Dynamic forward proxy¶
Attention
HTTP dynamic forward proxy support should be considered alpha and not production ready.
- HTTP dynamic forward proxy architecture overview
- v2 API reference
- This filter should be configured with the name envoy.filters.http.dynamic_forward_proxy
The following is a complete configuration that configures both the dynamic forward proxy HTTP filter as well as the dynamic forward proxy cluster. Both filter and cluster must be configured together and point to the same DNS cache parameters for Envoy to operate as an HTTP dynamic forward proxy.
Note
The HTTP connection manager allow_absolute_url parameter has been set to true to allow Envoy to proxy absolute HTTP URLs.
Attention
While configuring a tls_context on the cluster with trusted_ca certificates instructs Envoy to use TLS when connecting to upstream hosts and verify the certificate chain, currently it is not possible to configure per-host TLS configuration parameters including SNI, subject alt name verification, etc. This will be added in a future change. This means that the following configuration will not fully validate TLS certificates. Use with care until full support for per-host validation is implemented.
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address:
protocol: TCP
address: 127.0.0.1
port_value: 9901
static_resources:
listeners:
- name: listener_0
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
stat_prefix: ingress_http
http_protocol_options:
allow_absolute_url: true
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: dynamic_forward_proxy_cluster
http_filters:
- name: envoy.filters.http.dynamic_forward_proxy
config:
dns_cache_config:
name: dynamic_forward_proxy_cache_config
dns_lookup_family: V4_ONLY
- name: envoy.router
clusters:
- name: dynamic_forward_proxy_cluster
connect_timeout: 1s
lb_policy: CLUSTER_PROVIDED
cluster_type:
name: envoy.clusters.dynamic_forward_proxy
typed_config:
"@type": type.googleapis.com/envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig
dns_cache_config:
name: dynamic_forward_proxy_cache_config
dns_lookup_family: V4_ONLY
tls_context:
common_tls_context:
validation_context:
trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}
Statistics¶
The dynamic forward proxy DNS cache outputs statistics in the dns_cache.<dns_cache_name>.* namespace.
| Name | Type | Description |
|---|---|---|
| dns_query_attempt | Counter | Number of DNS query attempts. |
| dns_query_success | Counter | Number of DNS query successes. |
| dns_query_failure | Counter | Number of DNS query failures. |
| host_address_changed | Counter | Number of DNS queries that resulted in a host address change. |
| host_added | Counter | Number of hosts that have been added to the cache. |
| host_removed | Counter | Number of hosts that have been removed from the cache. |
| num_hosts | Gauge | Number of hosts that are currently in the cache. |