Proxy Protocol Filter (proto)

This extension has the qualified name envoy.filters.listener.proxy_protocol

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

PROXY protocol listener filter.

extensions.filters.listener.proxy_protocol.v3.ProxyProtocol

[extensions.filters.listener.proxy_protocol.v3.ProxyProtocol proto]

{
  "rules": [],
  "allow_requests_without_proxy_protocol": ...,
  "pass_through_tlvs": {...}
}

rules

(repeated extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.Rule) The list of rules to apply to requests.

allow_requests_without_proxy_protocol

(bool) Allow requests through that don’t use proxy protocol. Defaults to false.

Attention

This breaks conformance with the specification. Only enable if ALL traffic to the listener comes from a trusted source. For more information on the security implications of this feature, see https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt

Attention

Requests of 12 or fewer bytes that match the proxy protocol v2 signature and requests of 6 or fewer bytes that match the proxy protocol v1 signature will time out, because Envoy is unable to differentiate these requests from incomplete proxy protocol requests.
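
The ambiguity behind that timeout, as an added example (a simplified model written for this page, not Envoy's own code). The function name, return labels and sample inputs are assumptions; the two signatures are the ones defined in the PROXY protocol specification.

```python
# Simplified model of the signature check described above (not Envoy's code).
V1_SIGNATURE = b"PROXY "                  # 6 bytes
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12 bytes


def classify(peeked: bytes, allow_without_proxy_protocol: bool = False) -> str:
    """Classify the first bytes read from a new downstream connection.

    Returns one of:
      "v1" / "v2"   - full signature seen and more bytes follow: parse header
      "wait"        - bytes so far are a prefix of (or equal to) a signature,
                      so they look like an incomplete header; if nothing else
                      arrives, the connection times out
      "passthrough" - not PROXY protocol, accepted because the option is on
      "reject"      - not PROXY protocol and the option is off (the default)
    """
    for name, sig in (("v2", V2_SIGNATURE), ("v1", V1_SIGNATURE)):
        if len(peeked) <= len(sig):
            if sig.startswith(peeked):
                return "wait"
        elif peeked.startswith(sig):
            return name
    return "passthrough" if allow_without_proxy_protocol else "reject"


# Constructed sample inputs (documentation addresses only).
SAMPLES = {
    "v1 header": b"PROXY TCP4 192.0.2.1 198.51.100.1 40000 443\r\n",
    "v2 header": V2_SIGNATURE + b"\x21\x11\x00\x0c" + bytes(12),
    "plain HTTP": b"GET / HTTP/1.1\r\n",
    "short, matches v1": b"PROXY ",
    "short, matches v2": b"\r\n\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        strict = classify(data)
        relaxed = classify(data, allow_without_proxy_protocol=True)
        print(f"{label:18} strict={strict:7} relaxed={relaxed}")
```

The two short samples return "wait" in both modes: enabling allow_requests_without_proxy_protocol does not help a client whose entire request is a prefix of a signature.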

pass_through_tlvs

(config.core.v3.ProxyProtocolPassThroughTLVs) This config controls which TLVs can be passed to filter state when the header is a Proxy Protocol V2 header. If this field is not set, no TLVs will be passed through.

Note

If this is configured, you likely also want to set core.v3.ProxyProtocolConfig.pass_through_tlvs, which controls pass-through for the upstream.

extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.KeyValuePair

[extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.KeyValuePair proto]

{
  "metadata_namespace": ...,
  "key": ...
}

metadata_namespace

(string) The namespace — if this is empty, the filter’s namespace will be used.

key

(string, REQUIRED) The key to use within the namespace.

extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.Rule

[extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.Rule proto]

A Rule defines what metadata to apply when a header is present or missing.

{
  "tlv_type": ...,
  "on_tlv_present": {...}
}

tlv_type

(uint32) The type that triggers the rule (required). The TLV type is defined as uint8_t in the proxy protocol. See the spec for details.

on_tlv_present

(extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.KeyValuePair) If the TLV type is present, apply this metadata KeyValuePair.