From c460ae3d26336fed6bd16a7ed6326e7a0f246b3f Mon Sep 17 00:00:00 2001 From: "data-plane-api(Azure Pipelines)" Date: Mon, 11 Jul 2022 15:04:53 +0000 Subject: [PATCH] Adding direct connect support. (#21942) Creates a transport socket for HTP/1.1 proxy support. With the combination of the transport socket, and a filter putting the proxy stream info in place this will redirect TCP connections to the proxy IP address prefix TLS connections with cleartext CONECT headers to the destination host, and strip CONNECT response change cleartext HTTP/1.1 to send fully qualified URLs Risk Level: medium (intended as a no op but it does have data plane refactory) Testing: new unit, integration tests Docs Changes: n/a Part of envoyproxy/envoy-mobile#1622 Signed-off-by: Alyssa Wilk Mirrored from https://github.com/envoyproxy/envoy @ 095f4ca336d3d705e629b207fb2cbbc22d29db8f --- BUILD | 1 + .../transport_sockets/http_11_proxy/v3/BUILD | 12 +++++++ .../v3/upstream_http_11_connect.proto | 36 +++++++++++++++++++ versioning/BUILD | 1 + 4 files changed, 50 insertions(+) create mode 100644 envoy/extensions/transport_sockets/http_11_proxy/v3/BUILD create mode 100644 envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto
diff --git a/BUILD b/BUILD
index 7099a7ab..b9370c57 100644
--- a/BUILD
+++ b/BUILD
@@ -254,6 +254,7 @@ proto_library(
 "//envoy/extensions/stat_sinks/graphite_statsd/v3:pkg",
 "//envoy/extensions/stat_sinks/wasm/v3:pkg",
 "//envoy/extensions/transport_sockets/alts/v3:pkg",
+ "//envoy/extensions/transport_sockets/http_11_proxy/v3:pkg",
 "//envoy/extensions/transport_sockets/internal_upstream/v3:pkg",
 "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
 "//envoy/extensions/transport_sockets/quic/v3:pkg",
diff --git a/envoy/extensions/transport_sockets/http_11_proxy/v3/BUILD b/envoy/extensions/transport_sockets/http_11_proxy/v3/BUILD
new file mode 100644
index 00000000..1c1a6f6b
--- /dev/null
+++ b/envoy/extensions/transport_sockets/http_11_proxy/v3/BUILD
@@ -0,0 +1,12 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +)
diff --git a/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto b/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto
new file mode 100644
index 00000000..99c2e451
--- /dev/null
+++ b/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto
@@ -0,0 +1,36 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.http_11_proxy.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.http_11_proxy.v3";
+option java_outer_classname = "UpstreamHttp11ConnectProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/http_11_proxy/v3;http_11_proxyv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Upstream HTTP/1.1 Proxy]
+// [#extension: envoy.transport_sockets.http_11_proxy]
+
+// Configuration for HTTP/1.1 proxy transport sockets.
+// This is intended for use in Envoy Mobile, though may eventually be extended
+// for upstream Envoy use.
+// If this transport socket is configured, and an intermediate filter adds the
+// stream info necessary for proxying to the stream info (as the test filter
+// does :repo:`here `) then
+//
+// * Upstream connections will be directed to the specified proxy address rather
+// than the host's address
+// * Upstream TLS connections will have a raw HTTP/1.1 CONNECT header prefaced
+// to the payload, and 200 response stripped (if less than 200 bytes)
+// * Plaintext HTTP/1.1 connections will be sent with a fully qualified URL.
+//
+// This transport socket is not compatible with HTTP/3, plaintext HTTP/2, or raw TCP.
+message Http11ProxyUpstreamTransport {
+ // The underlying transport socket being wrapped.
+ config.core.v3.TransportSocket transport_socket = 1 [(validate.rules).message = {required: true}];
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index da23a1e7..a873cfc2 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
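Review bot: The comment on `Http11ProxyUpstreamTransport` says the proxy's 200 response is stripped "(if less than 200 bytes)" but leaves undocumented what the socket does when the CONNECT reply is longer than that or is not a 200, which is the failure case an operator has to reason about. This hunk only defines the config, so the actual behaviour is not visible here; the comment should state it (connection closed, or bytes handed to the wrapped socket). I would also add `// The CONNECT header, including the destination host, is sent to the proxy in cleartext before the wrapped socket's TLS handshake.` and a sentence saying that the proxy address is taken from stream info, so only a trusted filter should populate it.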
@@ -196,6 +196,7 @@ proto_library(
 "//envoy/extensions/stat_sinks/graphite_statsd/v3:pkg",
 "//envoy/extensions/stat_sinks/wasm/v3:pkg",
 "//envoy/extensions/transport_sockets/alts/v3:pkg",
+ "//envoy/extensions/transport_sockets/http_11_proxy/v3:pkg",
 "//envoy/extensions/transport_sockets/internal_upstream/v3:pkg",
 "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
 "//envoy/extensions/transport_sockets/quic/v3:pkg",