Listener configuration

Listener configuration overview

config.listener.v3.Listener

[config.listener.v3.Listener proto]

{
  "name": "...",
  "address": "{...}",
  "filter_chains": [],
  "default_filter_chain": "{...}",
  "per_connection_buffer_limit_bytes": "{...}",
  "metadata": "{...}",
  "drain_type": "...",
  "listener_filters": [],
  "listener_filters_timeout": "{...}",
  "continue_on_listener_filters_timeout": "...",
  "transparent": "{...}",
  "freebind": "{...}",
  "socket_options": [],
  "tcp_fast_open_queue_length": "{...}",
  "traffic_direction": "...",
  "udp_listener_config": "{...}",
  "api_listener": "{...}",
  "connection_balance_config": "{...}",
  "reuse_port": "...",
  "access_log": [],
  "tcp_backlog_size": "{...}"
}
name

(string) The unique name by which this listener is known. If no name is provided, Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically updated or removed via LDS a unique name must be provided.

address

(config.core.v3.Address, REQUIRED) The address that the listener should listen on. In general, the address must be unique, though that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on Linux as the actual port will be allocated by the OS.

filter_chains

(config.listener.v3.FilterChain) A list of filter chains to consider for this listener. The FilterChain with the most specific FilterChainMatch criteria is used on a connection.

Example using SNI for filter chain selection can be found in the FAQ entry.

default_filter_chain

(config.listener.v3.FilterChain) The default filter chain if none of the filter chain matches. If no default filter chain is supplied, the connection will be closed. The filter chain match is ignored in this field.

per_connection_buffer_limit_bytes

(UInt32Value) Soft limit on size of the listener’s new connection read and write buffers. If unspecified, an implementation defined default is applied (1MiB).

Attention

This field should be configured in the presence of untrusted downstreams.

Example configuration for untrusted environments:

per_connection_buffer_limit_bytes: 32768.0
metadata

(config.core.v3.Metadata) Listener metadata.

drain_type

(config.listener.v3.Listener.DrainType) The type of draining to perform at a listener-wide level.

listener_filters

(config.listener.v3.ListenerFilter) Listener filters have the opportunity to manipulate and augment the connection metadata that is used in connection filter chain matching, for example. These filters are run before any in filter_chains. Order matters as the filters are processed sequentially right after a socket has been accepted by the listener, and before a connection is created. UDP Listener filters can be specified when the protocol in the listener socket address in protocol is UDP. UDP listeners currently support a single filter.

listener_filters_timeout

(Duration) The timeout to wait for all listener filters to complete operation. If the timeout is reached, the accepted socket is closed without a connection being created unless continue_on_listener_filters_timeout is set to true. Specify 0 to disable the timeout. If not specified, a default timeout of 15s is used.

continue_on_listener_filters_timeout

(bool) Whether a connection should be created when listener filters timeout. Default is false.

Attention

Some listener filters, such as Proxy Protocol filter, should not be used with this option. It will cause unexpected behavior when a connection is created.

transparent

(BoolValue) Whether the listener should be set as a transparent socket. When this flag is set to true, connections can be redirected to the listener using an iptables TPROXY target, in which case the original source and destination addresses and ports are preserved on accepted connections. This flag should be used in combination with an original_dst listener filter to mark the connections’ local addresses as “restored.” This can be used to hand off each redirected connection to another listener associated with the connection’s destination address. Direct connections to the socket without using TPROXY cannot be distinguished from connections redirected using TPROXY and are therefore treated as if they were redirected. When this flag is set to false, the listener’s socket is explicitly reset as non-transparent. Setting this flag requires Envoy to run with the CAP_NET_ADMIN capability. When this flag is not set (default), the socket is not modified, i.e. the transparent option is neither set nor reset.

freebind

(BoolValue) Whether the listener should set the IP_FREEBIND socket option. When this flag is set to true, listeners can be bound to an IP address that is not configured on the system running Envoy. When this flag is set to false, the option IP_FREEBIND is disabled on the socket. When this flag is not set (default), the socket is not modified, i.e. the option is neither enabled nor disabled.

socket_options

(config.core.v3.SocketOption) Additional socket options that may not be present in Envoy source code or precompiled binaries.

tcp_fast_open_queue_length

(UInt32Value) Whether the listener should accept TCP Fast Open (TFO) connections. When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on the socket, with a queue length of the specified size (see details in RFC7413). When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket. When this flag is not set (default), the socket is not modified, i.e. the option is neither enabled nor disabled.

On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable TCP_FASTOPEN. See ip-sysctl.txt.

On macOS, only values of 0, 1, and unset are valid; other values may result in an error. To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter.

traffic_direction

(config.core.v3.TrafficDirection) Specifies the intended direction of the traffic relative to the local Envoy.

udp_listener_config

(config.listener.v3.UdpListenerConfig) If the protocol in the listener socket address in protocol is UDP, this field specifies the actual udp listener to create, i.e. udp_listener_name = “raw_udp_listener” for creating a packet-oriented UDP listener. If not present, treat it as “raw_udp_listener”.

api_listener

(config.listener.v3.ApiListener) Used to represent an API listener, which is used in non-proxy clients. The type of API exposed to the non-proxy application depends on the type of API listener. When this field is set, no other field except for name should be set.

Note

Currently only one ApiListener can be installed; and it can only be done via bootstrap config, not LDS.

connection_balance_config

(config.listener.v3.Listener.ConnectionBalanceConfig) The listener’s connection balancer configuration, currently only applicable to TCP listeners. If no configuration is specified, Envoy will not attempt to balance active connections between worker threads.

reuse_port

(bool) When this flag is set to true, listeners set the SO_REUSEPORT socket option and create one socket for each worker thread. This makes inbound connections distribute among worker threads roughly evenly in cases where there are a high number of connections. When this flag is set to false, all worker threads share one socket.

Before Linux v4.19-rc1, new TCP connections may be rejected during hot restart (see 3rd paragraph in ‘soreuseport’ commit message). This issue was fixed by tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket.

access_log

(config.accesslog.v3.AccessLog) Configuration for access logs emitted by this listener.

tcp_backlog_size

(UInt32Value) The maximum length a tcp listener’s pending connections queue can grow to. If no value is provided net.core.somaxconn will be used on Linux and 128 otherwise.

config.listener.v3.Listener.ConnectionBalanceConfig

[config.listener.v3.Listener.ConnectionBalanceConfig proto]

Configuration for listener connection balancing.

{
  "exact_balance": "{...}"
}
exact_balance

(config.listener.v3.Listener.ConnectionBalanceConfig.ExactBalance, REQUIRED) If specified, the listener will use the exact connection balancer.

config.listener.v3.Listener.ConnectionBalanceConfig.ExactBalance

[config.listener.v3.Listener.ConnectionBalanceConfig.ExactBalance proto]

A connection balancer implementation that does exact balancing. This means that a lock is held during balancing so that connection counts are nearly exactly balanced between worker threads. This is “nearly” exact in the sense that a connection might close in parallel thus making the counts incorrect, but this should be rectified on the next accept. This balancer sacrifices accept throughput for accuracy and should be used when there are a small number of connections that rarely cycle (e.g., service mesh gRPC egress).

{}

Enum config.listener.v3.Listener.DrainType

[config.listener.v3.Listener.DrainType proto]

DEFAULT

(DEFAULT) ⁣Drain in response to calling /healthcheck/fail admin endpoint (along with the health check filter), listener removal/modification, and hot restart.

MODIFY_ONLY

⁣Drain in response to listener removal/modification and hot restart. This setting does not include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress and egress listeners.