fix(aibridge): strip proxy headers from bridge requests to fix Bedrock SigV4 signing (#26019) #26054
Open
github-actions[bot] wants to merge 1 commit into
…k SigV4 signing (#26019)

## Problem

On bridge routes, aibridge acts as a client and originates new outbound requests via the SDK. Proxy headers (`X-Forwarded-For`, `X-Forwarded-Host`, etc.) from the inbound client request were forwarded on the outbound request. The SigV4 signer signs all headers present, so any in-transit modification by an egress proxy (e.g. appending an IP to `X-Forwarded-For`) invalidated the signature, causing AWS Bedrock to reject the request with:

> 403: "The request signature we calculated does not match the signature you provided."

## Changes

- Strip proxy headers in `PrepareClientHeaders` on bridge routes
- Add unit test for proxy header stripping in `client_headers_test.go`
- Add integration test that verifies SigV4 signature remains valid after an egress proxy modifies headers in transit
- Add integration test that verifies passthrough routes still set forwarded headers correctly

Related to internal [Slack thread](https://codercom.slack.com/archives/C096PFVBZKN/p1779919049215969).

> 🤖 Generated by Coder Agents, modified and reviewed by @ssncferreira

(cherry picked from commit b7635b5)
f0ssel approved these changes (Jun 4, 2026)
Backport of #26019
Original PR: #26019 — fix(aibridge): strip proxy headers from bridge requests to fix Bedrock SigV4 signing
Merge commit: b7635b5
Requested by: @dannykopping
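
The failure mode described in the Problem section, as an added example that is not code from this PR or the coder code base: a signer that covers every header present breaks when an egress proxy appends to `X-Forwarded-For`, and holds once proxy headers are stripped before signing. The HMAC here is a simplified stand-in for SigV4, and `stripProxyHeaders`, `survivesEgressProxy`, the `proxyHeaders` list, the key and the IP addresses are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/http"
)

// Assumed list: the PR description names only these two, then "etc.".
var proxyHeaders = []string{"X-Forwarded-For", "X-Forwarded-Host"}

// stripProxyHeaders (hypothetical helper) copies h without the proxy headers.
func stripProxyHeaders(h http.Header) http.Header {
	out := h.Clone()
	for _, name := range proxyHeaders {
		out.Del(name)
	}
	return out
}

// sign is a simplified stand-in for SigV4, not the real algorithm: an HMAC
// over the named headers, playing the role of the SignedHeaders list.
func sign(key []byte, h http.Header, names []string) []byte {
	mac := hmac.New(sha256.New, key)
	for _, name := range names {
		fmt.Fprintf(mac, "%s:%q\n", name, h.Values(name))
	}
	return mac.Sum(nil)
}

// survivesEgressProxy signs every header present in h, lets a simulated egress
// proxy append its IP to X-Forwarded-For, and recomputes as the receiver would.
func survivesEgressProxy(key []byte, h http.Header) bool {
	names := make([]string, 0, len(h))
	for name := range h {
		names = append(names, name)
	}
	sent := sign(key, h, names)
	inTransit := h.Clone()
	inTransit.Add("X-Forwarded-For", "203.0.113.7") // constructed proxy IP
	return hmac.Equal(sent, sign(key, inTransit, names))
}

func main() {
	key := []byte("constructed-demo-key")
	in := http.Header{"X-Forwarded-For": {"198.51.100.4"}, "Content-Type": {"application/json"}}
	fmt.Println("forwarded as-is:", survivesEgressProxy(key, in))
	fmt.Println("stripped first: ", survivesEgressProxy(key, stripProxyHeaders(in)))
}
```

After stripping, the header the proxy adds in transit is not in the signed set, so the receiver's recomputation ignores it and the signature still matches.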