Remove hop headers

Requested by @LucasRoesler - removes headers detailed in HTTP
spec which are not supposed to be forwarded by proxies or
gateways.

Signed-off-by: Alex Ellis <alexellis2@gmail.com>

gateway/handlers/forwarding_proxy.go

@@ -80,6 +80,7 @@ func buildUpstreamRequest(r *http.Request, baseURL string, requestURL string) *h
 	upstreamReq, _ := http.NewRequest(r.Method, url, nil)
 
 	copyHeaders(upstreamReq.Header, &r.Header)
+	deleteHeaders(&upstreamReq.Header, &hopHeaders)
 
 	if len(r.Host) > 0 && upstreamReq.Header.Get("X-Forwarded-Host") == "" {
 		upstreamReq.Header["X-Forwarded-Host"] = []string{r.Host}
@@ -141,6 +142,12 @@ func copyHeaders(destination http.Header, source *http.Header) {
 	}
 }
 
+func deleteHeaders(target *http.Header, exclude *[]string) {
+	for _, h := range *exclude {
+		target.Del(h)
+	}
+}
+
 // SingleHostBaseURLResolver resolves URLs against a single BaseURL
 type SingleHostBaseURLResolver struct {
 	BaseURL string
@@ -208,3 +215,20 @@ func (f FunctionPrefixTrimmingURLPathTransformer) Transform(r *http.Request) str
 
 	return ret
 }
+
+// Hop-by-hop headers. These are removed when sent to the backend.
+// As of RFC 7230, hop-by-hop headers are required to appear in the
+// Connection header field. These are the headers defined by the
+// obsoleted RFC 2616 (section 13.5.1) and are used for backward
+// compatibility.
+var hopHeaders = []string{
+	"Connection",
+	"Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
+	"Keep-Alive",
+	"Proxy-Authenticate",
+	"Proxy-Authorization",
+	"Te",      // canonicalized version of "TE"
+	"Trailer", // not Trailers per URL above; https://www.rfc-editor.org/errata_search.php?eid=4522
+	"Transfer-Encoding",
+	"Upgrade",
+}