Dynamic forward proxy

The following is a complete configuration that configures both the dynamic forward proxy HTTP filter as well as the dynamic forward proxy cluster. Both filter and cluster must be configured together and point to the same DNS cache parameters for Envoy to operate as an HTTP dynamic forward proxy.

This filter supports host rewrite via the virtual host’s typed_per_filter_config or the route’s typed_per_filter_config. This can be used to rewrite the host header with the provided value before DNS lookup, thus allowing to route traffic to the rewritten host when forwarding. See the example below within the configured routes.

Warning

Servers operating dynamic forward proxy in environments where either client or destination are untrusted are subject to confused deputy attacks. For example, a client may attempt to use the dynamic forward capability to access a port on the server’s localhost, link-local addresses, Cloud-provider metadata server or the private network in which the proxy is operating. Similarly, an untrusted network endpoint might establish DNS records that point to any of the forementioned locations. Dynamic forward proxy servers should be protected by network firewalls, default-deny RBAC and other restrictions on container or kernel networking; the details are setup specific. Please consider carefully auditing the dynamic forward proxy server’s networking configuration with the understanding that any address reachable from the proxy is potentially accessible by untrusted clients.

Note

Configuring a transport_socket with name envoy.transport_sockets.tls on the cluster with trusted_ca certificates instructs Envoy to use TLS when connecting to upstream hosts and verify the certificate chain. Additionally, Envoy will automatically perform SAN verification for the resolved host name as well as specify the host name via SNI.

Dynamic forward proxy uses circuit breakers built in to the DNS cache with the configuration of DNS cache circuit breakers.

admin:
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/force-host-rewrite"
                route:
                  cluster: dynamic_forward_proxy_cluster
                typed_per_filter_config:
                  envoy.filters.http.dynamic_forward_proxy:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
                    host_rewrite_literal: www.example.org
              - match:
                  prefix: "/"
                route:
                  cluster: dynamic_forward_proxy_cluster
          http_filters:
          - name: envoy.filters.http.dynamic_forward_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
              dns_cache_config:
                name: dynamic_forward_proxy_cache_config
                dns_lookup_family: V4_ONLY
                typed_dns_resolver_config:
                  name: envoy.network.dns_resolver.cares
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
                    resolvers:
                    - socket_address:
                        address: "8.8.8.8"
                        port_value: 53
                    dns_resolver_options:
                      use_tcp_for_dns_lookups: true
                      no_default_search_domain: true
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
          typed_dns_resolver_config:
            name: envoy.network.dns_resolver.cares
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
              resolvers:
              - socket_address:
                  address: "8.8.8.8"
                  port_value: 53
              dns_resolver_options:
                use_tcp_for_dns_lookups: true
                no_default_search_domain: true
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          validation_context:
            trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}

Above example is using typed config CaresDnsResolverConfig. To use AppleDnsResolverConfig (iOS/macOS only), follow below example:

typed_dns_resolver_config:
  name: envoy.network.dns_resolver.apple
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.apple.v3.AppleDnsResolverConfig

Statistics

The dynamic forward proxy DNS cache outputs statistics in the dns_cache.<dns_cache_name>.* namespace.

Name

Type

Description

dns_query_attempt

Counter

Number of DNS query attempts.

dns_query_success

Counter

Number of DNS query successes.

dns_query_failure

Counter

Number of DNS query failures.

dns_query_timeout

Counter

Number of DNS query timeouts.

host_address_changed

Counter

Number of DNS queries that resulted in a host address change.

host_added

Counter

Number of hosts that have been added to the cache.

host_removed

Counter

Number of hosts that have been removed from the cache.

num_hosts

Gauge

Number of hosts that are currently in the cache.

dns_rq_pending_overflow

Counter

Number of dns pending request overflow.

The dynamic forward proxy DNS cache circuit breakers outputs statistics in the dns_cache.<dns_cache_name>.circuit_breakers* namespace.

Name

Type

Description

rq_pending_open

Gauge

Whether the requests circuit breaker is closed (0) or open (1)

rq_pending_remaining

Gauge

Number of remaining requests until the circuit breaker opens