For matching values in the header that might be somewhere in the middle of the header, the present option is to use Regex in the form .Search-Pattern.. This can cause catastrophic backtracking as described in #7728
As a solution, I have introduced another header match type called contains which is based on absl::StrContains().
Risk Level: Low
Testing: Unit tests are included and manual testing was performed.
Fixes#12590
Signed-off-by: Shivanshu Goswami <shigoswami@ebay.com>
Mirrored from https://github.com/envoyproxy/envoy @ e322daaf0ca70fd3fcb1c1405830c73395510d93
This was added for gRPC server support, but we've decided to use resource names instead to explicitly request the listeners we want by name. This is more in-line with the new naming scheme described in the "xDS Transport Next Steps" design.
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 05cbb309b828dc86737c51fd2c79d30e48e397a4
This PR implements a new retry back off strategy that uses values from response headers like Retry-After or X-RateLimit-Reset (the headers are configurable) to decide the back off interval before retrying a request.
Signed-off-by: Martin Matusiak <numerodix@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ bd2b989c578b2472faaff44902573e5b187f671f
This implements a host_rewrite_path option for rewriting the Host header based on path. See rational in the linked issue.
Note: the regex is executed on the path with query/fragment stripped. This is analogues to what regex_rewrite option is doing.
Risk Level: Low
Testing: added unit tests
Docs Changes: document the new option in proto file
Release Notes: added to current.rst
Fixes#12430
Signed-off-by: Petr Pchelko <ppchelko@wikimedia.org>
Mirrored from https://github.com/envoyproxy/envoy @ 374dca7905fc048be74169a7655d0462606555ad
Modified dynamic_metadata action to now accept an optional default
value for instances where no value is queried from the dynamic metadata.
Signed-off-by: Clara Andrew-Wani <candrewwani@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3afa3b50eacfa39fa5b3518b05b03689dc56ef42
Extend hashing via header to support regex substitution.
This is useful when you need to hash on a transformation
of a header value (e.g.: extract a part of `:path`).
Fixes#11811
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 73fc620a34135a16070083f3c94b93d074f6e59f
Provides a way to specify dynamic rate limit override in the rate limit descriptor from static value or from dynamic metadata. New type, RateLimitUnit was created to share across config protocol and rate limit service protocol. A PR for the reference implementation of the rate limit service will follow after the API changes are discussed and accepted.
Signed-off-by: Petr Pchelko <ppchelko@wikimedia.org>
Mirrored from https://github.com/envoyproxy/envoy @ 7ea1f24bd53522408d9bc55316dff9ed1701bc73
Modifies ratelimit filter to be able to use information
from the dynamic metadata as one of its actions.
Signed-off-by: Clara Andrew-Wani <candrewwani@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 471e2394b79d2b5b13a270626738d4807a51e34a
This PR proposes to rename the RetryPolicy field num_retries to max_retries.
This parameter exists in two places: 1) the RetryPolicy message in the route configuration and 2) the header x-envoy-max-retries. The naming inconsistency is a UX papercut. max_retries feels like right name for what this field is for ie. the maximum number of retries that are permitted.
There is also a stripped down RetryPolicy message which is used by RemoteDataSource which has a num_retries field. I'm including a matching rename of that for consistency.
Risk Level: Low
Testing: N/A
Docs Changes: N/A
Release Notes: N/A
Signed-off-by: Martin Matusiak <numerodix@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 286ca92afa3eaa586ad60fe20d4f5541e77b5d5e
Resolves#10124 indirectly by adding an extra config flag to RequestHeaders through which it is possible for descriptors to be sent on a partial match.
Signed-off-by: Rohan Seth <rohan.seth@salesforce.com>
Mirrored from https://github.com/envoyproxy/envoy @ 77e436f9eb39863a4a425bbca9026c86740b36cd
Support deprecating an enum stanza as a whole by "option deprecated = true;"
Risk Level: low
Testing: Added test case; manually verified the generated config removes the deprecated enum
Docs Changes: N/A
Release Notes: N/A
Signed-off-by: pengg <pengg@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ dbb67aa4968e7ecffaff25c1723675de569b5c59
Description: router: Create InternalRedirectPolicy to capture all internal redirect related options and extend it with pluggable predicates similar to retry plugins. The previous_routes and whitelisted_routes predicate allow creating a DAG of routes for internal redirects. Each node in the DAG is a route. whitelisted_routes defines the edges of each node. previous_routes serves as visited status keeper for each of the edge. This prevents infinite loop, while allowing loop to exist in the DAG.
Risk Level: Medium
Testing: Unit tests. Integration tests.
Docs Changes: Updated HCM architecture overview page. Added toctree for the predicates.
Release Notes: Updated version history.
Signed-off-by: pengg <pengg@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1ce010929d4d283fce977bc65558da71ffe6bf7c
Un-hiding CONNECT docs and config, now that it is implemented.
Risk Level: low (docs only)
Testing: in prior PRs
Docs Changes: yes
Release Notes: yes
Fixes#1630 and #1451
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ c07e5c84437124921df24b001c93802f6bc39c1c
Deprecates GoogleRE2.max_program_size field so that client does not need to check this.
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Release Notes: Included in PR
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 10125161be0d0a759c3ffb02ddcdf8abc0bc6060
Split out from #10623
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 09bf9a1ff75879986da876d0e3248630c959cf73
Fuzzing catches more fields tripping on ASSERT(valid())
* JWT Authn filter has HTTP header name/value strings: forward_payload_header, name, value
* Route components: request_headers_to_remove
* health_check.proto: host, path, authority, and request_headers_to_remove
Test-only:
* utility fuzz test was running findQueryStringStart on a HeaderString. Fuzz inputs were not validated.
Fixes:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21323https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21623
Signed-off-by: Asra Ali <asraa@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 167df8c4554073d5115316ac36dd97088c3e6d93
This patch performs a major version freeze and bump by modifying
package_version_status, using the tooling developed in #10636.
Specifically:
v2 APIs are frozen (except for where they are the latest in their
package history and still active)
v3 APIs are transitioned to be active
Candidate v4alpha APIs are generated (not used by Envoy yet)
Fixes#10355
Risk level: medium (entire API's files are modified, visually verified
to ensure things look sane, all tests pass)
Testing: CI
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 549164c42cae84b59154ca4c36009e408aa10b52
data-plane-api(CircleCI)