// This is heavily derived from // https://lyft.github.io/envoy/docs/configuration/listeners/listeners.html // The v2 gRPC API differences are tagged with [V2-API-DIFF]. syntax = "proto3"; package envoy.api.v2; import "api/address.proto"; import "api/base.proto"; import "api/tls_context.proto"; import "google/api/annotations.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; // The Envoy instance initiates an RPC at startup to discover a list of // listeners. Updates are delivered via streaming from the LDS server and // consist of a complete update of all listeners. Existing connections will be // allowed to drain from listeners that are no longer present. service ListenerDiscoveryService { rpc StreamListeners(stream DiscoveryRequest) returns (stream DiscoveryResponse) { } rpc FetchListeners(DiscoveryRequest) returns (DiscoveryResponse) { option (google.api.http) = { post: "/v2/discovery:listeners" body: "*" }; } } message Filter { // The name of the filter to instantiate. The name must match a supported // filter. string name = 1; // Filter specific configuration which depends on the filter being // instantiated. See the supported filters for further documentation. google.protobuf.Struct config = 2; message DeprecatedV1 { string type = 1; } DeprecatedV1 deprecated_v1 = 3; } // Specifies the match criteria for selecting a specific filter chain for a // listener [V2-API-DIFF]. message FilterChainMatch { // If non-empty, the SNI domains to consider. May contain a wildcard prefix, // e.g. *.example.com. repeated string sni_domains = 1; // If non-empty, an IP address and prefix length to match addresses when the // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. message CidrRange { string address_prefix = 1; google.protobuf.UInt32Value prefix_len = 2; } repeated CidrRange prefix_ranges = 3; // If non-empty, an IP address and suffix length to match addresses when the // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. string address_suffix = 4; google.protobuf.UInt32Value suffix_len = 5; // The criteria is satisfied if the source IP address of the downstream // connection is contained in at least one of the specified subnets. If the // parameter is not specified or the list is empty, the source IP address is // ignored. repeated CidrRange source_prefix_ranges = 6; // The criteria is satisfied if the source port of the downstream connection // is contained in at least one of the specified ports. If the parameter is // not specified, the source port is ignored. repeated google.protobuf.UInt32Value source_ports = 7; // Optional destination port to consider when use_original_dst is set on the // listener in determining a filter chain match. google.protobuf.UInt32Value destination_port = 8; } // Grouping of FilterChainMatch criteria, DownstreamTlsContext, the actual filter chain // and related parameters. message FilterChain { FilterChainMatch filter_chain_match = 1; DownstreamTlsContext tls_context = 2; // A list of individual network filters that make up the filter chain for // connections established with the listener. Order matters as the filters are // processed sequentially as connection events happen. Note: If the filter // list is empty, the connection will close by default. repeated Filter filters = 3; // Whether the listener should expect a PROXY protocol V1 header on new // connections. If this option is enabled, the listener will assume that that // remote address of the connection is the one specified in the header. Some // load balancers including the AWS ELB support this option. If the option is // absent or set to false, Envoy will use the physical peer address of the // connection as the remote address. google.protobuf.BoolValue use_proxy_proto = 4; // See base.Metadata description. Metadata metadata = 5; } message Listener { // The address that the listener should listen on. UnresolvedAddress address = 1; // A list of filter chains to consider for this listener. The FilterChain with // the most specific FilterChainMatch criteria is used on a connection. The // algorithm works as follows: // 1. If SNI information is presented at connection time, only the // FilterChains matching the SNI are considered. Otherwise, only // FilterChains with no SNI domains are considered. // 2. Of the FilterChains from step 1, the longest prefix match on the // bound destination address is used to select the next set of // FilterChains. This may be one FilterChain or multiple if there is // a tie. // 3. The longest suffix match on the bound destination address is used to // select the FilterChain from step 2 that is used. repeated FilterChain filter_chains = 2; // If a connection is redirected using iptables, the port on which the proxy // receives it might be different from the original destination port. When // this flag is set to true, the listener uses the original destination // address and port during FilterChain matching. Default is false. google.protobuf.BoolValue use_original_dst = 3; // Soft limit on size of the listener’s new connection read and write buffers. // If unspecified, an implementation defined default is applied (1MiB). google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 4; // See base.Metadata description. Metadata metadata = 5; // The unique name of the listener. If no name is provided, Envoy will generate a // UUID for internal use. The name is used for dynamic listener update and removal // via the LDS APIs. string name = 6; message DeprecatedV1 { // Whether the listener should bind to the port. A listener that doesn’t // bind can only receive connections redirected from other listeners that // set use_original_dst parameter to true. Default is true. // // [V2-API-DIFF] This is deprecated in v2, all Listeners will bind to their // port. An additional filter chain must be created for every original // destination port this listener may redirect to in v2, with the original // port specified in the FilterChainMatch destination_port field. google.protobuf.BoolValue bind_to_port = 1; } DeprecatedV1 deprecated_v1 = 7; }