The router filter implements HTTP forwarding. It will be used in almost all HTTP proxy scenarios that Envoy is deployed for. The filter’s main job is to follow the instructions specified in the configured route table. In addition to forwarding and redirection, the filter also handles retry, statistics, etc.
- v2 API reference
- This filter should be configured with the name envoy.router.
HTTP headers (consumed)¶
The router consumes and sets various HTTP headers both on the egress/request path as well as on the ingress/response path. They are documented in this section.
If a route config retry policy or a virtual host retry policy is in place, Envoy will default to retrying one time unless explicitly specified. The number of retries can be explicitly set in the virtual host retry config, the route retry config, or by using this header. If this header is used, its value takes precedence over the number of retries set in either retry policy. If a retry policy is not configured and x-envoy-retry-on or x-envoy-retry-grpc-on headers are not specified, Envoy will not retry a failed request.
A few notes on how Envoy does retries:
- The route timeout (set via x-envoy-upstream-rq-timeout-ms or the route configuration) includes all retries. Thus if the request timeout is set to 3s, and the first request attempt takes 2.7s, the retry (including back-off) has .3s to complete. This is by design to avoid an exponential retry/timeout explosion.
- Envoy uses a fully jittered exponential back-off algorithm for retries with a default base interval of 25ms. Given a base interval B and retry number N, the back-off for the retry is in the range \(\big[0, (2^N-1)B\big)\). For example, given the default interval, the first retry will be delayed randomly by 0-24ms, the 2nd by 0-74ms, the 3rd by 0-174ms, and so on. The interval is capped at a maximum interval, which defaults to 10 times the base interval (250ms). The default base interval (and therefore the maximum interval) can be manipulated by setting the upstream.base_retry_backoff_ms runtime parameter. The back-off intervals can also be modified by configuring the retry policy’s retry back-off.
- If max retries is set both by header as well as in the route configuration, the maximum value is taken when determining the max retries to use for the request.
Setting this header on egress requests will cause Envoy to attempt to retry failed requests (number of retries defaults to 1 and can be controlled by x-envoy-max-retries header or the route config retry policy or the virtual host retry policy). The value to which the x-envoy-retry-on header is set indicates the retry policy. One or more policies can be specified using a ‘,’ delimited list. The supported policies are:
Envoy will attempt a retry if the upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout). (Includes connect-failure and refused-stream)
- NOTE: Envoy will not retry when a request exceeds x-envoy-upstream-rq-timeout-ms (resulting in a 504 error code). Use x-envoy-upstream-rq-per-try-timeout-ms if you want to retry when individual attempts take too long. x-envoy-upstream-rq-timeout-ms is an outer time limit for a request, including any retries that take place.
- This policy is similar to the 5xx policy but will only retry requests that result in a 502, 503, or 504.
Envoy will attempt a retry if a request is failed because of a connection failure to the upstream server (connect timeout, etc.). (Included in 5xx)
Envoy will attempt a retry if the upstream server responds with a retriable 4xx response code. Currently, the only response code in this category is 409.
- NOTE: Be careful turning on this retry type. There are certain cases where a 409 can indicate that an optimistic locking revision needs to be updated. Thus, the caller should not retry and needs to read then attempt another write. If a retry happens in this type of case it will always fail with another 409.
- Envoy will attempt a retry if the upstream server resets the stream with a REFUSED_STREAM error code. This reset type indicates that a request is safe to retry. (Included in 5xx)
- Envoy will attempt a retry if the upstream server responds with any response code matching one defined in either the retry policy or in the x-envoy-retriable-status-codes header.
By default, Envoy will not perform retries unless you’ve configured them per above.
Setting this header on egress requests will cause Envoy to attempt to retry failed requests (number of retries defaults to 1, and can be controlled by x-envoy-max-retries header or the route config retry policy) or the virtual host retry policy. gRPC retries are currently only supported for gRPC status codes in response headers. gRPC status codes in trailers will not trigger retry logic. One or more policies can be specified using a ‘,’ delimited list. The supported policies are:
- Envoy will attempt a retry if the gRPC status code in the response headers is “cancelled” (1)
- Envoy will attempt a retry if the gRPC status code in the response headers is “deadline-exceeded” (4)
- Envoy will attempt to retry if the gRPC status code in the response headers is “internal” (13)
- Envoy will attempt a retry if the gRPC status code in the response headers is “resource-exhausted” (8)
- Envoy will attempt a retry if the gRPC status code in the response headers is “unavailable” (14)
As with the x-envoy-retry-grpc-on header, the number of retries can be controlled via the x-envoy-max-retries header
By default, Envoy will not perform retries unless you’ve configured them per above.
Setting this header informs Envoy about what status codes should be considered retriable when used in conjunction with the retriable-status-code retry policy. When the corresponding retry policy is set, the list of retriable status codes will be considered retriable in addition to the status codes enabled for retry through other retry policies.
The list is a comma delimited list of integers: “409” would cause 409 to be considered retriable, while “504,409” would consider both 504 and 409 retriable.
This header will only be honored for requests from internal clients.
Setting this header on egress requests will cause Envoy to emit upstream response code/timing statistics to a dual stat tree. This can be useful for application level categories that Envoy doesn’t know about. The output tree is documented here.
This should not be confused with alt_stat_name which is specified while defining the cluster and when provided specifies an alternative name for the cluster at the root of the statistic tree.
If an upstream host sets this header, the router will use it to generate canary specific statistics. The output tree is documented here.
Setting this header on egress requests will cause Envoy to set a 204 response code (instead of 504) in the event of a request timeout. The actual value of the header is ignored; only its presence is considered. See also x-envoy-upstream-rq-timeout-ms.
Setting this header on egress requests will cause Envoy to set a per try timeout on routed requests. This timeout must be <= the global route timeout (see x-envoy-upstream-rq-timeout-ms) or it is ignored. This allows a caller to set a tight per try timeout to allow for retries while maintaining a reasonable overall timeout.
Setting this header on egress requests will cause Envoy to use a request hedging strategy in the case of a per try timeout. This overrides the value set in the route configuration. This means that a retry will be issued without resetting the original request, leaving multiple upstream requests in flight.
The value of the header should be “true” or “false”, and is ignored if invalid.
If the upstream host returns this header (set to any value), Envoy will immediately assume the upstream host has failed active health checking (if the cluster has been configured for active health checking). This can be used to fast fail an upstream host via standard data plane processing without waiting for the next health check interval. The host can become healthy again via standard active health checks. See the health checking overview for more information.
If this header is set by upstream, Envoy will not retry. Currently the value of the header is not looked at, only its presence.
If this header is set by upstream, Envoy will not retry. Currently the value of the header is not looked at, only its presence. This header is set by rate limit filter when the request is rate limited.
If this header is present on ingress requests, its value will override any locally defined operation (span) name on the server span generated by the tracing mechanism. Similarly, if this header is present on an egress response, its value will override any locally defined operation (span) name on the client span.
HTTP headers (set)¶
The router sets various HTTP headers both on the egress/request path as well as on the ingress/response path. They are documented in this section.
Sent to the upstream to indicate which attempt the current request is in a series of retries. The value will be “1” on the initial request, incrementing by one for each retry. Only set if the include_attempt_count_header flag is set to true.
This is the time in milliseconds the router expects the request to be completed. Envoy sets this header so that the upstream host receiving the request can make decisions based on the request timeout, e.g., early exit. This is set on internal requests and is either taken from the x-envoy-upstream-rq-timeout-ms header or the route timeout, in that order.
Contains the time in milliseconds spent by the upstream host processing the request. This is useful if the client wants to determine service time compared to network latency. This header is set on responses.
If the route utilizes prefix_rewrite, Envoy will put the original path header in this header. This can be useful for logging and debugging.
The router outputs many statistics in the cluster namespace (depending on the cluster specified in the chosen route). See here for more information.
The router filter outputs statistics in the http.<stat_prefix>. namespace. The stat prefix comes from the owning HTTP connection manager.
|no_route||Counter||Total requests that had no route and resulted in a 404|
|no_cluster||Counter||Total requests in which the target cluster did not exist and resulted in a 404|
|rq_redirect||Counter||Total requests that resulted in a redirect response|
|rq_direct_response||Counter||Total requests that resulted in a direct response|
|rq_total||Counter||Total routed requests|
|rq_reset_after_downstream_response_started||Counter||Total requests that were reset after downstream response had started.|
Virtual cluster statistics are output in the vhost.<virtual host name>.vcluster.<virtual cluster name>. namespace and include the following statistics:
|upstream_rq_<*xx>||Counter||Aggregate HTTP response codes (e.g., 2xx, 3xx, etc.)|
|upstream_rq_<*>||Counter||Specific HTTP response codes (e.g., 201, 302, etc.)|
|upstream_rq_time||Histogram||Request time milliseconds|
The router filter supports the following runtime settings:
- Base exponential retry back-off time. See here and x-envoy-max-retries for more information. Defaults to 25ms. The default maximum retry back-off time is 10 times this value.
- upstream.maintenance_mode.<cluster name>
- % of requests that will result in an immediate 503 response. This overrides any routing behavior for requests that would have been destined for <cluster name>. This can be used for load shedding, failure injection, etc. Defaults to disabled.
- % of requests that are eligible for retry. This configuration is checked before any other retry configuration and can be used to fully disable retries across all Envoys if needed.