.. _envoy_api_file_envoy/api/v2/listener/listener.proto:

Listener components
===================

Listener :ref:`configuration overview `

.. _envoy_api_msg_listener.Filter:

listener.Filter
---------------

`[listener.Filter proto] `_

.. code-block:: json

  {
    "name": "...",
    "config": "{...}"
  }

.. _envoy_api_field_listener.Filter.name:

name
  (`string `_, *REQUIRED*) The name of the filter to instantiate. The name must match a supported
  filter. The built-in filters are:

  * :ref:`envoy.client_ssl_auth`
  * :ref:`envoy.echo `
  * :ref:`envoy.http_connection_manager `
  * :ref:`envoy.mongo_proxy `
  * :ref:`envoy.ratelimit `
  * :ref:`envoy.redis_proxy `
  * :ref:`envoy.tcp_proxy `

.. _envoy_api_field_listener.Filter.config:

config
  (`Struct `_) Filter specific configuration which depends on the filter being
  instantiated. See the supported filters for further documentation.

.. _envoy_api_msg_listener.FilterChainMatch:

listener.FilterChainMatch
-------------------------

`[listener.FilterChainMatch proto] `_

Specifies the match criteria for selecting a specific filter chain for a
listener.

In order for a filter chain to be selected, *ALL* of its criteria must be
fulfilled by the incoming connection, properties of which are set by the
networking stack and/or listener filters.

The following order applies:

1. Destination port.
2. Destination IP address.
3. Server name (e.g. SNI for TLS protocol).
4. Transport protocol.
5. Application protocols (e.g. ALPN for TLS protocol).
6. Source type (e.g. any, local or external network).

For criteria that allow ranges or wildcards, the most specific value in any
of the configured filter chains that matches the incoming connection is going
to be used (e.g. for SNI ``www.example.com`` the most specific match would be
``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter
chain without ``server_names`` requirements).

.. code-block:: json

  {
    "destination_port": "{...}",
    "prefix_ranges": [],
    "source_type": "...",
    "server_names": [],
    "transport_protocol": "...",
    "application_protocols": []
  }

.. _envoy_api_field_listener.FilterChainMatch.destination_port:

destination_port
  (`UInt32Value `_) Optional destination port to consider when use_original_dst is set on the
  listener in determining a filter chain match.

.. _envoy_api_field_listener.FilterChainMatch.prefix_ranges:

prefix_ranges
  (:ref:`core.CidrRange `) If non-empty, an IP address and prefix length to match addresses when the
  listener is bound to 0.0.0.0/:: or when use_original_dst is specified.

.. _envoy_api_field_listener.FilterChainMatch.source_type:

source_type
  (:ref:`listener.FilterChainMatch.ConnectionSourceType `) Specifies the connection source IP match type.
  Can be any, local or external network.

.. _envoy_api_field_listener.FilterChainMatch.server_names:

server_names
  (`string `_) If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when
  determining a filter chain match. Those values will be compared against the server names of a
  new connection, when detected by one of the listener filters.

  The server name will be matched against all wildcard domains, i.e. ``www.example.com``
  will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.

  Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.

  .. attention::

    See the :ref:`FAQ entry ` on how to configure SNI for more
    information.

.. _envoy_api_field_listener.FilterChainMatch.transport_protocol:

transport_protocol
  (`string `_) If non-empty, a transport protocol to consider when determining a filter chain
  match. This value will be compared against the transport protocol of a new connection, when
  it's detected by one of the listener filters.

  Suggested values include:

  * ``raw_buffer`` - default, used when no transport protocol is detected,
  * ``tls`` - set by :ref:`envoy.listener.tls_inspector `
    when TLS protocol is detected.

.. _envoy_api_field_listener.FilterChainMatch.application_protocols:

application_protocols
  (`string `_) If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to
  consider when determining a filter chain match. Those values will be compared against the
  application protocols of a new connection, when detected by one of the listener filters.

  Suggested values include:

  * ``http/1.1`` - set by :ref:`envoy.listener.tls_inspector `,
  * ``h2`` - set by :ref:`envoy.listener.tls_inspector `

  .. attention::

    Currently, only :ref:`TLS Inspector ` provides
    application protocol detection based on the requested
    `ALPN `_ values.

    However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
    and matching on values other than ``h2`` is going to lead to a lot of false negatives,
    unless all connecting clients are known to use ALPN.

.. _envoy_api_enum_listener.FilterChainMatch.ConnectionSourceType:

Enum listener.FilterChainMatch.ConnectionSourceType
---------------------------------------------------

`[listener.FilterChainMatch.ConnectionSourceType proto] `_

.. _envoy_api_enum_value_listener.FilterChainMatch.ConnectionSourceType.ANY:

ANY
  *(DEFAULT)* Any connection source matches.

.. _envoy_api_enum_value_listener.FilterChainMatch.ConnectionSourceType.LOCAL:

LOCAL
  Match a connection originating from the same host.

.. _envoy_api_enum_value_listener.FilterChainMatch.ConnectionSourceType.EXTERNAL:

EXTERNAL
  Match a connection originating from a different host.

.. _envoy_api_msg_listener.FilterChain:

listener.FilterChain
--------------------

`[listener.FilterChain proto] `_

A filter chain wraps a set of match criteria, an optional TLS context, a set of filters, and
various other parameters.

.. code-block:: json

  {
    "filter_chain_match": "{...}",
    "tls_context": "{...}",
    "filters": [],
    "use_proxy_proto": "{...}",
    "transport_socket": "{...}"
  }

.. _envoy_api_field_listener.FilterChain.filter_chain_match:

filter_chain_match
  (:ref:`listener.FilterChainMatch `) The criteria to use when matching a connection to this filter chain.

.. _envoy_api_field_listener.FilterChain.tls_context:

tls_context
  (:ref:`auth.DownstreamTlsContext `) The TLS context for this filter chain.

.. _envoy_api_field_listener.FilterChain.filters:

filters
  (:ref:`listener.Filter `) A list of individual network filters that make up the filter chain for
  connections established with the listener. Order matters as the filters are
  processed sequentially as connection events happen. Note: If the filter
  list is empty, the connection will close by default.

.. _envoy_api_field_listener.FilterChain.use_proxy_proto:

use_proxy_proto
  (`BoolValue `_) Whether the listener should expect a PROXY protocol V1 header on new
  connections. If this option is enabled, the listener will assume that the
  remote address of the connection is the one specified in the header. Some
  load balancers including the AWS ELB support this option. If the option is
  absent or set to false, Envoy will use the physical peer address of the
  connection as the remote address.

.. _envoy_api_field_listener.FilterChain.transport_socket:

transport_socket
  (:ref:`core.TransportSocket `) See :ref:`base.TransportSocket` description.

.. _envoy_api_msg_listener.ListenerFilter:

listener.ListenerFilter
-----------------------

`[listener.ListenerFilter proto] `_

.. code-block:: json

  {
    "name": "...",
    "config": "{...}"
  }

.. _envoy_api_field_listener.ListenerFilter.name:

name
  (`string `_, *REQUIRED*) The name of the filter to instantiate. The name must match a supported
  filter. The built-in filters are:

  * :ref:`envoy.listener.original_dst `
  * :ref:`envoy.listener.tls_inspector `

.. _envoy_api_field_listener.ListenerFilter.config:

config
  (`Struct `_) Filter specific configuration which depends on the filter being
  instantiated. See the supported filters for further documentation.
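
The most-specific ``server_names`` rule described under ``listener.FilterChainMatch``, as an added Python sketch that is not Envoy's own code. The chain names and ``SAMPLE_CHAINS`` are constructed, and the validator assumes a wildcard is only valid as a single leading ``*.`` label.

```python
# Added example: most-specific server_names selection across filter chains.
# Chain names and SAMPLE_CHAINS are constructed for illustration.

SAMPLE_CHAINS = {
    "exact": ["www.example.com"],
    "wildcard": ["*.example.com"],
    "tld": ["*.com"],
    "default": [],          # no server_names requirement
}


def validate_server_name(pattern):
    """Accept exact names or one leading '*.' label; reject partial wildcards."""
    if "*" in pattern and not (pattern.startswith("*.") and pattern.count("*") == 1):
        raise ValueError("invalid server name: %r" % pattern)
    return pattern.lower()


def candidates(sni):
    """Yield lookup keys for an SNI value, most specific first."""
    labels = sni.lower().split(".")
    yield ".".join(labels)                      # www.example.com
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])       # *.example.com, then *.com


def select_chain(chains, sni):
    """Return the name of the chain selected for `sni` (None or '' = no SNI seen)."""
    index, fallback = {}, None
    for name, patterns in chains.items():
        if not patterns and fallback is None:
            fallback = name                     # chain without server_names
        for pattern in patterns:
            # In this sketch the first chain listing a pattern keeps it.
            index.setdefault(validate_server_name(pattern), name)
    for key in candidates(sni) if sni else ():
        if key in index:
            return index[key]
    return fallback
```

A connection with no detected server name can only land on a chain that has no ``server_names`` requirement, which is why ``select_chain`` skips the index entirely in that case.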
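
A configuration review check built from the caveats this reference states for ``filters``, ``use_proxy_proto``, ``application_protocols`` and the TLS Inspector, as an added Python example that is not part of Envoy. ``SAMPLE_LISTENER`` is constructed, the ``listener_filters`` and ``filter_chains`` keys are assumed to be those of the enclosing Listener message, and the TLS Inspector check is a review heuristic.

```python
# Added example: lint one listener's filter chains against caveats stated above.
# SAMPLE_LISTENER is constructed; it is not a recommended configuration.

TLS_INSPECTOR = "envoy.listener.tls_inspector"

SAMPLE_LISTENER = {
    "listener_filters": [],
    "filter_chains": [
        {"filter_chain_match": {"server_names": ["www.example.com"]},
         "filters": [{"name": "envoy.tcp_proxy"}]},
        {"filter_chain_match": {"application_protocols": ["http/1.1"]},
         "filters": [], "use_proxy_proto": True},
        {"filters": [{"name": "envoy.echo"}]},
    ],
}


def lint_listener(listener):
    """Return (chain_index, finding) tuples in chain order for a listener dict."""
    findings = []
    has_inspector = any(
        lf.get("name") == TLS_INSPECTOR
        for lf in listener.get("listener_filters", [])
    )
    for i, chain in enumerate(listener.get("filter_chains", [])):
        match = chain.get("filter_chain_match", {})
        if not chain.get("filters"):
            findings.append((i, "empty filters: connection closes by default"))
        if chain.get("use_proxy_proto"):
            # Remote address comes from the PROXY header, not the physical peer.
            findings.append((i, "use_proxy_proto: confirm every peer is a trusted proxy"))
        alpn = match.get("application_protocols", [])
        if any(proto != "h2" for proto in alpn):
            findings.append((i, "ALPN match other than h2: expect false negatives"))
        needs_tls = (alpn or match.get("server_names")
                     or match.get("transport_protocol") == "tls")
        if needs_tls and not has_inspector:
            findings.append((i, "TLS-based match without " + TLS_INSPECTOR))
    return findings
```

Findings that mention ``use_proxy_proto`` matter most where access decisions or logs rely on the remote address, since that address is then whatever the header states.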