Dynamic forward proxy cluster configuration (proto)


[extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig proto]

Configuration for the dynamic forward proxy cluster. See the architecture overview for more information.

This extension has the qualified name envoy.clusters.dynamic_forward_proxy.


This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.


This extension extends and can be used with the following extension category:

{
  "dns_cache_config": {...},
  "allow_insecure_cluster_options": ...,
  "allow_coalesced_connections": ...
}

dns_cache_config
(extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig, REQUIRED) The DNS cache configuration that the cluster will attach to. Note that this configuration must match that of the associated dynamic forward proxy HTTP filter configuration.


allow_insecure_cluster_options
(bool) If true, allow the cluster configuration to disable the auto_sni and auto_san_validation options in the cluster's upstream_http_protocol_options.


allow_coalesced_connections
(bool) If true, allow HTTP/2 and HTTP/3 connections to be reused for requests to different origins than the connection was initially created for. This will only happen when the resolved address for the new connection matches the peer address of the connection and the TLS certificate is also valid for the new hostname. For example, if a connection has previously been established to foo.example.com at IP with a certificate that is valid for *.example.com, then this connection could be used for requests to bar.example.com if that also resolved to


By design, this feature will maximize reuse of connections. This means that instead of opening a new connection when an existing connection reaches the maximum number of concurrent streams, requests will be sent to the existing connection.


The coalesced connections might be to upstreams that would not be otherwise selected by Envoy. See the section Connection Reuse in RFC 7540.
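
A cluster definition showing where the three fields above sit and how they relate to auto_sni and auto_san_validation. This is an added example, not configuration taken from the Envoy documentation; the cluster name, DNS cache name and CA bundle path are assumptions.

```yaml
clusters:
- name: dynamic_forward_proxy_cluster            # assumed name
  lb_policy: CLUSTER_PROVIDED
  cluster_type:
    name: envoy.clusters.dynamic_forward_proxy
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
      # Must match the dns_cache_config of the associated
      # envoy.filters.http.dynamic_forward_proxy HTTP filter.
      dns_cache_config:
        name: dynamic_forward_proxy_cache_config  # assumed name
        dns_lookup_family: V4_ONLY
      # false: the cluster may not disable auto_sni / auto_san_validation.
      # Setting this to true is what permits turning either of them off below.
      allow_insecure_cluster_options: false
      # false: an HTTP/2 or HTTP/3 connection is only reused for the origin it
      # was created for. true enables reuse across origins when the resolved
      # address matches the peer address and the certificate covers the new host.
      allow_coalesced_connections: false
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      upstream_http_protocol_options:
        auto_sni: true             # SNI follows the requested host
        auto_san_validation: true  # upstream certificate SAN is checked against that host
      explicit_http_config:
        http2_protocol_options: {}
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      common_tls_context:
        validation_context:
          trusted_ca:
            filename: /etc/ssl/certs/ca-certificates.crt  # assumed CA bundle path
```

When reviewing an existing deployment, any cluster of this type with allow_insecure_cluster_options set to true should be checked for auto_sni or auto_san_validation having been switched off.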