TLS Inspector
The TLS Inspector listener filter detects whether the transport appears to be TLS or plaintext and, if it is TLS, extracts the Server Name Indication and/or Application-Layer Protocol Negotiation from the client. These values can be used to select a FilterChain via the server_names and/or application_protocols of a FilterChainMatch.
This filter may be configured with the name envoy.filters.listener.tls_inspector or type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector as the type_url.
Example
A sample filter configuration could be:
listener_filters:
- name: "envoy.filters.listener.tls_inspector"
Or by specifying the type_url of the typed_config:
listener_filters:
- name: "tls_inspector"
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
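The filter chain selection described at the top of this page, as an added example that is not taken from the Envoy documentation: a listener entry that routes on the inspected SNI and ALPN without terminating TLS. The listener name, port, hostnames, stat prefixes and cluster names are assumptions, and the two clusters are assumed to be defined elsewhere in the bootstrap.

```yaml
# Added example: listener name, port, hostnames and cluster names are assumptions.
listeners:
- name: ingress_tls
  address:
    socket_address: { address: 0.0.0.0, port_value: 8443 }
  listener_filters:
  # Listener filters run before a filter chain is selected, so the
  # SNI and ALPN values are available to the matches below.
  - name: envoy.filters.listener.tls_inspector
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  # TLS, SNI exactly api.example.com, client offers h2 in ALPN.
  - filter_chain_match:
      transport_protocol: tls
      server_names: ["api.example.com"]
      application_protocols: ["h2"]
    filters:
    - name: envoy.filters.network.tcp_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
        stat_prefix: api_h2_passthrough
        cluster: api_backend   # assumed cluster
  # Any other TLS connection whose SNI is a subdomain of example.com.
  - filter_chain_match:
      transport_protocol: tls
      server_names: ["*.example.com"]
    filters:
    - name: envoy.filters.network.tcp_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
        stat_prefix: web_passthrough
        cluster: web_backend   # assumed cluster
  # No plaintext chain and no default chain are defined here, so
  # plaintext connections and TLS without a matching SNI find no
  # filter chain and are closed.
```

The SNI and ALPN values come from the unauthenticated Client Hello, so a match selects a filter chain but does not establish who the client is. The backend that completes the handshake still has to enforce its own certificate and access checks.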
Statistics
This filter has a statistics tree rooted at tls_inspector with the following statistics:
Name | Type | Description |
---|---|---|
connection_closed | Counter | Total connections closed |
client_hello_too_large | Counter | Total unreasonably large Client Hello received |
read_error | Counter | Total read errors |
tls_found | Counter | Total number of times TLS was found |
tls_not_found | Counter | Total number of times TLS was not found |
alpn_found | Counter | Total number of times Application-Layer Protocol Negotiation was successful |
alpn_not_found | Counter | Total number of times Application-Layer Protocol Negotiation has failed |
sni_found | Counter | Total number of times Server Name Indication was found |
sni_not_found | Counter | Total number of times Server Name Indication was not found |