diff --git a/BUILD b/BUILD
index bde7ff38..554d3fde 100644
--- a/BUILD
+++ b/BUILD
@@ -244,6 +244,8 @@ proto_library(
 "//envoy/extensions/formatter/cel/v3:pkg",
 "//envoy/extensions/formatter/metadata/v3:pkg",
 "//envoy/extensions/formatter/req_without_query/v3:pkg",
+ "//envoy/extensions/geoip_providers/common/v3:pkg",
+ "//envoy/extensions/geoip_providers/maxmind/v3:pkg",
 "//envoy/extensions/health_check/event_sinks/file/v3:pkg",
 "//envoy/extensions/health_checkers/redis/v3:pkg",
 "//envoy/extensions/health_checkers/thrift/v3:pkg",
diff --git a/envoy/extensions/filters/http/geoip/v3/geoip.proto b/envoy/extensions/filters/http/geoip/v3/geoip.proto
index dfab28e0..4ef26a82 100644
--- a/envoy/extensions/filters/http/geoip/v3/geoip.proto
+++ b/envoy/extensions/filters/http/geoip/v3/geoip.proto
@@ -21,52 +21,6 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // [#extension: envoy.filters.http.geoip] message Geoip { - // The set of geolocation headers to add to request. If any of the configured headers is present - // in the incoming request, it will be overridden by Geoip filter. - // [#next-free-field: 10] - message GeolocationHeadersToAdd { - // If set, the header will be used to populate the country ISO code associated with the IP address. - string country = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // If set, the header will be used to populate the city associated with the IP address. - string city = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // If set, the header will be used to populate the region ISO code associated with the IP address. - string region = 3 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // If set, the header will be used to populate the ASN associated with the IP address. - string asn = 4 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g. VPN, public proxy etc) - // and header will be populated with the check result. Header value will be set to either "true" or "false" depending on the check result. - string is_anon = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // If set, the IP address will be checked if it belongs to a VPN and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. 
- string anon_vpn = 6 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // If set, the IP address will be checked if it belongs to a hosting provider and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. - string anon_hosting = 7 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // If set, the IP address will be checked if it belongs to a TOR exit node and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. - string anon_tor = 8 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // If set, the IP address will be checked if it belongs to a public proxy and header will be populated with the check result. - // Header value will be set to either "true" or "false" depending on the check result. - string anon_proxy = 9 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - } - message XffConfig { // The number of additional ingress proxy hops from the right side of the // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when @@ -82,9 +36,10 @@ message Geoip { // [#next-free-field: 2] XffConfig xff_config = 1; - // Configuration for geolocation headers to add to request. - GeolocationHeadersToAdd geo_headers_to_add = 2 [(validate.rules).message = {required: true}]; - - // Geolocation provider specific configuration. + // Geoip driver specific configuration which depends on the driver being instantiated. + // See the geoip drivers for examples: + // + // - :ref:`MaxMindConfig ` + // [#extension-category: envoy.geoip_providers] config.core.v3.TypedExtensionConfig provider = 3 [(validate.rules).message = {required: true}]; } 
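Review bot: Field number 2 (`geo_headers_to_add`) is dropped from `Geoip` in the second hunk without being reserved, so a later field could reuse the number or the name and silently reinterpret configs written for the old layout. Add `reserved 2;` and `reserved "geo_headers_to_add";` next to `xff_config`. The file is marked work_in_progress, so the removal itself may be acceptable, but the reservation keeps stale configs from being misread. The `Geoip` message starts outside this hunk.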
diff --git a/envoy/extensions/geoip_providers/common/v3/BUILD b/envoy/extensions/geoip_providers/common/v3/BUILD new file mode 100644 index 00000000..ee92fb65 --- /dev/null +++ b/envoy/extensions/geoip_providers/common/v3/BUILD @@ -0,0 +1,9 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"], +) diff --git a/envoy/extensions/geoip_providers/common/v3/common.proto b/envoy/extensions/geoip_providers/common/v3/common.proto new file mode 100644 index 00000000..91a9126c --- /dev/null +++ b/envoy/extensions/geoip_providers/common/v3/common.proto 
@@ -0,0 +1,68 @@
+syntax = "proto3";
+
+package envoy.extensions.geoip_providers.common.v3;
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.geoip_providers.common.v3";
+option java_outer_classname = "CommonProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/common/v3;commonv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Common Geolocation Provider Configuration]
+// Common geolocation provider :ref:`configuration overview `.
+// Common configuration shared across geolocation providers.
+
+message CommonGeoipProviderConfig {
+ // The set of geolocation headers to add to request. If any of the configured headers is present
+ // in the incoming request, it will be overridden by the :ref:`Geoip filter `.
+ // [#next-free-field: 10]
+ message GeolocationHeadersToAdd {
+ // If set, the header will be used to populate the country ISO code associated with the IP address.
+ string country = 1
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // If set, the header will be used to populate the city associated with the IP address.
+ string city = 2
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // If set, the header will be used to populate the region ISO code associated with the IP address.
+ // The least specific subdivision will be selected as region value.
+ string region = 3
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // If set, the header will be used to populate the ASN associated with the IP address.
+ string asn = 4
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g. VPN, public proxy etc)
+ // and header will be populated with the check result. Header value will be set to either "true" or "false" depending on the check result.
+ string is_anon = 5
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // If set, the IP address will be checked if it belongs to a VPN and header will be populated with the check result.
+ // Header value will be set to either "true" or "false" depending on the check result.
+ string anon_vpn = 6
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // If set, the IP address will be checked if it belongs to a hosting provider and header will be populated with the check result.
+ // Header value will be set to either "true" or "false" depending on the check result.
+ string anon_hosting = 7
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // If set, the IP address will be checked if it belongs to a TOR exit node and header will be populated with the check result.
+ // Header value will be set to either "true" or "false" depending on the check result.
+ string anon_tor = 8
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // If set, the IP address will be checked if it belongs to a public proxy and header will be populated with the check result.
+ // Header value will be set to either "true" or "false" depending on the check result.
+ string anon_proxy = 9
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+ }
+
+ // Configuration for geolocation headers to add to request.
+ GeolocationHeadersToAdd geo_headers_to_add = 1 [(validate.rules).message = {required: true}];
+}
diff --git a/envoy/extensions/geoip_providers/maxmind/v3/BUILD b/envoy/extensions/geoip_providers/maxmind/v3/BUILD
new file mode 100644
index 00000000..082f67d1
--- /dev/null
+++ b/envoy/extensions/geoip_providers/maxmind/v3/BUILD
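Review bot: The comment on `GeolocationHeadersToAdd` says a configured header is overridden when the request already carries it, but it does not say what happens to a client-supplied value when the lookup returns no data for the address. Upstreams are likely to make access decisions on `is_anon`, `anon_tor` and the other anonymization headers, so a client value surviving in that case would let the caller choose its own answer; this cannot be judged from the proto alone. I would state the behaviour in the message comment, for example `// A configured header is always removed from the incoming request, even when the lookup yields no value.` if that is what the provider does. Separately, `required: true` on `geo_headers_to_add` only checks presence: with every field `ignore_empty`, a message with no header configured still passes validation.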
@@ -0,0 +1,13 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/extensions/geoip_providers/common/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + "@com_github_cncf_udpa//xds/annotations/v3:pkg", + ], +) diff --git a/envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto b/envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto new file mode 100644 index 00000000..3fc7f7c1 --- /dev/null +++ b/envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto 
@@ -0,0 +1,42 @@
+syntax = "proto3";
+
+package envoy.extensions.geoip_providers.maxmind.v3;
+
+import "envoy/extensions/geoip_providers/common/v3/common.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.geoip_providers.maxmind.v3";
+option java_outer_classname = "MaxmindProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/maxmind/v3;maxmindv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: MaxMind Geolocation Provider]
+// MaxMind geolocation provider :ref:`configuration overview `.
+// At least one geolocation database path :ref:`city_db_path `,
+// :ref:`isp_db_path ` or
+// :ref:`anon_db_path ` must be configured.
+// [#extension: envoy.geoip_providers.maxmind]
+
+message MaxMindConfig {
+ // Full file path to the Maxmind city database, e.g. /etc/GeoLite2-City.mmdb.
+ // Database file is expected to have .mmdb extension.
+ string city_db_path = 1 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
+
+ // Full file path to the Maxmind ASN database, e.g. /etc/GeoLite2-ASN.mmdb.
+ // Database file is expected to have .mmdb extension.
+ string isp_db_path = 2 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
+
+ // Full file path to the Maxmind anonymous IP database, e.g. /etc/GeoIP2-Anonymous-IP.mmdb.
+ // Database file is expected to have .mmdb extension.
+ string anon_db_path = 3 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
+
+ // Common provider configuration that specifies which geolocation headers will be populated with geolocation data.
+ common.v3.CommonGeoipProviderConfig common_provider_config = 4
+ [(validate.rules).message = {required: true}];
+}
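Review bot: The file comment says at least one of `city_db_path`, `isp_db_path` or `anon_db_path` must be configured, but `pattern: "^$|^.*\\.mmdb$"` accepts the empty string on each field, so a `MaxMindConfig` with no database at all passes validation. The rule therefore has to be enforced when the provider is constructed, and the message comment should say so, for example `// Not enforced by validation: the provider must reject a config with all three paths empty.` The pattern also checks only the suffix, so it guards against typos and does not restrict where the file may live; the comment could note that the path is expected to come from trusted configuration.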
diff --git a/versioning/BUILD b/versioning/BUILD
index aebd1017..43de328f 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -182,6 +182,8 @@ proto_library(
 "//envoy/extensions/formatter/cel/v3:pkg",
 "//envoy/extensions/formatter/metadata/v3:pkg",
 "//envoy/extensions/formatter/req_without_query/v3:pkg",
+ "//envoy/extensions/geoip_providers/common/v3:pkg",
+ "//envoy/extensions/geoip_providers/maxmind/v3:pkg",
 "//envoy/extensions/health_check/event_sinks/file/v3:pkg",
 "//envoy/extensions/health_checkers/redis/v3:pkg",
 "//envoy/extensions/health_checkers/thrift/v3:pkg",