|
|
|
syntax = "proto3";
|
|
|
|
|
|
|
|
package envoy.api.v2;
|
|
|
|
|
|
|
|
import "google/protobuf/wrappers.proto";
|
|
|
|
|
|
|
|
message DataSource {
|
|
|
|
oneof specifier {
|
|
|
|
string filename = 1;
|
|
|
|
bytes inline = 2;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
message TlsParameters {
|
|
|
|
enum TlsProtocol {
|
|
|
|
TLS_AUTO = 0;
|
|
|
|
TLSv1_0 = 1;
|
|
|
|
TLSv1_1 = 2;
|
|
|
|
TLSv1_2 = 3;
|
|
|
|
TLSv1_3 = 4;
|
|
|
|
}
|
|
|
|
// Allowed TLS protocols.
|
|
|
|
TlsProtocol tls_minimum_protocol_version = 1;
|
|
|
|
TlsProtocol tls_maximum_protocol_version = 2;
|
|
|
|
|
|
|
|
// If specified, the TLS listener will only support the specified cipher list.
|
|
|
|
repeated string cipher_suites = 3;
|
|
|
|
|
|
|
|
// If specified, the TLS connection will only support the specified ECDH
|
|
|
|
// curves. If not specified, the default curves (X25519, P-256) will be used.
|
|
|
|
repeated string ecdh_curves = 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
// TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may
|
|
|
|
// be loaded from either.
|
|
|
|
message TlsCertificate {
|
|
|
|
DataSource certificate_chain = 1;
|
|
|
|
DataSource private_key = 2;
|
|
|
|
DataSource password = 3;
|
|
|
|
DataSource ocsp_staple = 4;
|
|
|
|
repeated DataSource signed_certificate_timestamp = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
message CertificateValidationContext {
|
|
|
|
// TLS certificate data containing certificate authority certificates to use
|
|
|
|
// in verifying a presented certificate. If not specified and a certificate is
|
|
|
|
// presented it will not be verified.
|
|
|
|
DataSource trusted_ca = 1;
|
|
|
|
|
|
|
|
// If specified, Envoy will verify (pin) hex-encoded SHA-256 hash of
|
|
|
|
// the presented certificate.
|
|
|
|
repeated string verify_certificate_hash = 2;
|
|
|
|
|
|
|
|
// If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
|
|
|
|
// the Subject Public Key Information (SPKI) of the presented certificate.
|
|
|
|
// This is the same format as used in HTTP Public Key Pinning.
|
|
|
|
repeated string verify_spki_sha256 = 3;
|
|
|
|
|
|
|
|
// An optional list of subject alt names. If specified, Envoy will verify that
|
|
|
|
// the certificate’s subject alt name matches one of the specified values.
|
|
|
|
repeated string verify_subject_alt_name = 4;
|
|
|
|
|
|
|
|
// Must present a signed time-stamped OCSP response.
|
|
|
|
google.protobuf.BoolValue require_ocsp_staple = 5;
|
|
|
|
|
|
|
|
// Must present signed certificate time-stamp.
|
|
|
|
google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
|
|
|
|
}
|
|
|
|
|
|
|
|
// TLS context shared by both client and server TLS contexts.
|
|
|
|
message CommonTlsContext {
|
|
|
|
// TLS protocol versions, cipher suites etc.
|
|
|
|
TlsParameters tls_params = 1;
|
|
|
|
|
|
|
|
// Multiple TLS certificates can be associated with the same context,
|
|
|
|
// e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF].
|
|
|
|
repeated TlsCertificate tls_certificates = 2;
|
|
|
|
|
|
|
|
// How to validate peer certificates.
|
|
|
|
CertificateValidationContext validation_context = 3;
|
|
|
|
|
|
|
|
// Protocols to negotiate over ALPN
|
|
|
|
repeated string alpn_protocols = 4;
|
|
|
|
|
|
|
|
// These fields are deprecated and only are used during the interim v1 -> v2
|
|
|
|
// transition period for internal purposes. They should not be used outside of
|
|
|
|
// the Envoy binary.
|
|
|
|
message DeprecatedV1 {
|
|
|
|
string alt_alpn_protocols = 1;
|
|
|
|
}
|
|
|
|
DeprecatedV1 deprecated_v1 = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
message UpstreamTlsContext {
|
|
|
|
CommonTlsContext common_tls_context = 1;
|
|
|
|
|
|
|
|
// SNI string to use when creating TLS backend connections.
|
|
|
|
string sni = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// [V2-API-DIFF] This has been reworked to support alternative modes of
|
|
|
|
// certificate/key delivery, for consistency with the upstream TLS context and
|
|
|
|
// to segregate the client/server aspects of the TLS context.
|
|
|
|
message DownstreamTlsContext {
|
|
|
|
CommonTlsContext common_tls_context = 1;
|
|
|
|
|
|
|
|
// If specified, Envoy will reject connections without a valid client
|
|
|
|
// certificate.
|
|
|
|
google.protobuf.BoolValue require_client_certificate = 2;
|
|
|
|
|
|
|
|
// If specified, Envoy will reject connections without a valid and matching SNI.
|
|
|
|
google.protobuf.BoolValue require_sni = 3;
|
|
|
|
}
|