[READ ONLY MIRROR] Envoy REST/proto API definitions and documentation. (grpc依赖)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

98 lines
3.2 KiB

syntax = "proto3";
package envoy.api.v2;
import "google/protobuf/wrappers.proto";
message DataSource {
oneof specifier {
google.protobuf.StringValue filename = 1;
google.protobuf.BytesValue inline = 2;
}
}
message TlsParameters {
enum TlsProtocol {
TLS_AUTO = 0;
TLSv1_0 = 1;
TLSv1_1 = 2;
TLSv1_2 = 3;
TLSv1_3 = 4;
}
// Allowed TLS protocols.
TlsProtocol tls_minimum_protocol_version = 1;
TlsProtocol tls_maximum_protocol_version = 2;
// If specified, the TLS listener will only support the specified cipher list.
repeated google.protobuf.StringValue cipher_suites = 3;
// If specified, the TLS connection will only support the specified ECDH
// curves. If not specified, the default curves (X25519, P-256) will be used.
repeated google.protobuf.StringValue ecdh_curves = 4;
}
// TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may
// be loaded from either.
message TlsCertificate {
DataSource cert_chain = 1;
DataSource private_key = 2;
DataSource ocsp_staple = 3;
repeated DataSource signed_certificate_timestamp = 4;
}
message CertificateValidationContext {
// TLS certificate data containing certificate authority certificates to use
// in verifying a presented certificate. If not specified and a certificate is
// presented it will not be verified.
DataSource ca_cert = 1;
// If specified, Envoy will verify (pin) the hash of the presented
// certificate.
repeated google.protobuf.StringValue verify_certificate_hash = 2;
// An optional list of subject alt names. If specified, Envoy will verify that
// the certificate’s subject alt name matches one of the specified values.
repeated google.protobuf.StringValue verify_subject_alt_name = 3;
// Must present a signed time-stamped OCSP response.
google.protobuf.BoolValue require_ocsp_staple = 4;
// Must present signed certificate time-stamp.
google.protobuf.BoolValue require_signed_certificate_timestamp = 5;
}
message UpstreamTlsContext {
// TLS protocol versions, cipher suites etc.
TlsParameters tls_params = 1;
// Client certificate to present to backend.
TlsCertificate client_certificate = 2;
// SNI string to use when creating TLS backend connections.
google.protobuf.StringValue sni = 3;
// Protocols to negotiate over ALPN
repeated google.protobuf.StringValue alpn_protocols = 4;
// How to validate the backend certificate.
CertificateValidationContext server_validation_context = 5;
}
// [V2-API-DIFF] This has been reworked to support alternative modes of
// certificate/key delivery, for consistency with the upstream TLS context and
// to segregate the client/server aspects of the TLS context.
message DownstreamTlsContext {
// TLS protocol versions, cipher suites etc.
TlsParameters tls_params = 1;
// Multiple TLS certificates can be associated with the same context, e.g. to
// allow both RSA and ECDSA certificates for the same SNI [V2-API-DIFF].
repeated TlsCertificate tls_certificates = 2;
// Supplies the list of ALPN protocols that the listener should expose.
repeated google.protobuf.StringValue alpn_protocols = 3;
// How to validate the client certificate.
CertificateValidationContext client_validation_context = 4;
}