diff --git a/envoy/api/v2/listener/listener.proto b/envoy/api/v2/listener/listener.proto
index 0fbffc7b..311ba3ea 100644
--- a/envoy/api/v2/listener/listener.proto
+++ b/envoy/api/v2/listener/listener.proto
@@ -63,23 +63,13 @@ message Filter {
 // of the configured filter chains that matches the incoming connection is going
 // to be used (e.g. for SNI ``www.example.com`` the most specific match would be
 // ``www.example.com``, then ``*.example.com``, then any filter chain without
-// ``sni_domains`` requirements).
+// ``server_names`` requirements).
+//
+// [#comment: Implemented rules are kept in the preference order, with deprecated fields
+// listed at the end, because that's how we want to list them in the docs.
 //
 // [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
 message FilterChainMatch {
- // If non-empty, the SNI domain names to consider. May contain a wildcard prefix for
- // the bottom-level domain of a domain name, e.g. ``*.example.com``.
- //
- // Note that ``foo.example.com`` will be matched by ``foo.example.com``
- // and ``*.example.com`` SNI domain names, but **not** by ``*foo.example.com``,
- // ``*oo.example.com``, ``*example.com``, ``*.com`` or ``*``.
- //
- // .. attention::
- //
- // See the :ref:`FAQ entry ` on how to configure SNI for more
- // information.
- repeated string sni_domains = 1;
-
 // If non-empty, an IP address and prefix length to match addresses when the
 // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
 // [#not-implemented-hide:]
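Review bot: The added `[#comment: Implemented rules are kept in the preference order, ...` annotation in the message-level comment has no closing `]` of its own; the only `]` that follows is the one ending the `[#comment:TODO(PiotrSikora): ...]` line. If the docs tooling ends an annotation at the first `]`, the new text is hidden only because the TODO happens to follow it, and it would leak into the rendered docs once that TODO is removed. Closing it explicitly, `// listed at the end, because that's how we want to list them in the docs.]`, keeps the two annotations independent.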
@@ -111,6 +101,23 @@ message FilterChainMatch {
 // [#not-implemented-hide:]
 google.protobuf.UInt32Value destination_port = 8;
 
+ // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
+ // a filter chain match. Those values will be compared against the server names of a new connection,
+ // when detected by one of the listener filters.
+ //
+ // The values may contain a wildcard prefix for the bottom-level domain of a domain name,
+ // e.g. ``*.example.com``.
+ //
+ // Note that ``foo.example.com`` will be matched by ``foo.example.com`` and ``*.example.com``
+ // server names, but **not** by ``*foo.example.com``, ``*oo.example.com``, ``*example.com``,
+ // ``*.com`` or ``*``.
+ //
+ // .. attention::
+ //
+ // See the :ref:`FAQ entry ` on how to configure SNI for more
+ // information.
+ repeated string server_names = 11;
+
 // If non-empty, a transport protocol to consider when determining a filter chain match.
 // This value will be compared against the transport protocol of a new connection, when
 // it's detected by one of the listener filters.
@@ -122,9 +129,9 @@ message FilterChainMatch {
 // when TLS protocol is detected.
 string transport_protocol = 9;
 
- // If non-empty, a list of application protocols to consider when determining a filter chain
- // match. Those values will be compared against the application protocols of a new connection,
- // when detected by one of the listener filters.
+ // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when
+ // determining a filter chain match. Those values will be compared against the application protocols
+ // of a new connection, when detected by one of the listener filters.
 //
 // Suggested values include:
 //
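Review bot: Nothing in the new `server_names` comment, nor in the deprecated `sni_domains` field re-added in the last hunk, says what happens when a configuration sets both fields, so a filter chain could end up matched on a different name list than the operator intended. Because this match selects which filter chain, and with it which TLS context and filters, handles a connection, the precedence should be written down, e.g. `// If both server_names and sni_domains are set, <merged | server_names wins | config rejected>.`, filled in from the implementation, which this diff does not show. The comment could also state that the server name is a client-supplied value detected by a listener filter, so it selects a chain but does not authenticate the peer, and what a chain with `server_names` does when no listener filter detected a name.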
@@ -141,6 +148,22 @@ message FilterChainMatch {
 // and matching on values other than ``h2`` is going to lead to a lot of false negatives,
 // unless all connecting clients are known to use ALPN.
 repeated string application_protocols = 10;
+
+ // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
+ // a filter chain match. Those values will be compared against the server names of a new connection,
+ // when detected by one of the listener filters.
+ //
+ // The values may contain a wildcard prefix for the bottom-level domain of a domain name,
+ // e.g. ``*.example.com``.
+ //
+ // Note that ``foo.example.com`` will be matched by ``foo.example.com`` and ``*.example.com``
+ // server names, but **not** by ``*foo.example.com``, ``*oo.example.com``, ``*example.com``,
+ // ``*.com`` or ``*``.
+ //
+ // .. attention::
+ //
+ // Deprecated. Use :ref:`server_names ` instead.
+ repeated string sni_domains = 1 [deprecated = true];
 }
 
 // A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
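Review bot: The comment on the deprecated `sni_domains` field repeats the wildcard-matching description of `server_names` in full, so the two copies can drift and someone still reading the old field may rely on stale matching rules. A pointer such as `// Deprecated. Use server_names instead; matching semantics are identical.` would avoid that, assuming the implementation treats both fields the same way, which this diff does not show. The deprecation notice is also placed last, under `.. attention::`, where it is easy to miss; leading the comment with it would make the field's status obvious.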