TCP Proxy

This documentation is for the Envoy v3 API.

As of Envoy v1.18 the v2 API has been removed and is no longer supported.

If you are upgrading from v2 API config you may wish to view the v2 API documentation:

This extension may be referenced by the qualified name envoy.filters.network.tcp_proxy

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

TCP Proxy configuration overview.

extensions.filters.network.tcp_proxy.v3.TcpProxy

[extensions.filters.network.tcp_proxy.v3.TcpProxy proto]

{
  "stat_prefix": "...",
  "cluster": "...",
  "weighted_clusters": "{...}",
  "metadata_match": "{...}",
  "idle_timeout": "{...}",
  "access_log": [],
  "max_connect_attempts": "{...}",
  "hash_policy": [],
  "tunneling_config": "{...}",
  "max_downstream_connection_duration": "{...}"
}
stat_prefix

(string, REQUIRED) The prefix to use when emitting statistics.

cluster

(string) The upstream cluster to connect to.

Precisely one of cluster, weighted_clusters must be set.

weighted_clusters

(extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster) Multiple upstream clusters can be specified for a given route. The request is routed to one of the upstream clusters based on weights assigned to each cluster.

Precisely one of cluster, weighted_clusters must be set.

metadata_match

(config.core.v3.Metadata) Optional endpoint metadata match criteria. Only endpoints in the upstream cluster with metadata matching that set in metadata_match will be considered. The filter name should be specified as envoy.lb.

idle_timeout

(Duration) The idle timeout for connections managed by the TCP proxy filter. The idle timeout is defined as the period in which there are no bytes sent or received on either the upstream or downstream connection. If not set, the default idle timeout is 1 hour. If set to 0s, the timeout will be disabled.

Warning

Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP FIN packets, etc.

access_log

(repeated config.accesslog.v3.AccessLog) Configuration for access logs emitted by the this tcp_proxy.

max_connect_attempts

(UInt32Value) The maximum number of unsuccessful connection attempts that will be made before giving up. If the parameter is not specified, 1 connection attempt will be made.

hash_policy

(repeated type.v3.HashPolicy) Optional configuration for TCP proxy hash policy. If hash_policy is not set, the hash-based load balancing algorithms will select a host randomly. Currently the number of hash policies is limited to 1.

tunneling_config

(extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig) If set, this configures tunneling, e.g. configuration options to tunnel TCP payload over HTTP CONNECT. If this message is absent, the payload will be proxied upstream as per usual.

max_downstream_connection_duration

(Duration) The maximum duration of a connection. The duration is defined as the period since a connection was established. If not set, there is no max duration. When max_downstream_connection_duration is reached the connection will be closed. Duration must be at least 1ms.

extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster

[extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster proto]

Allows for specification of multiple upstream clusters along with weights that indicate the percentage of traffic to be forwarded to each cluster. The router selects an upstream cluster based on these weights.

{
  "clusters": []
}
clusters

(repeated extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight, REQUIRED) Specifies one or more upstream clusters associated with the route.

extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight

[extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight proto]

{
  "name": "...",
  "weight": "...",
  "metadata_match": "{...}"
}
name

(string, REQUIRED) Name of the upstream cluster.

weight

(uint32) When a request matches the route, the choice of an upstream cluster is determined by its weight. The sum of weights across all entries in the clusters array determines the total weight.

metadata_match

(config.core.v3.Metadata) Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in the upstream cluster with metadata matching what is set in this field will be considered for load balancing. Note that this will be merged with what’s provided in TcpProxy.metadata_match, with values here taking precedence. The filter name should be specified as envoy.lb.

extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig

[extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig proto]

Configuration for tunneling TCP over other transports or application layers. Tunneling is supported over both HTTP/1.1 and HTTP/2. Upstream protocol is determined by the cluster configuration.

{
  "hostname": "...",
  "use_post": "...",
  "headers_to_add": []
}
hostname

(string, REQUIRED) The hostname to send in the synthesized CONNECT headers to the upstream proxy.

use_post

(bool) Use POST method instead of CONNECT method to tunnel the TCP stream. The ‘protocol: bytestream’ header is also NOT set for HTTP/2 to comply with the spec.

The upstream proxy is expected to convert POST payload as raw TCP.

headers_to_add

(repeated config.core.v3.HeaderValueOption) Additional request headers to upstream proxy. This is mainly used to trigger upstream to convert POST requests back to CONNECT requests.

Neither :-prefixed pseudo-headers nor the Host: header can be overridden.