From 3ad64fb397cb7f430c3a149d167fa6232f0b13c5 Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Fri, 6 May 2022 14:14:46 +0000
Subject: [PATCH] proxy protocol: optionally auto-detect presence of proxy protocol (#18951)
Allows users to opt-in to functionality to auto-detect proxy protocol if present, and skip the filter if it's not present.
Signed-off-by: Kevin Dorosh
Mirrored from https://github.com/envoyproxy/envoy @ 18c59eaf1b78c5b6bbe4d6ad96009ec3ecd895e1
---
 .../proxy_protocol/v3/proxy_protocol.proto | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto b/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
index 1dd001b9..50472e56 100644
--- a/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
+++ b/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
@@ -41,4 +41,21 @@ message ProxyProtocol {
 // The list of rules to apply to requests.
 repeated Rule rules = 1;
+
+ // Allow requests through that don't use proxy protocol. Defaults to false.
+ //
+ // .. attention::
+ //
+ // This breaks conformance with the specification.
+ // Only enable if ALL traffic to the listener comes from a trusted source.
+ // For more information on the security implications of this feature, see
+ // https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt
+ //
+ // .. attention::
+ //
+ // Requests of 12 or fewer bytes that match the proxy protocol v2 signature
+ // and requests of 6 or fewer bytes that match the proxy protocol v1
+ // signature will timeout (Envoy is unable to differentiate these requests
+ // from incomplete proxy protocol requests).
+ bool allow_requests_without_proxy_protocol = 2;
 }
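Review bot: The comment on `allow_requests_without_proxy_protocol` tells operators to enable it only when all traffic is trusted but never says what goes wrong otherwise; the first attention block should state the consequence instead of leaving it to the linked spec. A line such as `// With this enabled, any peer that can reach the listener can still send its own proxy protocol header, so the source address Envoy reports is only as trustworthy as the least trusted peer.` would let a reader judge whether address-based access rules or logs are affected. In the second attention block, "will timeout" should read "will time out", and naming the timeout that applies (presumably the listener's `listener_filters_timeout`) would help operators judge how long such a connection stalls. The ProxyProtocol message begins outside this hunk, so any fields other than `rules` are not visible here.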