http: add CDN-Loop header filter (#13158)

The CdnLoopFilter implements an HTTP filter that detects and prevents CDN loops using the RFC 8586 CDN-Loop header. The filter can be configured with the CDN identifier to look for as well as the number of times the CDN identifier can be seen before responding with an error. Signed-off-by: Justin Mazzola Paluska <justinmp@google.com> Mirrored from https://github.com/envoyproxy/envoy @ c71ec2729cc3c0708223d303e0f24e3bf9a5d0eb
4 years ago · e1192f4473
parent c0b715aedb
commit e1192f4473
4 changed files with 48 additions and 0 deletions
--- a/1
+++ b/1
@ -171,6 +171,7 @@ proto_library(
        "//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
        "//envoy/extensions/filters/http/buffer/v3:pkg",
        "//envoy/extensions/filters/http/cache/v3alpha:pkg",
+        "//envoy/extensions/filters/http/cdn_loop/v3alpha:pkg",
        "//envoy/extensions/filters/http/compressor/v3:pkg",
        "//envoy/extensions/filters/http/cors/v3:pkg",
        "//envoy/extensions/filters/http/csrf/v3:pkg",
--- a/envoy/extensions/filters/http/cdn_loop/v3alpha/BUILD
+++ b/envoy/extensions/filters/http/cdn_loop/v3alpha/BUILD
@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)
--- a/envoy/extensions/filters/http/cdn_loop/v3alpha/cdn_loop.proto
+++ b/envoy/extensions/filters/http/cdn_loop/v3alpha/cdn_loop.proto
@ -0,0 +1,37 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.cdn_loop.v3alpha;
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.cdn_loop.v3alpha";
+option java_outer_classname = "CdnLoopProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: HTTP CDN-Loop Filter]
+// [#extension: envoy.filters.http.cdn_loop]
+
+// CDN-Loop Header filter config. See the :ref:`configuration overview
+// <config_http_filters_cdn_loop>` for more information.
+message CdnLoopConfig {
+  // The CDN identifier to use for loop checks and to append to the
+  // CDN-Loop header.
+  //
+  // RFC 8586 calls this the cdn-id. The cdn-id can either be a
+  // pseudonym or hostname the CDN is in control of.
+  //
+  // cdn_id must not be empty.
+  string cdn_id = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // The maximum allowed count of cdn_id in the downstream CDN-Loop
+  // request header.
+  //
+  // The default of 0 means a request can transit the CdnLoopFilter
+  // once. A value of 1 means that a request can transit the
+  // CdnLoopFilter twice and so on.
+  uint32 max_allowed_occurrences = 2;
+}
--- a/versioning/BUILD
+++ b/versioning/BUILD
@ -54,6 +54,7 @@ proto_library(
        "//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
        "//envoy/extensions/filters/http/buffer/v3:pkg",
        "//envoy/extensions/filters/http/cache/v3alpha:pkg",
+        "//envoy/extensions/filters/http/cdn_loop/v3alpha:pkg",
        "//envoy/extensions/filters/http/compressor/v3:pkg",
        "//envoy/extensions/filters/http/cors/v3:pkg",
        "//envoy/extensions/filters/http/csrf/v3:pkg",