ServiceKind: structs.GatewayServiceKindDestination,
+				Service:         externalIPTCP,
+				ServiceKind:     structs.GatewayServiceKindDestination,
+				AutoHostRewrite: true,
 			},
 			&structs.GatewayService{
-				Service:     externalHostnameTCP,
-				ServiceKind: structs.GatewayServiceKindDestination,
+				Service:         externalHostnameTCP,
+				ServiceKind:     structs.GatewayServiceKindDestination,
+				AutoHostRewrite: true,
 			},
 			&structs.GatewayService{
-				Service:     externalIPHTTP,
-				ServiceKind: structs.GatewayServiceKindDestination,
+				Service:         externalIPHTTP,
+				ServiceKind:     structs.GatewayServiceKindDestination,
+				AutoHostRewrite: true,
 			},
 			&structs.GatewayService{
-				Service:     externalHostnameHTTP,
-				ServiceKind: structs.GatewayServiceKindDestination,
+				Service:         externalHostnameHTTP,
+				ServiceKind:     structs.GatewayServiceKindDestination,
+				AutoHostRewrite: true,
 			},
 			&structs.GatewayService{
-				Service:     externalHostnameWithSNI,
-				ServiceKind: structs.GatewayServiceKindDestination,
-				CAFile:      "cert.pem",
-				SNI:         "api.test.com",
+				Service:         externalHostnameWithSNI,
+				ServiceKind:     structs.GatewayServiceKindDestination,
+				CAFile:          "cert.pem",
+				SNI:             "api.test.com",
+				AutoHostRewrite: true,
 			},
 		)

@ -713,16 +722,18 @@ func TestConfigSnapshotTerminatingGatewaySNI(t testing.T) *ConfigSnapshot {
 			Result: &structs.IndexedGatewayServices{
 				Services: []*structs.GatewayService{
 					{
-						Service: structs.NewServiceName("web", nil),
-						CAFile:  "ca.cert.pem",
-						SNI:     "foo.com",
+						Service:         structs.NewServiceName("web", nil),
+						CAFile:          "ca.cert.pem",
+						SNI:             "foo.com",
+						AutoHostRewrite: true,
 					},
 					{
-						Service:  structs.NewServiceName("api", nil),
-						CAFile:   "ca.cert.pem",
-						CertFile: "api.cert.pem",
-						KeyFile:  "api.key.pem",
-						SNI:      "bar.com",
+						Service:         structs.NewServiceName("api", nil),
+						CAFile:          "ca.cert.pem",
+						CertFile:        "api.cert.pem",
+						KeyFile:         "api.key.pem",
+						SNI:             "bar.com",
+						AutoHostRewrite: true,
 					},
 				},
 			},
@ -739,8 +750,9 @@ func TestConfigSnapshotTerminatingGatewayHTTP2(t testing.T) *ConfigSnapshot {
 			Result: &structs.IndexedGatewayServices{
 				Services: []*structs.GatewayService{
 					{
-						Service: web,
-						CAFile:  "ca.cert.pem",
+						Service:         web,
+						CAFile:          "ca.cert.pem",
+						AutoHostRewrite: true,
 					},
 				},
 			},
@ -799,8 +811,9 @@ func TestConfigSnapshotTerminatingGatewaySubsetsHTTP2(t testing.T) *ConfigSnapsh
 			Result: &structs.IndexedGatewayServices{
 				Services: []*structs.GatewayService{
 					{
-						Service: web,
-						CAFile:  "ca.cert.pem",
+						Service:         web,
+						CAFile:          "ca.cert.pem",
+						AutoHostRewrite: true,
 					},
 				},
 			},
--- a/agent/structs/config_entry_gateways.go
+++ b/agent/structs/config_entry_gateways.go
@ -518,6 +518,9 @@ type LinkedService struct {
 	// SNI is the optional name to specify during the TLS handshake with a linked service
 	SNI string `json:",omitempty"`

+	//DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true.
+	DisableAutoHostRewrite bool `json:",omitempty"`
+
 	acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
 }

@ -668,6 +671,7 @@ type GatewayService struct {
 	FromWildcard bool               `json:",omitempty"`
 	ServiceKind  GatewayServiceKind `json:",omitempty"`
 	RaftIndex
+	AutoHostRewrite bool `json:",omitempty"`
 }

 type GatewayServices []*GatewayService
@ -715,14 +719,15 @@ func (g *GatewayService) Clone() *GatewayService {
 		Port:        g.Port,
 		Protocol:    g.Protocol,
 		// See https://github.com/go101/go101/wiki/How-to-efficiently-clone-a-slice%3F
-		Hosts:        append(g.Hosts[:0:0], g.Hosts...),
-		CAFile:       g.CAFile,
-		CertFile:     g.CertFile,
-		KeyFile:      g.KeyFile,
-		SNI:          g.SNI,
-		FromWildcard: g.FromWildcard,
-		RaftIndex:    g.RaftIndex,
-		ServiceKind:  g.ServiceKind,
+		Hosts:           append(g.Hosts[:0:0], g.Hosts...),
+		CAFile:          g.CAFile,
+		CertFile:        g.CertFile,
+		KeyFile:         g.KeyFile,
+		SNI:             g.SNI,
+		FromWildcard:    g.FromWildcard,
+		RaftIndex:       g.RaftIndex,
+		ServiceKind:     g.ServiceKind,
+		AutoHostRewrite: g.AutoHostRewrite,
 	}
 }

--- a/agent/xds/routes.go
+++ b/agent/xds/routes.go
@ -158,11 +158,13 @@ func (s *ResourceGenerator) routesForTerminatingGateway(cfgSnap *proxycfg.Config
 				"error", err,
 			)
 		}
+		service := cfgSnap.TerminatingGateway.GatewayServices[svc]
+		autoHostRewrite := service.AutoHostRewrite
 		if !structs.IsProtocolHTTPLike(cfg.Protocol) {
 			// Routes can only be defined for HTTP services
 			continue
 		}
-		routes, err := s.makeRoutes(cfgSnap, svc, clusterName, true)
+		routes, err := s.makeRoutes(cfgSnap, svc, clusterName, autoHostRewrite)
 		if err != nil {
 			return nil, err
 		}
@ -231,7 +233,7 @@ func (s *ResourceGenerator) makeRoutes(
 	// If there is a service-resolver for this service then also setup routes for each subset
 	for name := range resolver.Subsets {
 		clusterName = connect.ServiceSNI(svc.Name, name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
-		route, err := makeNamedDefaultRouteWithLB(clusterName, lb, resolver.RequestTimeout, true)
+		route, err := makeNamedDefaultRouteWithLB(clusterName, lb, resolver.RequestTimeout, autoHostRewrite)
 		if err != nil {
 			s.Logger.Error("failed to make route", "cluster", clusterName, "error", err)
 			return nil, err
--- a/api/config_entry_gateways.go
+++ b/api/config_entry_gateways.go
@ -195,6 +195,9 @@ type TerminatingGatewayConfigEntry struct {
 type LinkedService struct {
 	// Referencing other partitions is not supported.

+	//DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true.
+	DisableAutoHostRewrite bool `json:",omitempty"`
+
 	// Namespace is where the service is registered.
 	Namespace string `json:",omitempty"`

--- a/website/content/docs/connect/config-entries/terminating-gateway.mdx
+++ b/website/content/docs/connect/config-entries/terminating-gateway.mdx
@ -679,6 +679,12 @@ spec:
          `An optional hostname or domain name to specify during the TLS handshake. This option will also configure [strict SAN matching](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-certificatevalidationcontext-match-typed-subject-alt-names), which requires
            the external services to have certificates with SANs, not having which will result in \`CERTIFICATE_VERIFY_FAILED\` error.`,
        },
+        {
+          name: 'DisableAutoHostRewrite',
+          type: 'bool: ""',
+          description:
+            'When set to true, Terminating Gateway will not modify the incoming requests host header for this service.',
+        },
      ],
    },
  ]}