|
|
|
// This is heavily derived from
|
|
|
|
// https://lyft.github.io/envoy/docs/configuration/listeners/listeners.html
|
|
|
|
// The v2 gRPC API differences are tagged with [V2-API-DIFF].
|
|
|
|
|
|
|
|
syntax = "proto3";
|
|
|
|
|
|
|
|
package envoy.api.v2;
|
|
|
|
|
|
|
|
import "api/address.proto";
|
|
|
|
import "api/base.proto";
|
|
|
|
import "api/tls_context.proto";
|
|
|
|
|
|
|
|
import "google/api/annotations.proto";
|
|
|
|
import "google/protobuf/struct.proto";
|
|
|
|
import "google/protobuf/wrappers.proto";
|
|
|
|
|
|
|
|
// The Envoy instance initiates an RPC at startup to discover a list of
|
|
|
|
// listeners. Updates are delivered via streaming from the LDS server and
|
|
|
|
// consist of a complete update of all listeners. Existing connections will be
|
|
|
|
// allowed to drain from listeners that are no longer present.
|
|
|
|
service ListenerDiscoveryService {
|
|
|
|
rpc StreamListeners(ListenerDiscoveryRequest) returns
|
|
|
|
(stream ListenerDiscoverResponse) {}
|
|
|
|
|
|
|
|
rpc FetchListeners(ListenerDiscoveryRequest)
|
|
|
|
returns (ListenerDiscoverResponse) {
|
|
|
|
option (google.api.http) = {
|
|
|
|
post: "/v2/discovery:listeners"
|
|
|
|
body: "*"
|
|
|
|
};
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
message ListenerDiscoveryRequest {
|
|
|
|
Node node = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
message ListenerDiscoverResponse {
|
|
|
|
repeated Listener listeners = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
message Filter {
|
|
|
|
// The type of filter to instantiate. Most filters implement a specific type,
|
|
|
|
// though it is theoretically possible for a filter to be written such that it
|
|
|
|
// can operate in multiple modes. Supported types are read, write, and both.
|
|
|
|
enum Type {
|
|
|
|
BOTH = 0;
|
|
|
|
READ = 1;
|
|
|
|
WRITE = 2;
|
|
|
|
}
|
|
|
|
Type type = 1;
|
|
|
|
// The name of the filter to instantiate. The name must match a supported
|
|
|
|
// filter.
|
|
|
|
string name = 2;
|
|
|
|
// Filter specific configuration which depends on the filter being
|
|
|
|
// instantiated. See the supported filters for further documentation.
|
|
|
|
google.protobuf.Struct config = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Specifies the match criteria for selecting a specific filter chain for a
|
|
|
|
// listener [V2-API-DIFF].
|
|
|
|
message FilterChainMatch {
|
|
|
|
// If non-empty, the SNI domains to consider. May contain a wildcard prefix,
|
|
|
|
// e.g. *.example.com.
|
|
|
|
repeated string sni_domains = 1;
|
|
|
|
|
|
|
|
// If non-empty, an IP address and prefix length to match addresses when the
|
|
|
|
// listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
|
|
|
|
message CidrRange {
|
|
|
|
string address_prefix = 1;
|
|
|
|
google.protobuf.UInt32Value prefix_len = 2;
|
|
|
|
}
|
|
|
|
repeated CidrRange prefix_ranges = 3;
|
|
|
|
|
|
|
|
// If non-empty, an IP address and suffix length to match addresses when the
|
|
|
|
// listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
|
|
|
|
string address_suffix = 4;
|
|
|
|
google.protobuf.UInt32Value suffix_len = 5;
|
|
|
|
|
|
|
|
// The criteria is satisfied if the source IP address of the downstream
|
|
|
|
// connection is contained in at least one of the specified subnets. If the
|
|
|
|
// parameter is not specified or the list is empty, the source IP address is
|
|
|
|
// ignored.
|
|
|
|
repeated CidrRange source_prefix_ranges = 6;
|
|
|
|
|
|
|
|
// The criteria is satisfied if the source port of the downstream connection
|
|
|
|
// is contained in at least one of the specified ports. If the parameter is
|
|
|
|
// not specified, the source port is ignored.
|
|
|
|
repeated google.protobuf.UInt32Value source_ports = 7;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Grouping of FilterChainMatch criteria, DownstreamTlsContext, the actual filter chain
|
|
|
|
// and related parameters.
|
|
|
|
message FilterChain {
|
|
|
|
FilterChainMatch filter_chain_match = 1;
|
|
|
|
DownstreamTlsContext tls_context = 2;
|
|
|
|
// A list of individual network filters that make up the filter chain for
|
|
|
|
// connections established with the listener. Order matters as the filters are
|
|
|
|
// processed sequentially as connection events happen. Note: If the filter
|
|
|
|
// list is empty, the connection will close by default.
|
|
|
|
repeated Filter filter_chain = 3;
|
|
|
|
|
|
|
|
// Whether the listener should expect a PROXY protocol V1 header on new
|
|
|
|
// connections. If this option is enabled, the listener will assume that that
|
|
|
|
// remote address of the connection is the one specified in the header. Some
|
|
|
|
// load balancers including the AWS ELB support this option. If the option is
|
|
|
|
// absent or set to false, Envoy will use the physical peer address of the
|
|
|
|
// connection as the remote address.
|
|
|
|
google.protobuf.BoolValue use_proxy_proto = 4;
|
|
|
|
|
|
|
|
// See base.Metadata description.
|
|
|
|
Metadata metadata = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
message Listener {
|
|
|
|
// The address that the listener should listen on.
|
|
|
|
UnresolvedAddress address = 1;
|
|
|
|
|
|
|
|
// A list of filter chains to consider for this listener. The FilterChain with
|
|
|
|
// the most specific FilterChainMatch criteria is used on a connection. The
|
|
|
|
// algorithm works as follows:
|
|
|
|
// 1. If SNI information is presented at connection time, only the
|
|
|
|
// FilterChains matching the SNI are considered. Otherwise, only
|
|
|
|
// FilterChains with no SNI domains are considered.
|
|
|
|
// 2. Of the FilterChains from step 1, the longest prefix match on the
|
|
|
|
// bound destination address is used to select the next set of
|
|
|
|
// FilterChains. This may be one FilterChain or multiple if there is
|
|
|
|
// a tie.
|
|
|
|
// 3. The longest suffix match on the bound destination address is used to
|
|
|
|
// select the FilterChain from step 2 that is used.
|
|
|
|
repeated FilterChain filter_chains = 2;
|
|
|
|
|
|
|
|
// If a connection is redirected using iptables, the port on which the proxy
|
|
|
|
// receives it might be different from the original destination port. When
|
|
|
|
// this flag is set to true, the listener uses the original destination
|
|
|
|
// address and port during FilterChain matching. Default is false.
|
|
|
|
google.protobuf.BoolValue use_original_dst = 3;
|
|
|
|
|
|
|
|
// Soft limit on size of the listener’s new connection read and write buffers.
|
|
|
|
// If unspecified, an implementation defined default is applied (1MiB).
|
|
|
|
google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 4;
|
|
|
|
|
|
|
|
// See base.Metadata description.
|
|
|
|
Metadata metadata = 5;
|
|
|
|
}
|