HTTP connection manager (proto)
This extension has the qualified name envoy.filters.network.http_connection_manager
Note
This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.
Tip
This extension extends and can be used with the following extension category:
This extension must be configured with one of the following type URLs:
HTTP connection manager configuration overview.
extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager proto]
{
"codec_type": ...,
"stat_prefix": ...,
"rds": {...},
"route_config": {...},
"scoped_routes": {...},
"http_filters": [],
"add_user_agent": {...},
"tracing": {...},
"common_http_protocol_options": {...},
"http_protocol_options": {...},
"http2_protocol_options": {...},
"server_name": ...,
"server_header_transformation": ...,
"scheme_header_transformation": {...},
"max_request_headers_kb": {...},
"stream_idle_timeout": {...},
"request_timeout": {...},
"request_headers_timeout": {...},
"drain_timeout": {...},
"delayed_close_timeout": {...},
"access_log": [],
"access_log_flush_interval": {...},
"flush_access_log_on_new_request": ...,
"access_log_options": {...},
"use_remote_address": {...},
"xff_num_trusted_hops": ...,
"original_ip_detection_extensions": [],
"early_header_mutation_extensions": [],
"internal_address_config": {...},
"skip_xff_append": ...,
"via": ...,
"generate_request_id": {...},
"preserve_external_request_id": ...,
"always_set_request_id_in_response": ...,
"forward_client_cert_details": ...,
"set_current_client_cert_details": {...},
"proxy_100_continue": ...,
"upgrade_configs": [],
"normalize_path": {...},
"merge_slashes": ...,
"path_with_escaped_slashes_action": ...,
"request_id_extension": {...},
"local_reply_config": {...},
"strip_matching_host_port": ...,
"strip_any_host_port": ...,
"stream_error_on_invalid_http_message": {...},
"strip_trailing_host_dot": ...,
"proxy_status_config": {...},
"append_x_forwarded_port": ...,
"append_local_overload": ...,
"add_proxy_protocol_connection_state": {...}
}
- codec_type
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType) Supplies the type of codec that the connection manager should use.
- stat_prefix
(string, REQUIRED) The human readable prefix to use when emitting statistics for the connection manager. See the statistics documentation for more information.
- rds
(extensions.filters.network.http_connection_manager.v3.Rds) The connection manager’s route table will be dynamically loaded via the RDS API.
Precisely one of rds, route_config, scoped_routes must be set.
- route_config
(config.route.v3.RouteConfiguration) The route table for the connection manager is static and is specified in this property.
Precisely one of rds, route_config, scoped_routes must be set.
- scoped_routes
(extensions.filters.network.http_connection_manager.v3.ScopedRoutes) A route table will be dynamically assigned to each request based on request attributes (e.g., the value of a header). The “routing scopes” (i.e., route tables) and “scope keys” are specified in this message.
Precisely one of rds, route_config, scoped_routes must be set.
- http_filters
(repeated extensions.filters.network.http_connection_manager.v3.HttpFilter) A list of individual HTTP filters that make up the filter chain for requests made to the connection manager. Order matters as the filters are processed sequentially as request events happen.
- add_user_agent
(BoolValue) Whether the connection manager manipulates the :path and x-envoy-downstream-service-cluster headers. See the linked documentation for more information. Defaults to false.
- tracing
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing) Presence of the object defines whether the connection manager emits tracing data to the configured tracing provider.
- common_http_protocol_options
(config.core.v3.HttpProtocolOptions) Additional settings for HTTP requests handled by the connection manager. These will be applicable to both HTTP1 and HTTP2 requests.
Attention
This field should be configured in the presence of untrusted downstreams.
Example configuration for untrusted environments:
common_http_protocol_options: headers_with_underscores_action: REJECT_REQUEST idle_timeout: 900s
- http_protocol_options
(config.core.v3.Http1ProtocolOptions) Additional HTTP/1 settings that are passed to the HTTP/1 codec.
- http2_protocol_options
(config.core.v3.Http2ProtocolOptions) Additional HTTP/2 settings that are passed directly to the HTTP/2 codec.
Attention
This field should be configured in the presence of untrusted downstreams.
Example configuration for untrusted environments:
http2_protocol_options: initial_connection_window_size: 1048576.0 initial_stream_window_size: 65536.0 max_concurrent_streams: 100.0
- server_name
(string) An optional override that the connection manager will write to the server header in responses. If not set, the default is
envoy
.
- server_header_transformation
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation) Defines the action to be applied to the Server header on the response path. By default, Envoy will overwrite the header with the value specified in server_name.
- scheme_header_transformation
(config.core.v3.SchemeHeaderTransformation) Allows for explicit transformation of the :scheme header on the request path. If not set, Envoy’s default scheme handling applies.
- max_request_headers_kb
(UInt32Value) The maximum request headers size for incoming connections. If unconfigured, the default max request headers allowed is 60 KiB. Requests that exceed this limit will receive a 431 response.
- stream_idle_timeout
(Duration) The stream idle timeout for connections managed by the connection manager. If not specified, this defaults to 5 minutes. The default value was selected so as not to interfere with any smaller configured timeouts that may have existed in configurations prior to the introduction of this feature, while introducing robustness to TCP connections that terminate without a FIN.
This idle timeout applies to new streams and is overridable by the route-level idle_timeout. Even on a stream in which the override applies, prior to receipt of the initial request headers, the stream_idle_timeout applies. Each time an encode/decode event for headers or data is processed for the stream, the timer will be reset. If the timeout fires, the stream is terminated with a 408 Request Timeout error code if no upstream response header has been received, otherwise a stream reset occurs.
This timeout also specifies the amount of time that Envoy will wait for the peer to open enough window to write any remaining stream data once the entirety of stream data (local end stream is true) has been buffered pending available window. In other words, this timeout defends against a peer that does not release enough window to completely write the stream, even though all data has been proxied within available flow control windows. If the timeout is hit in this case, the tx_flush_timeout counter will be incremented. Note that max_stream_duration does not apply to this corner case.
If the overload action “envoy.overload_actions.reduce_timeouts” is configured, this timeout is scaled according to the value for HTTP_DOWNSTREAM_STREAM_IDLE.
Note that it is possible to idle timeout even if the wire traffic for a stream is non-idle, due to the granularity of events presented to the connection manager. For example, while receiving very large request headers, it may be the case that there is traffic regularly arriving on the wire while the connection manage is only able to observe the end-of-headers event, hence the stream may still idle timeout.
A value of 0 will completely disable the connection manager stream idle timeout, although per-route idle timeout overrides will continue to apply.
Attention
This field should be configured in the presence of untrusted downstreams.
Example configuration for untrusted environments:
stream_idle_timeout: 300s
- request_timeout
(Duration) The amount of time that Envoy will wait for the entire request to be received. The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent upstream (i.e. all decoding filters have processed the request), OR when the response is initiated. If not specified or set to 0, this timeout is disabled.
Attention
This field should be configured in the presence of untrusted downstreams.
This timeout is not compatible with streaming requests.
Example configuration for untrusted environments:
request_timeout: 300s
- request_headers_timeout
(Duration) The amount of time that Envoy will wait for the request headers to be received. The timer is activated when the first byte of the headers is received, and is disarmed when the last byte of the headers has been received. If not specified or set to 0, this timeout is disabled.
Attention
This field should be configured in the presence of untrusted downstreams.
Example configuration for untrusted environments:
request_headers_timeout: 10s
- drain_timeout
(Duration) The time that Envoy will wait between sending an HTTP/2 “shutdown notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame. This is used so that Envoy provides a grace period for new streams that race with the final GOAWAY frame. During this grace period, Envoy will continue to accept new streams. After the grace period, a final GOAWAY frame is sent and Envoy will start refusing new streams. Draining occurs either when a connection hits the idle timeout, when max_connection_duration is reached, or during general server draining. The default grace period is 5000 milliseconds (5 seconds) if this option is not specified.
- delayed_close_timeout
(Duration) The delayed close timeout is for downstream connections managed by the HTTP connection manager. It is defined as a grace period after connection close processing has been locally initiated during which Envoy will wait for the peer to close (i.e., a TCP FIN/RST is received by Envoy from the downstream connection) prior to Envoy closing the socket associated with that connection. NOTE: This timeout is enforced even when the socket associated with the downstream connection is pending a flush of the write buffer. However, any progress made writing data to the socket will restart the timer associated with this timeout. This means that the total grace period for a socket in this state will be <total_time_waiting_for_write_buffer_flushes>+<delayed_close_timeout>.
Delaying Envoy’s connection close and giving the peer the opportunity to initiate the close sequence mitigates a race condition that exists when downstream clients do not drain/process data in a connection’s receive buffer after a remote close has been detected via a socket write(). This race leads to such clients failing to process the response code sent by Envoy, which could result in erroneous downstream processing.
If the timeout triggers, Envoy will close the connection’s socket.
The default timeout is 1000 ms if this option is not specified.
Note
To be useful in avoiding the race condition described above, this timeout must be set to at least <max round trip time expected between clients and Envoy>+<100ms to account for a reasonable “worst” case processing time for a full iteration of Envoy’s event loop>.
Warning
A value of 0 will completely disable delayed close processing. When disabled, the downstream connection’s socket will be closed immediately after the write flush is completed or will never close if the write flush does not complete.
- access_log
(repeated config.accesslog.v3.AccessLog) Configuration for HTTP access logs emitted by the connection manager.
- access_log_flush_interval
(Duration) .. attention:: This field is deprecated in favor of access_log_flush_interval. Note that if both this field and access_log_flush_interval are specified, the former (deprecated field) is ignored.
- flush_access_log_on_new_request
(bool) .. attention:: This field is deprecated in favor of flush_access_log_on_new_request. Note that if both this field and flush_access_log_on_new_request are specified, the former (deprecated field) is ignored.
- access_log_options
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.HcmAccessLogOptions) Additional access log options for HTTP connection manager.
- use_remote_address
(BoolValue) If set to true, the connection manager will use the real remote address of the client connection when determining internal versus external origin and manipulating various headers. If set to false or absent, the connection manager will use the x-forwarded-for HTTP header. See the documentation for x-forwarded-for, x-envoy-internal, and x-envoy-external-address for more information.
Attention
This field should be configured in the presence of untrusted downstreams.
Example configuration for untrusted environments:
use_remote_address: true
- xff_num_trusted_hops
(uint32) The number of additional ingress proxy hops from the right side of the x-forwarded-for HTTP header to trust when determining the origin client’s IP address. The default is zero if this option is not specified. See the documentation for x-forwarded-for for more information.
- original_ip_detection_extensions
(repeated config.core.v3.TypedExtensionConfig) The configuration for the original IP detection extensions.
When configured the extensions will be called along with the request headers and information about the downstream connection, such as the directly connected address. Each extension will then use these parameters to decide the request’s effective remote address. If an extension fails to detect the original IP address and isn’t configured to reject the request, the HCM will try the remaining extensions until one succeeds or rejects the request. If the request isn’t rejected nor any extension succeeds, the HCM will fallback to using the remote address.
Warning
Extensions cannot be used in conjunction with use_remote_address nor xff_num_trusted_hops.
Tip
This extension category has the following known extensions:
- early_header_mutation_extensions
(repeated config.core.v3.TypedExtensionConfig) The configuration for the early header mutation extensions.
When configured the extensions will be called before any routing, tracing, or any filter processing. Each extension will be applied in the order they are configured. If the same header is mutated by multiple extensions, then the last extension will win.
Tip
This extension category has the following known extensions:
- internal_address_config
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig) Configures what network addresses are considered internal for stats and header sanitation purposes. If unspecified, only RFC1918 IP addresses will be considered internal. See the documentation for x-envoy-internal for more information about internal/external addresses.
Warning
In the next release, no IP addresses will be considered trusted. If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers) you will have to manually include those addresses or CIDR ranges like:
cidr_ranges: address_prefix: 10.0.0.0 prefix_len: 8 cidr_ranges: address_prefix: 192.168.0.0 prefix_len: 16 cidr_ranges: address_prefix: 172.16.0.0 prefix_len: 12 cidr_ranges: address_prefix: 127.0.0.1 prefix_len: 32 cidr_ranges: address_prefix: fd00:: prefix_len: 8 cidr_ranges: address_prefix: ::1 prefix_len: 128
- skip_xff_append
(bool) If set, Envoy will not append the remote address to the x-forwarded-for HTTP header. This may be used in conjunction with HTTP filters that explicitly manipulate XFF after the HTTP connection manager has mutated the request headers. While use_remote_address will also suppress XFF addition, it has consequences for logging and other Envoy uses of the remote address, so
skip_xff_append
should be used when only an elision of XFF addition is intended.
- via
(string) Via header value to append to request and response headers. If this is empty, no via header will be appended.
- generate_request_id
(BoolValue) Whether the connection manager will generate the x-request-id header if it does not exist. This defaults to true. Generating a random UUID4 is expensive so in high throughput scenarios where this feature is not desired it can be disabled.
- preserve_external_request_id
(bool) Whether the connection manager will keep the x-request-id header if passed for a request that is edge (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour. This defaults to false.
- always_set_request_id_in_response
(bool) If set, Envoy will always set x-request-id header in response. If this is false or not set, the request ID is returned in responses only if tracing is forced using x-envoy-force-trace header.
- forward_client_cert_details
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails) How to handle the x-forwarded-client-cert (XFCC) HTTP header.
- set_current_client_cert_details
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails) This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in the client certificate to be forwarded. Note that in the x-forwarded-client-cert header,
Hash
is always set, andBy
is always set when the client certificate presents the URI type Subject Alternative Name value.
- proxy_100_continue
(bool) If proxy_100_continue is true, Envoy will proxy incoming “Expect: 100-continue” headers upstream, and forward “100 Continue” responses downstream. If this is false or not set, Envoy will instead strip the “Expect: 100-continue” header, and send a “100 Continue” response itself.
- upgrade_configs
(repeated extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig)
- normalize_path
(BoolValue) Should paths be normalized according to RFC 3986 before any processing of requests by HTTP filters or routing? This affects the upstream
:path
header as well. For paths that fail this check, Envoy will respond with 400 to paths that are malformed. This defaults to false currently but will default true in the future. When not specified, this value may be overridden by the runtime variable http_connection_manager.normalize_path. See Normalization and Comparison for details of normalization. Note that Envoy does not perform case normalization
- merge_slashes
(bool) Determines if adjacent slashes in the path are merged into one before any processing of requests by HTTP filters or routing. This affects the upstream
:path
header as well. Without setting this option, incoming requests with path//dir///file
will not match against route withprefix
match set to/dir
. Defaults tofalse
. Note that slash merging is not part of HTTP spec and is provided for convenience.
- path_with_escaped_slashes_action
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathWithEscapedSlashesAction) Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). The default value can be overridden by the http_connection_manager.path_with_escaped_slashes_action runtime variable. The http_connection_manager.path_with_escaped_slashes_action_sampling runtime variable can be used to apply the action to a portion of all requests.
- request_id_extension
(extensions.filters.network.http_connection_manager.v3.RequestIDExtension) The configuration of the request ID extension. This includes operations such as generation, validation, and associated tracing operations. If empty, the UuidRequestIdConfig default extension is used with default parameters. See the documentation for that extension for details on what it does. Customizing the configuration for the default extension can be achieved by configuring it explicitly here. For example, to disable trace reason packing, the following configuration can be used:
typed_config: "@type": type.googleapis.com/envoy.extensions.request_id.uuid.v3.UuidRequestIdConfig pack_trace_reason: false
- local_reply_config
(extensions.filters.network.http_connection_manager.v3.LocalReplyConfig) The configuration to customize local reply returned by Envoy. It can customize status code, body text and response content type. If not specified, status code and text body are hard coded in Envoy, the response content type is plain text.
- strip_matching_host_port
(bool) Determines if the port part should be removed from host/authority header before any processing of request by HTTP filters or routing. The port would be removed only if it is equal to the listener’s local port. This affects the upstream host header unless the method is CONNECT in which case if no filter adds a port the original port will be restored before headers are sent upstream. Without setting this option, incoming requests with host
example:443
will not match against route with domains match set toexample
. Defaults tofalse
. Note that port removal is not part of HTTP spec and is provided for convenience. Only one ofstrip_matching_host_port
orstrip_any_host_port
can be set.
- strip_any_host_port
(bool) Determines if the port part should be removed from host/authority header before any processing of request by HTTP filters or routing. This affects the upstream host header unless the method is CONNECT in which case if no filter adds a port the original port will be restored before headers are sent upstream. Without setting this option, incoming requests with host
example:443
will not match against route with domains match set toexample
. Defaults tofalse
. Note that port removal is not part of HTTP spec and is provided for convenience. Only one ofstrip_matching_host_port
orstrip_any_host_port
can be set.
- stream_error_on_invalid_http_message
(BoolValue) Governs Envoy’s behavior when receiving invalid HTTP from downstream. If this option is false (default), Envoy will err on the conservative side handling HTTP errors, terminating both HTTP/1.1 and HTTP/2 connections when receiving an invalid request. If this option is set to true, Envoy will be more permissive, only resetting the invalid stream in the case of HTTP/2 and leaving the connection open where possible (if the entire request is read for HTTP/1.1) In general this should be true for deployments receiving trusted traffic (L2 Envoys, company-internal mesh) and false when receiving untrusted traffic (edge deployments).
If different behaviors for invalid_http_message for HTTP/1 and HTTP/2 are desired, one should use the new HTTP/1 option override_stream_error_on_invalid_http_message or the new HTTP/2 option override_stream_error_on_invalid_http_message
not
the deprecated but similarly named stream_error_on_invalid_http_messaging
- strip_trailing_host_dot
(bool) Determines if trailing dot of the host should be removed from host/authority header before any processing of request by HTTP filters or routing. This affects the upstream host header. Without setting this option, incoming requests with host
example.com.
will not match against route with domains match set toexample.com
. Defaults tofalse
. When the incoming request contains a host/authority header that includes a port number, setting this option will strip a trailing dot, if present, from the host section, leaving the port as is (e.g. host valueexample.com.:443
will be updated toexample.com:443
).
- proxy_status_config
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ProxyStatusConfig) Proxy-Status HTTP response header configuration. If this config is set, the Proxy-Status HTTP response header field is populated. By default, it is not.
- append_x_forwarded_port
(bool) Append the
x-forwarded-port
header with the port value client used to connect to Envoy. It will be ignored if thex-forwarded-port
header has been set by any trusted proxy in front of Envoy.
- append_local_overload
(bool) Append the x-envoy-local-overloaded HTTP header in the scenario where the Overload Manager has been triggered.
- add_proxy_protocol_connection_state
(BoolValue) Whether the HCM will add ProxyProtocolFilterState to the Connection lifetime filter state. Defaults to
true
. This should be set tofalse
in cases where Envoy’s view of the downstream address may not correspond to the actual client address, for example, if there’s another proxy in front of the Envoy.
extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing
[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing proto]
{
"client_sampling": {...},
"random_sampling": {...},
"overall_sampling": {...},
"verbose": ...,
"max_path_tag_length": {...},
"custom_tags": [],
"provider": {...},
"spawn_upstream_span": {...}
}
- client_sampling
(type.v3.Percent) Target percentage of requests managed by this HTTP connection manager that will be force traced if the x-client-trace-id header is set. This field is a direct analog for the runtime variable ‘tracing.client_enabled’ in the HTTP Connection Manager. Default: 100%
- random_sampling
(type.v3.Percent) Target percentage of requests managed by this HTTP connection manager that will be randomly selected for trace generation, if not requested by the client or not forced. This field is a direct analog for the runtime variable ‘tracing.random_sampling’ in the HTTP Connection Manager. Default: 100%
- overall_sampling
(type.v3.Percent) Target percentage of requests managed by this HTTP connection manager that will be traced after all other sampling checks have been applied (client-directed, force tracing, random sampling). This field functions as an upper limit on the total configured sampling rate. For instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% of client requests with the appropriate headers to be force traced. This field is a direct analog for the runtime variable ‘tracing.global_enabled’ in the HTTP Connection Manager. Default: 100%
- verbose
(bool) Whether to annotate spans with additional data. If true, spans will include logs for stream events.
- max_path_tag_length
(UInt32Value) Maximum length of the request path to extract and include in the HttpUrl tag. Used to truncate lengthy request paths to meet the needs of a tracing backend. Default: 256
- custom_tags
(repeated type.tracing.v3.CustomTag) A list of custom tags with unique tag name to create tags for the active span.
- provider
(config.trace.v3.Tracing.Http) Configuration for an external tracing provider. If not specified, no tracing will be performed.
Attention
Please be aware that
envoy.tracers.opencensus
provider can only be configured once in Envoy lifetime. Any attempts to reconfigure it or to use different configurations for different HCM filters will be rejected. Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes on OpenCensus side.
- spawn_upstream_span
(BoolValue) Create separate tracing span for each upstream request if true. And if this flag is set to true, the tracing provider will assume that Envoy will be independent hop in the trace chain and may set span type to client or server based on this flag. This will deprecate the start_child_span in the router.
Users should set appropriate value based on their tracing provider and actual scenario:
If Envoy is used as sidecar and users want to make the sidecar and its application as only one hop in the trace chain, this flag should be set to false. And please also make sure the start_child_span in the router is not set to true.
If Envoy is used as gateway or independent proxy, or users want to make the sidecar and its application as different hops in the trace chain, this flag should be set to true.
If tracing provider that has explicit requirements on span creation (like SkyWalking), this flag should be set to true.
The default value is false for now for backward compatibility.
Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.OperationName
- INGRESS
(DEFAULT) The HTTP listener is used for ingress/incoming requests.
- EGRESS
The HTTP listener is used for egress/outgoing requests.
extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig
{
"unix_sockets": ...,
"cidr_ranges": []
}
- unix_sockets
(bool) Whether unix socket addresses should be considered internal.
- cidr_ranges
(repeated config.core.v3.CidrRange) List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193 IP addresses will be considered internal.
extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails
{
"subject": {...},
"cert": ...,
"chain": ...,
"dns": ...,
"uri": ...
}
- subject
(BoolValue) Whether to forward the subject of the client cert. Defaults to false.
- cert
(bool) Whether to forward the entire client cert in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Cert=”PEM”. Defaults to false.
- chain
(bool) Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Chain=”PEM”. Defaults to false.
- dns
(bool) Whether to forward the DNS type Subject Alternative Names of the client cert. Defaults to false.
- uri
(bool) Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to false.
extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig
[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig proto]
The configuration for HTTP upgrades. For each upgrade type desired, an UpgradeConfig must be added.
Warning
The current implementation of upgrade headers does not handle multi-valued upgrade headers. Support for multi-valued headers may be added in the future if needed.
Warning
The current implementation of upgrade headers does not work with HTTP/2 upstreams.
{
"upgrade_type": ...,
"filters": [],
"enabled": {...}
}
- upgrade_type
(string) The case-insensitive name of this upgrade, e.g. “websocket”. For each upgrade type present in upgrade_configs, requests with Upgrade: [upgrade_type] will be proxied upstream.
- filters
(repeated extensions.filters.network.http_connection_manager.v3.HttpFilter) If present, this represents the filter chain which will be created for this type of upgrade. If no filters are present, the filter chain for HTTP connections will be used for this upgrade type.
- enabled
(BoolValue) Determines if upgrades are enabled or disabled by default. Defaults to true. This can be overridden on a per-route basis with cluster as documented in the upgrade documentation.
extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ProxyStatusConfig
Configures the manner in which the Proxy-Status HTTP response header is populated.
See the [Proxy-Status RFC](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-proxy-status-08).
The Proxy-Status header is a string of the form:
“<server_name>; error=<error_type>; details=<details>”
{
"remove_details": ...,
"remove_connection_termination_details": ...,
"remove_response_flags": ...,
"set_recommended_response_code": ...,
"use_node_id": ...,
"literal_proxy_name": ...
}
- remove_details
(bool) If true, the details field of the Proxy-Status header is not populated with stream_info.response_code_details. This value defaults to
false
, i.e. thedetails
field is populated by default.
- remove_connection_termination_details
(bool) If true, the details field of the Proxy-Status header will not contain connection termination details. This value defaults to
false
, i.e. thedetails
field will contain connection termination details by default.
- remove_response_flags
(bool) If true, the details field of the Proxy-Status header will not contain an enumeration of the Envoy ResponseFlags. This value defaults to
false
, i.e. thedetails
field will contain a list of ResponseFlags by default.
- set_recommended_response_code
(bool) If true, overwrites the existing Status header with the response code recommended by the Proxy-Status spec. This value defaults to
false
, i.e. the HTTP response code is not overwritten.
- use_node_id
(bool) If
use_node_id
is set, Proxy-Status headers will use the Envoy’s node ID as the name of the proxy.The name of the proxy as it appears at the start of the Proxy-Status header.
If neither of these values are set, this value defaults to
server_name
, which itself defaults to “envoy”.Only one of use_node_id, literal_proxy_name may be set.
- literal_proxy_name
(string) If
literal_proxy_name
is set, Proxy-Status headers will use this value as the name of the proxy.The name of the proxy as it appears at the start of the Proxy-Status header.
If neither of these values are set, this value defaults to
server_name
, which itself defaults to “envoy”.Only one of use_node_id, literal_proxy_name may be set.
extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.HcmAccessLogOptions
{
"access_log_flush_interval": {...},
"flush_access_log_on_new_request": ...,
"flush_log_on_tunnel_successfully_established": ...
}
- access_log_flush_interval
(Duration) The interval to flush the above access logs. By default, the HCM will flush exactly one access log on stream close, when the HTTP request is complete. If this field is set, the HCM will flush access logs periodically at the specified interval. This is especially useful in the case of long-lived requests, such as CONNECT and Websockets. Final access logs can be detected via the
requestComplete()
method ofStreamInfo
in access log filters, or through the%DURATION%
substitution string. The interval must be at least 1 millisecond.
- flush_access_log_on_new_request
(bool) If set to true, HCM will flush an access log when a new HTTP request is received, after request headers have been evaluated, before iterating through the HTTP filter chain. This log record, if enabled, does not depend on periodic log records or request completion log. Details related to upstream cluster, such as upstream host, will not be available for this log.
- flush_log_on_tunnel_successfully_established
(bool) If true, the HCM will flush an access log when a tunnel is successfully established. For example, this could be when an upstream has successfully returned 101 Switching Protocols, or when the proxy has returned 200 to a CONNECT request.
Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType
[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType proto]
- AUTO
(DEFAULT) For every new connection, the connection manager will determine which codec to use. This mode supports both ALPN for TLS listeners as well as protocol inference for plaintext listeners. If ALPN data is available, it is preferred, otherwise protocol inference is used. In almost all cases, this is the right option to choose for this setting.
- HTTP1
The connection manager will assume that the client is speaking HTTP/1.1.
- HTTP2
The connection manager will assume that the client is speaking HTTP/2 (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. Prior knowledge is allowed).
Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation
- OVERWRITE
(DEFAULT) Overwrite any Server header with the contents of server_name.
- APPEND_IF_ABSENT
If no Server header is present, append Server server_name If a Server header is present, pass it through.
- PASS_THROUGH
Pass through the value of the server header, and do not append a header if none is present.
Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails
How to handle the x-forwarded-client-cert (XFCC) HTTP header.
- SANITIZE
(DEFAULT) Do not send the XFCC header to the next hop. This is the default value.
- FORWARD_ONLY
When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.
- APPEND_FORWARD
When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it.
- SANITIZE_SET
When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
- ALWAYS_FORWARD_ONLY
Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.
Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathWithEscapedSlashesAction
Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path. This operation occurs before URL normalization and the merge slashes transformations if they were enabled.
- IMPLEMENTATION_SPECIFIC_DEFAULT
(DEFAULT) Default behavior specific to implementation (i.e. Envoy) of this configuration option. Envoy, by default, takes the KEEP_UNCHANGED action. NOTE: the implementation may change the default behavior at-will.
- KEEP_UNCHANGED
Keep escaped slashes.
- REJECT_REQUEST
Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. The “httpN.downstream_rq_failed_path_normalization” counter is incremented for each rejected request.
- UNESCAPE_AND_REDIRECT
Unescape %2F and %5C sequences and redirect request to the new path if these sequences were present. Redirect occurs after path normalization and merge slashes transformations if they were configured. NOTE: gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented for each redirected request.
- UNESCAPE_AND_FORWARD
Unescape %2F and %5C sequences. Note: this option should not be enabled if intermediaries perform path based access control as it may lead to path confusion vulnerabilities.
extensions.filters.network.http_connection_manager.v3.LocalReplyConfig
[extensions.filters.network.http_connection_manager.v3.LocalReplyConfig proto]
The configuration to customize local reply returned by Envoy.
{
"mappers": [],
"body_format": {...}
}
- mappers
(repeated extensions.filters.network.http_connection_manager.v3.ResponseMapper) Configuration of list of mappers which allows to filter and change local response. The mappers will be checked by the specified order until one is matched.
- body_format
(config.core.v3.SubstitutionFormatString) The configuration to form response body from the command operators and to specify response content type as one of: plain/text or application/json.
Example one: “plain/text”
body_format
.text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n"
The following response body in “plain/text” format will be generated for a request with local reply body of “upstream connection error”, response_code=503 and path=/foo.
upstream connect error:503:path=/foo
Example two: “application/json”
body_format
.json_format: status: "%RESPONSE_CODE%" message: "%LOCAL_REPLY_BODY%" path: "%REQ(:path)%"
The following response body in “application/json” format would be generated for a request with local reply body of “upstream connection error”, response_code=503 and path=/foo.
{ "status": 503, "message": "upstream connection error", "path": "/foo" }
extensions.filters.network.http_connection_manager.v3.ResponseMapper
[extensions.filters.network.http_connection_manager.v3.ResponseMapper proto]
The configuration to filter and change local response.
{
"filter": {...},
"status_code": {...},
"body": {...},
"body_format_override": {...},
"headers_to_add": []
}
- filter
(config.accesslog.v3.AccessLogFilter, REQUIRED) Filter to determine if this mapper should apply.
- status_code
(UInt32Value) The new response status code if specified.
- body
(config.core.v3.DataSource) The new local reply body text if specified. It will be used in the
%LOCAL_REPLY_BODY%
command operator in thebody_format
.
- body_format_override
(config.core.v3.SubstitutionFormatString) A per mapper
body_format
to override the body_format. It will be used when this mapper is matched.
- headers_to_add
(repeated config.core.v3.HeaderValueOption) HTTP headers to add to a local reply. This allows the response mapper to append, to add or to override headers of any local reply before it is sent to a downstream client.
extensions.filters.network.http_connection_manager.v3.Rds
[extensions.filters.network.http_connection_manager.v3.Rds proto]
{
"config_source": {...},
"route_config_name": ...
}
- config_source
(config.core.v3.ConfigSource, REQUIRED) Configuration source specifier for RDS.
- route_config_name
(string) The name of the route configuration. This name will be passed to the RDS API. This allows an Envoy configuration with multiple HTTP listeners (and associated HTTP connection manager filters) to use different route configurations.
extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList
[extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList proto]
This message is used to work around the limitations with ‘oneof’ and repeated fields.
{
"scoped_route_configurations": []
}
- scoped_route_configurations
(repeated config.route.v3.ScopedRouteConfiguration, REQUIRED)
extensions.filters.network.http_connection_manager.v3.ScopedRoutes
[extensions.filters.network.http_connection_manager.v3.ScopedRoutes proto]
{
"name": ...,
"scope_key_builder": {...},
"rds_config_source": {...},
"scoped_route_configurations_list": {...},
"scoped_rds": {...}
}
- name
(string, REQUIRED) The name assigned to the scoped routing configuration.
- scope_key_builder
(extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder, REQUIRED) The algorithm to use for constructing a scope key for each request.
- rds_config_source
(config.core.v3.ConfigSource) Configuration source specifier for RDS. This config source is used to subscribe to RouteConfiguration resources specified in ScopedRouteConfiguration messages.
- scoped_route_configurations_list
(extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList) The set of routing scopes corresponding to the HCM. A scope is assigned to a request by matching a key constructed from the request’s attributes according to the algorithm specified by the ScopeKeyBuilder in this message.
Precisely one of scoped_route_configurations_list, scoped_rds must be set.
- scoped_rds
(extensions.filters.network.http_connection_manager.v3.ScopedRds) The set of routing scopes associated with the HCM will be dynamically loaded via the SRDS API. A scope is assigned to a request by matching a key constructed from the request’s attributes according to the algorithm specified by the ScopeKeyBuilder in this message.
Precisely one of scoped_route_configurations_list, scoped_rds must be set.
extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder
[extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder proto]
Specifies the mechanism for constructing “scope keys” based on HTTP request attributes. These keys are matched against a set of Key objects assembled from ScopedRouteConfiguration messages distributed via SRDS (the Scoped Route Discovery Service) or assigned statically via scoped_route_configurations_list.
Upon receiving a request’s headers, the Router will build a key using the algorithm specified by this message. This key will be used to look up the routing table (i.e., the RouteConfiguration) to use for the request.
{
"fragments": []
}
- fragments
(repeated extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder, REQUIRED) The final(built) scope key consists of the ordered union of these fragments, which are compared in order with the fragments of a ScopedRouteConfiguration. A missing fragment during comparison will make the key invalid, i.e., the computed key doesn’t match any key.
extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder
Specifies the mechanism for constructing key fragments which are composed into scope keys.
{
"header_value_extractor": {...}
}
- header_value_extractor
(extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor, REQUIRED) Specifies how a header field’s value should be extracted.
extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor
Specifies how the value of a header should be extracted. The following example maps the structure of a header to the fields in this message.
<0> <1> <-- index
X-Header: a=b;c=d
| || |
| || \----> <element_separator>
| ||
| |\----> <element.separator>
| |
| \----> <element.key>
|
\----> <name>
Each 'a=b' key-value pair constitutes an 'element' of the header field.
{
"name": ...,
"element_separator": ...,
"index": ...,
"element": {...}
}
- name
(string, REQUIRED) The name of the header field to extract the value from.
Note
If the header appears multiple times only the first value is used.
- element_separator
(string) The element separator (e.g., ‘;’ separates ‘a;b;c;d’). Default: empty string. This causes the entirety of the header field to be extracted. If this field is set to an empty string and ‘index’ is used in the oneof below, ‘index’ must be set to 0.
- index
(uint32) Specifies the zero based index of the element to extract. Note Envoy concatenates multiple values of the same header key into a comma separated string, the splitting always happens after the concatenation.
- element
(extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement) Specifies the key value pair to extract the value from.
extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement
Specifies a header field’s key value pair to match on.
{
"separator": ...,
"key": ...
}
- separator
(string, REQUIRED) The separator between key and value (e.g., ‘=’ separates ‘k=v;…’). If an element is an empty string, the element is ignored. If an element contains no separator, the whole element is parsed as key and the fragment value is an empty string. If there are multiple values for a matched key, the first value is returned.
- key
(string, REQUIRED) The key to match on.
extensions.filters.network.http_connection_manager.v3.ScopedRds
[extensions.filters.network.http_connection_manager.v3.ScopedRds proto]
{
"scoped_rds_config_source": {...}
}
- scoped_rds_config_source
(config.core.v3.ConfigSource, REQUIRED) Configuration source specifier for scoped RDS.
extensions.filters.network.http_connection_manager.v3.HttpFilter
[extensions.filters.network.http_connection_manager.v3.HttpFilter proto]
{
"name": ...,
"typed_config": {...},
"config_discovery": {...},
"is_optional": ...,
"disabled": ...
}
- name
(string, REQUIRED) The name of the filter configuration. It also serves as a resource name in ExtensionConfigDS.
- typed_config
(Any) Filter specific configuration which depends on the filter being instantiated. See the supported filters for further documentation.
To support configuring a match tree, use an ExtensionWithMatcher with the desired HTTP filter.
Tip
This extension category has the following known extensions:
The following extensions are available in contrib images only:
Only one of typed_config, config_discovery may be set.
- config_discovery
(config.core.v3.ExtensionConfigSource) Configuration source specifier for an extension configuration discovery service. In case of a failure and without the default configuration, the HTTP listener responds with code 500. Extension configs delivered through this mechanism are not expected to require warming (see https://github.com/envoyproxy/envoy/issues/12061).
To support configuring a match tree, use an ExtensionWithMatcher with the desired HTTP filter. This works for both the default filter configuration as well as for filters provided via the API.
Only one of typed_config, config_discovery may be set.
- is_optional
(bool) If true, clients that do not support this filter may ignore the filter but otherwise accept the config. Otherwise, clients that do not support this filter must reject the config.
- disabled
(bool) If true, the filter is disabled by default and must be explicitly enabled by setting per filter configuration in the route configuration. See route based filter chain for more details.
Terminal filters (e.g.
envoy.filters.http.router
) cannot be marked as disabled.
extensions.filters.network.http_connection_manager.v3.RequestIDExtension
[extensions.filters.network.http_connection_manager.v3.RequestIDExtension proto]
{
"typed_config": {...}
}
- typed_config
(Any) Request ID extension specific configuration.
extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager
[extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager proto]
HTTP connection manager for use in Envoy mobile.
This extension has the qualified name envoy.filters.network.envoy_mobile_http_connection_manager
Note
This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.
Tip
This extension extends and can be used with the following extension category:
{
"config": {...}
}
- config
(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager) The configuration for the underlying HttpConnectionManager which will be instantiated for Envoy mobile.