SXG
This filter should be configured with the type URL
type.googleapis.com/envoy.extensions.filters.http.sxg.v3alpha.SXG
.
Attention
The SXG filter is experimental and is currently under active development.
This filter generates a Signed HTTP Exchange (SXG) package from a downstream web application. It uses libsxg to perform the SXG packaging and signing, setting the Content-Type
header to application/signed-exchange;v=b3
and response body with the generated SXG document.
The SXG filter is only included in contrib images
Transaction flow:
check accept request header for whether client can accept SXG and set a flag.
x-envoy-client-can-accept-sxg
(or the header defined inclient_can_accept_sxg_header
) will be set on the requestIf
x-envoy-should-encode-sxg
(or the header defined inshould_encode_sxg_header
) is present in the response headers set a flagIf both flags are set, buffer response body until stream end and then replace response body with generated the SXG
If there is an error generating the SXG package we fall back to the original HTML.
For more information on Signed HTTP Exchanges see this doc.
Note
These features are only supported on Linux amd64.
Example configuration
The following is an example configuring the filter.
cbor_url: "/.sxg/cert.cbor"
validity_url: "/.sxg/validity.msg"
certificate:
name: certificate
sds_config:
path: "/etc/envoy/sxg-certificate.yaml"
private_key:
name: private_key
sds_config:
path: "/etc/envoy/sxg-private-key.yaml"
duration: 432000s
mi_record_size: 1024
client_can_accept_sxg_header: "x-custom-accept-sxg"
should_encode_sxg_header: "x-custom-should-encode"
header_prefix_filters:
- "x-foo-"
- "x-bar-"
Notes
Instructions for generating a self-signed certificate and private key for testing can be found here
Statistics
The SXG filter outputs statistics in the <stat_prefix>.sxg.
namespace.
Name |
Type |
Description |
---|---|---|
total_client_can_accept_sxg |
Counter |
Total requests where client passes valid Accept header for SXG documents. |
total_should_sign |
Counter |
Total requests where downstream passes back header indicating Envoy should encocde document. |
total_exceeded_max_payload_size |
Counter |
Total requests where response from downstream is to large. |
total_signed_attempts |
Counter |
Total requests where SXG encoding is attempted. |
total_signed_succeeded |
Counter |
Total requests where SXG encoding succeeds. |
total_signed_failed |
Counter |
Total requests where SXG encoding fails. |