Listener components
Listener configuration overview
listener.Filter
{
"name": "...",
"config": "{...}"
}
name
(string, REQUIRED) The name of the filter to instantiate. The name must match a supported filter. The built-in filters are:
- envoy.client_ssl_auth
- envoy.echo
- envoy.http_connection_manager
- envoy.mongo_proxy
- envoy.ratelimit
- envoy.redis_proxy
- envoy.tcp_proxy
config
(Struct) Filter specific configuration which depends on the filter being instantiated. See the supported filters for further documentation.
listener.FilterChainMatch
[listener.FilterChainMatch proto]
Specifies the match criteria for selecting a specific filter chain for a listener.
In order for a filter chain to be selected, ALL of its criteria must be fulfilled by the incoming connection, properties of which are set by the networking stack and/or listener filters.
The following order applies:
- Destination port.
- Destination IP address.
- Server name (e.g. SNI for TLS protocol),
- Transport protocol.
- Application protocols (e.g. ALPN for TLS protocol).
- Source type (e.g. any, local or external network).
For criteria that allow ranges or wildcards, the most specific value in any of the configured filter chains that matches the incoming connection is going to be used (e.g. for SNI www.example.com
the most specific match would be www.example.com
, then *.example.com
, then *.com
, then any filter chain without server_names
requirements).
{
"destination_port": "{...}",
"prefix_ranges": [],
"source_type": "...",
"server_names": [],
"transport_protocol": "...",
"application_protocols": []
}
destination_port
(UInt32Value) Optional destination port to consider when use_original_dst is set on the listener in determining a filter chain match.
prefix_ranges
(core.CidrRange) If non-empty, an IP address and prefix length to match addresses when the listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
source_type
(listener.FilterChainMatch.ConnectionSourceType) Specifies the connection source IP match type. Can be any, local or external network.
server_names
(string) If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining a filter chain match. Those values will be compared against the server names of a new connection, when detected by one of the listener filters.
The server name will be matched against all wildcard domains, i.e. www.example.com
will be first matched against www.example.com
, then *.example.com
, then *.com
.
Note that partial wildcards are not supported, and values like *w.example.com
are invalid.
Attention
See the FAQ entry on how to configure SNI for more information.
transport_protocol
(string) If non-empty, a transport protocol to consider when determining a filter chain match. This value will be compared against the transport protocol of a new connection, when it’s detected by one of the listener filters.
Suggested values include:
raw_buffer
- default, used when no transport protocol is detected,tls
- set by envoy.listener.tls_inspector when TLS protocol is detected.
application_protocols
(string) If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when determining a filter chain match. Those values will be compared against the application protocols of a new connection, when detected by one of the listener filters.
Suggested values include:
http/1.1
- set by envoy.listener.tls_inspector,h2
- set by envoy.listener.tls_inspector
Attention
Currently, only TLS Inspector provides application protocol detection based on the requested ALPN values.
However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, and matching on values other than h2
is going to lead to a lot of false negatives, unless all connecting clients are known to use ALPN.
Enum listener.FilterChainMatch.ConnectionSourceType
[listener.FilterChainMatch.ConnectionSourceType proto]
ANY
(DEFAULT) Any connection source matches.
LOCAL
Match a connection originating from the same host.
EXTERNAL
Match a connection originating from a different host.
listener.FilterChain
A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and various other parameters.
{
"filter_chain_match": "{...}",
"tls_context": "{...}",
"filters": [],
"use_proxy_proto": "{...}",
"transport_socket": "{...}"
}
filter_chain_match
(listener.FilterChainMatch) The criteria to use when matching a connection to this filter chain.
tls_context
(auth.DownstreamTlsContext) The TLS context for this filter chain.
filters
(listener.Filter) A list of individual network filters that make up the filter chain for connections established with the listener. Order matters as the filters are processed sequentially as connection events happen. Note: If the filter list is empty, the connection will close by default.
use_proxy_proto
(BoolValue) Whether the listener should expect a PROXY protocol V1 header on new connections. If this option is enabled, the listener will assume that that remote address of the connection is the one specified in the header. Some load balancers including the AWS ELB support this option. If the option is absent or set to false, Envoy will use the physical peer address of the connection as the remote address.
transport_socket
(core.TransportSocket) See base.TransportSocket description.
listener.ListenerFilter
[listener.ListenerFilter proto]
{
"name": "...",
"config": "{...}"
}
name
(string, REQUIRED) The name of the filter to instantiate. The name must match a supported filter. The built-in filters are:
config
(Struct) Filter specific configuration which depends on the filter being instantiated. See the supported filters for further documentation.