TCP Proxy (proto)

This extension has the qualified name envoy.filters.network.tcp_proxy

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

TCP Proxy configuration overview.

extensions.filters.network.tcp_proxy.v3.TcpProxy

[extensions.filters.network.tcp_proxy.v3.TcpProxy proto]

{
  "stat_prefix": ...,
  "cluster": ...,
  "weighted_clusters": {...},
  "on_demand": {...},
  "metadata_match": {...},
  "idle_timeout": {...},
  "access_log": [],
  "max_connect_attempts": {...},
  "hash_policy": [],
  "tunneling_config": {...},
  "max_downstream_connection_duration": {...},
  "access_log_flush_interval": {...},
  "flush_access_log_on_connected": ...,
  "access_log_options": {...}
}
stat_prefix

(string, REQUIRED) The prefix to use when emitting statistics.

cluster

(string) The upstream cluster to connect to.

Precisely one of cluster, weighted_clusters must be set.

weighted_clusters

(extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster) Multiple upstream clusters can be specified for a given route. The request is routed to one of the upstream clusters based on weights assigned to each cluster.

Precisely one of cluster, weighted_clusters must be set.

on_demand

(extensions.filters.network.tcp_proxy.v3.TcpProxy.OnDemand) The on demand policy for the upstream cluster. It applies to both TcpProxy.cluster and TcpProxy.weighted_clusters.

metadata_match

(config.core.v3.Metadata) Optional endpoint metadata match criteria. Only endpoints in the upstream cluster with metadata matching that set in metadata_match will be considered. The filter name should be specified as envoy.lb.

idle_timeout

(Duration) The idle timeout for connections managed by the TCP proxy filter. The idle timeout is defined as the period in which there are no bytes sent or received on either the upstream or downstream connection. If not set, the default idle timeout is 1 hour. If set to 0s, the timeout will be disabled. It is possible to dynamically override this configuration by setting a per-connection filter state object for the key envoy.tcp_proxy.per_connection_idle_timeout_ms.

Warning

Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP FIN packets, etc.

access_log

(repeated config.accesslog.v3.AccessLog) Configuration for access logs emitted by the this tcp_proxy.

max_connect_attempts

(UInt32Value) The maximum number of unsuccessful connection attempts that will be made before giving up. If the parameter is not specified, 1 connection attempt will be made.

hash_policy

(repeated type.v3.HashPolicy) Optional configuration for TCP proxy hash policy. If hash_policy is not set, the hash-based load balancing algorithms will select a host randomly. Currently the number of hash policies is limited to 1.

tunneling_config

(extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig) If set, this configures tunneling, e.g. configuration options to tunnel TCP payload over HTTP CONNECT. If this message is absent, the payload will be proxied upstream as per usual. It is possible to dynamically override this configuration and disable tunneling per connection, by setting a per-connection filter state object for the key envoy.tcp_proxy.disable_tunneling.

max_downstream_connection_duration

(Duration) The maximum duration of a connection. The duration is defined as the period since a connection was established. If not set, there is no max duration. When max_downstream_connection_duration is reached the connection will be closed. Duration must be at least 1ms.

access_log_flush_interval

(Duration) .. attention:: This field is deprecated in favor of access_log_flush_interval. Note that if both this field and access_log_flush_interval are specified, the former (deprecated field) is ignored.

flush_access_log_on_connected

(bool) .. attention:: This field is deprecated in favor of flush_access_log_on_connected. Note that if both this field and flush_access_log_on_connected are specified, the former (deprecated field) is ignored.

access_log_options

(extensions.filters.network.tcp_proxy.v3.TcpProxy.TcpAccessLogOptions) Additional access log options for TCP Proxy.

extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster

[extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster proto]

Allows for specification of multiple upstream clusters along with weights that indicate the percentage of traffic to be forwarded to each cluster. The router selects an upstream cluster based on these weights.

{
  "clusters": []
}
clusters

(repeated extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight, REQUIRED) Specifies one or more upstream clusters associated with the route.

extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight

[extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight proto]

{
  "name": ...,
  "weight": ...,
  "metadata_match": {...}
}
name

(string, REQUIRED) Name of the upstream cluster.

weight

(uint32) When a request matches the route, the choice of an upstream cluster is determined by its weight. The sum of weights across all entries in the clusters array determines the total weight.

metadata_match

(config.core.v3.Metadata) Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in the upstream cluster with metadata matching what is set in this field will be considered for load balancing. Note that this will be merged with what’s provided in TcpProxy.metadata_match, with values here taking precedence. The filter name should be specified as envoy.lb.

extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig

[extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig proto]

Configuration for tunneling TCP over other transports or application layers. Tunneling is supported over both HTTP/1.1 and HTTP/2. Upstream protocol is determined by the cluster configuration.

{
  "hostname": ...,
  "use_post": ...,
  "headers_to_add": [],
  "propagate_response_headers": ...,
  "post_path": ...,
  "propagate_response_trailers": ...
}
hostname

(string, REQUIRED) The hostname to send in the synthesized CONNECT headers to the upstream proxy. This field evaluates command operators if set, otherwise returns hostname as is.

Example: dynamically set hostname using downstream SNI

tunneling_config:
  hostname: "%REQUESTED_SERVER_NAME%:443"

Example: dynamically set hostname using dynamic metadata

tunneling_config:
  hostname: "%DYNAMIC_METADATA(tunnel:address)%"
use_post

(bool) Use POST method instead of CONNECT method to tunnel the TCP stream. The ‘protocol: bytestream’ header is also NOT set for HTTP/2 to comply with the spec.

The upstream proxy is expected to convert POST payload as raw TCP.

headers_to_add

(repeated config.core.v3.HeaderValueOption) Additional request headers to upstream proxy. This is mainly used to trigger upstream to convert POST requests back to CONNECT requests.

Neither :-prefixed pseudo-headers nor the Host: header can be overridden.

propagate_response_headers

(bool) Save the response headers to the downstream info filter state for consumption by the network filters. The filter state key is envoy.tcp_proxy.propagate_response_headers.

post_path

(string) The path used with POST method. Default path is /. If post path is specified and use_post field isn’t true, it will be rejected.

propagate_response_trailers

(bool) Save the response trailers to the downstream info filter state for consumption by the network filters. The filter state key is envoy.tcp_proxy.propagate_response_trailers.

extensions.filters.network.tcp_proxy.v3.TcpProxy.OnDemand

[extensions.filters.network.tcp_proxy.v3.TcpProxy.OnDemand proto]

{
  "odcds_config": {...}
}
odcds_config

(config.core.v3.ConfigSource) An optional configuration for on-demand cluster discovery service. If not specified, the on-demand cluster discovery will be disabled. When it’s specified, the filter will pause a request to an unknown cluster and will begin a cluster discovery process. When the discovery is finished (successfully or not), the request will be resumed.

extensions.filters.network.tcp_proxy.v3.TcpProxy.TcpAccessLogOptions

[extensions.filters.network.tcp_proxy.v3.TcpProxy.TcpAccessLogOptions proto]

{
  "access_log_flush_interval": {...},
  "flush_access_log_on_connected": ...
}
access_log_flush_interval

(Duration) The interval to flush access log. The TCP proxy will flush only one access log when the connection is closed by default. If this field is set, the TCP proxy will flush access log periodically with the specified interval. The interval must be at least 1ms.

flush_access_log_on_connected

(bool) If set to true, access log will be flushed when the TCP proxy has successfully established a connection with the upstream. If the connection failed, the access log will not be flushed.