SNI dynamic forward proxy
Attention
SNI dynamic forward proxy support should be considered alpha and not production ready.
By combining the TLS inspector listener filter, this network filter and the dynamic forward proxy cluster, Envoy can act as an SNI based dynamic forward proxy. The implementation works like the HTTP dynamic forward proxy, but takes the target host from the SNI value in the client's TLS ClientHello instead of from the HTTP Host header.
The following is a complete configuration for both this filter and the dynamic forward proxy cluster. The filter and the cluster must be configured together and point at the same DNS cache (a dns_cache_config with the same name and the same parameters) for Envoy to operate as an SNI dynamic forward proxy. As written, the listener accepts any SNI value and relays the connection to whichever host that value names, so it is an open relay for anyone who can reach port 10000; if untrusted clients can reach it, restrict the accepted server names with a filter_chain_match.server_names allowlist on the filter chain.
Note
The following config does not terminate TLS in the listener, so no TLS context needs to be configured on the cluster: Envoy passes the TLS handshake through unchanged. The TLS inspector only parses the ClientHello to extract the SNI value; it never sees decrypted traffic.
admin:
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    listener_filters:
    # Parses the ClientHello and exposes the SNI value to the filter chain.
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:
      # Resolves the SNI host through the shared DNS cache and selects it as the upstream.
      - name: envoy.filters.network.sni_dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
          # Default target port; used unless overridden per connection (see below).
          port_value: 443
          dns_cache_config:
            name: dynamic_forward_proxy_cache_config
            dns_lookup_family: V4_ONLY
      # Plain TCP proxying: the TLS bytes are relayed without termination.
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: dynamic_forward_proxy_cluster
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        # Must name the same cache, with the same parameters, as the filter above.
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
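The following is an added example, not part of the Envoy documentation, showing the same setup restricted so that the proxy only relays connections whose SNI matches an allowlist. The server names and the max_hosts value are assumed; the admin block is as in the configuration above. Only connections whose ClientHello carries a matching server name get a filter chain at all; a connection with no matching filter chain is closed by the listener and counted in the listener's no_filter_chain_match stat.

```yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    listener_filters:
    # Needed so that server_names matching below has an SNI value to work with.
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    # Assumed allowlist of destinations. server_names accepts exact names and a
    # single leading wildcard label. Connections with no SNI, or with an SNI outside
    # this list, match no chain and are closed before any DNS lookup happens.
    - filter_chain_match:
        server_names:
        - "api.example.com"
        - "*.cdn.example.net"
      filters:
      - name: envoy.filters.network.sni_dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
          port_value: 443
          dns_cache_config:
            name: dynamic_forward_proxy_cache_config
            dns_lookup_family: V4_ONLY
            # Assumed bound on cached hosts, so a client cannot grow the cache without limit.
            max_hosts: 256
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: dynamic_forward_proxy_cluster
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        # Same cache name and parameters as in the filter, including max_hosts.
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
          max_hosts: 256
```

To check the allowlist, open a TLS connection with an allowed and a disallowed server name (for instance with openssl s_client -connect 127.0.0.1:10000 -servername api.example.com, then with -servername evil.example.org) and compare the listener.0.0.0.0_10000.no_filter_chain_match counter on the admin /stats endpoint before and after: the disallowed name should increment it and never trigger a DNS lookup.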
Dynamic host and port selection
By default, the SNI dynamic forward proxy uses the SNI value as the target host, but other network filters can override it on a per-connection basis by setting a per-connection filter state object under the key envoy.upstream.dynamic_host. Likewise, the filter uses the port_value from its configuration as the target port, but this can be overridden on a per-connection basis by setting a filter state object under the key envoy.upstream.dynamic_port. When these objects are set, they take precedence over the SNI value and the default port. The overriding filter must run earlier in the filter chain than this filter, since the override is read when this filter handles the new connection. If the overriding port is outside the valid port range, the override is ignored and the configured default port is used. See the implementation for the details.
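An added example, not from the Envoy documentation, of overriding the target from another network filter: the set_filter_state network filter, placed ahead of the SNI dynamic forward proxy filter in the same chain, writes both keys on each new connection. The next-hop host name and the port are assumed values. Setting these keys through set_filter_state relies on Envoy registering a filter state object factory for them, which is assumed here; the page itself only states that the filter reads the keys.

```yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    listener_filters:
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:
      # Must precede the SNI dynamic forward proxy filter: the override is read when
      # that filter handles the new connection.
      - name: envoy.filters.network.set_filter_state
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.set_filter_state.v3.Config
          on_new_connection:
          # Send every connection to this next hop (assumed host) instead of the host
          # named by SNI. The SNI in the ClientHello is still relayed unchanged, so the
          # next hop can itself route on it.
          - object_key: envoy.upstream.dynamic_host
            format_string:
              text_format_source:
                inline_string: "egress-gateway.internal.example"
          # Port override (assumed value). An out-of-range value such as "70000" is
          # ignored and the filter falls back to port_value below.
          - object_key: envoy.upstream.dynamic_port
            format_string:
              text_format_source:
                inline_string: "8443"
      - name: envoy.filters.network.sni_dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
          port_value: 443
          dns_cache_config:
            name: dynamic_forward_proxy_cache_config
            dns_lookup_family: V4_ONLY
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: dynamic_forward_proxy_cluster
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
```

Because the filter state values are substitution format strings, the same mechanism lets a filter derive the host or port from connection attributes rather than constants; whatever writes them is part of the trust boundary, since it decides where the connection goes regardless of what the client put in SNI.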