External Processing Filter

This extension may be referenced by the qualified name envoy.filters.http.ext_proc

Note

This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

Warning

This API is work-in-progress and is subject to breaking changes.

External Processing Filter

The External Processing filter allows an external service to act on HTTP traffic in a flexible way. It communicates with an external gRPC service that can use it to do a variety of things with the request and response:

  • Access and modify the HTTP headers on the request, response, or both

  • Access and modify the HTTP request and response bodies

  • Access and modify the dynamic stream metadata

  • Immediately send an HTTP response downstream and terminate other processing

The filter communicates with the server using a gRPC bidirectional stream. After the initial request, the external server is in control over what additional data is sent to it and how it should be processed.

By implementing the protocol specified by the stream, the external server can choose:

  • Whether it receives the response message at all

  • Whether it receives the message body at all, in separate chunks, or as a single buffer

  • Whether subsequent HTTP requests are transmitted synchronously or whether they are sent asynchronously.

All of this together allows a server to process the filter traffic in fairly sophisticated ways. For example:

  • A server may choose to examine all or part of the HTTP message bodies depending on the content of the headers.

  • A server may choose to immediately reject some messages based on their HTTP headers (or other dynamic metadata) and more carefully examine others

  • A server may asynchronously monitor traffic coming through the filter by inspecting headers, bodies, or both, and then decide to switch to a synchronous processing mode, either permanently or temporarily.

The protocol itself is based on a bidirectional gRPC stream. Envoy will send the server ProcessingRequest messages, and the server must reply with ProcessingResponse.

extensions.filters.http.ext_proc.v3alpha.ExternalProcessor

[extensions.filters.http.ext_proc.v3alpha.ExternalProcessor proto]

{
  "grpc_service": "{...}"
}
grpc_service

(config.core.v3.GrpcService) Configuration for the gRPC service that the filter will communicate with. The filter supports both the “Envoy” and “Google” gRPC clients.