syntax = "proto3"; package envoy.api.v2; import "api/address.proto"; import "api/base.proto"; import "api/discovery.proto"; import "api/sds.proto"; import "google/api/annotations.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; import "validate/validate.proto"; // [#protodoc-title: Listeners and LDS] // Listener :ref:`configuration overview ` // The Envoy instance initiates an RPC at startup to discover a list of // listeners. Updates are delivered via streaming from the LDS server and // consist of a complete update of all listeners. Existing connections will be // allowed to drain from listeners that are no longer present. service ListenerDiscoveryService { rpc StreamListeners(stream DiscoveryRequest) returns (stream DiscoveryResponse) { } rpc FetchListeners(DiscoveryRequest) returns (DiscoveryResponse) { option (google.api.http) = { post: "/v2/discovery:listeners" body: "*" }; } } message Listener { // The unique name by which this listener is known. If no name is provided, // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically // updated or removed via :ref:`LDS ` a unique name must be provided. // By default, the maximum length of a listener's name is limited to 60 characters. This limit can // be increased by setting the :option:`--max-obj-name-len` command line argument to the desired // value. string name = 1; // The address that the listener should listen on. In general, the address must be unique, though // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on // Linux as the actual port will be allocated by the OS. Address address = 2 [(validate.rules).message.required = true]; // A list of filter chains to consider for this listener. The // :ref:`FilterChain ` with the most specific :ref:`FilterChainMatch // ` criteria is used on a connection. // // .. attention:: // // In the current version, multiple filter chains are supported **only** so that SNI can be // configured. See the :ref:`FAQ entry ` on how to configure SNI for more // information. When multiple filter chains are configured, each filter chain must have an // **identical** set of :ref:`filters `. If the filters // differ, the configuration will fail to load. In the future, this limitation will be relaxed // such that different filters can be used depending on which filter chain matches (based on SNI // or some other parameter). repeated FilterChain filter_chains = 3 [(validate.rules).repeated .min_items = 1]; // If a connection is redirected using *iptables*, the port on which the proxy // receives it might be different from the original destination address. When this flag is set to // true, the listener hands off redirected connections to the listener associated with the // original destination address. If there is no listener associated with the original destination // address, the connection is handled by the listener that receives it. Defaults to false. // // .. attention:: // // This field is deprecated. Use :ref:`an original_dst ` // :ref:`listener filter ` instead. // // Note that hand off to another listener is *NOT* performed without this flag. Once // :ref:`FilterChainMatch ` is implemented this flag will be // removed, as filter chain matching can be used to select a filter chain based on the restored // destination address. google.protobuf.BoolValue use_original_dst = 4 [deprecated = true]; // Soft limit on size of the listener’s new connection read and write buffers. // If unspecified, an implementation defined default is applied (1MiB). google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5; // Listener metadata. Metadata metadata = 6; // [#not-implemented-hide:] message DeprecatedV1 { // Whether the listener should bind to the port. A listener that doesn’t // bind can only receive connections redirected from other listeners that // set use_original_dst parameter to true. Default is true. // // [V2-API-DIFF] This is deprecated in v2, all Listeners will bind to their // port. An additional filter chain must be created for every original // destination port this listener may redirect to in v2, with the original // port specified in the FilterChainMatch destination_port field. google.protobuf.BoolValue bind_to_port = 1; } // [#not-implemented-hide:] DeprecatedV1 deprecated_v1 = 7; enum DrainType { // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check // filter), listener removal/modification, and hot restart. DEFAULT = 0; // Drain in response to listener removal/modification and hot restart. This setting does not // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress // and egress listeners. MODIFY_ONLY = 1; } // The type of draining to perform at a listener-wide level. DrainType drain_type = 8; // Listener filters have the opportunity to manipulate and augment the connection metadata that // is used in connection filter chain matching, for example. These filters are run before any in // :ref:`filter_chains `. Order matters as the filters // are processed sequentially right after a socket has been accepted by the listener, and before // a connection is created. repeated ListenerFilter listener_filters = 9; } message Filter { // The name of the filter to instantiate. The name must match a supported // filter. The built-in filters are: // // [#comment:TODO(mattklein123): Auto generate the following list] // * :ref:`envoy.client_ssl_auth` // * :ref:`envoy.echo ` // * :ref:`envoy.http_connection_manager ` // * :ref:`envoy.mongo_proxy ` // * :ref:`envoy.ratelimit ` // * :ref:`envoy.redis_proxy ` // * :ref:`envoy.tcp_proxy ` string name = 1 [(validate.rules).string.min_bytes = 1]; // Filter specific configuration which depends on the filter being // instantiated. See the supported filters for further documentation. google.protobuf.Struct config = 2; // [#not-implemented-hide:] message DeprecatedV1 { string type = 1; } // [#not-implemented-hide:] DeprecatedV1 deprecated_v1 = 3 [deprecated = true]; } // Specifies the match criteria for selecting a specific filter chain for a // listener. message FilterChainMatch { // If non-empty, the SNI domains to consider. May contain a wildcard prefix, // e.g. ``*.example.com``. // // .. attention:: // // See the :ref:`FAQ entry ` on how to configure SNI for more // information. repeated string sni_domains = 1; // If non-empty, an IP address and prefix length to match addresses when the // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. // [#not-implemented-hide:] repeated CidrRange prefix_ranges = 3; // If non-empty, an IP address and suffix length to match addresses when the // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. // [#not-implemented-hide:] string address_suffix = 4; // [#not-implemented-hide:] google.protobuf.UInt32Value suffix_len = 5; // The criteria is satisfied if the source IP address of the downstream // connection is contained in at least one of the specified subnets. If the // parameter is not specified or the list is empty, the source IP address is // ignored. // [#not-implemented-hide:] repeated CidrRange source_prefix_ranges = 6; // The criteria is satisfied if the source port of the downstream connection // is contained in at least one of the specified ports. If the parameter is // not specified, the source port is ignored. // [#not-implemented-hide:] repeated google.protobuf.UInt32Value source_ports = 7; // Optional destination port to consider when use_original_dst is set on the // listener in determining a filter chain match. // [#not-implemented-hide:] google.protobuf.UInt32Value destination_port = 8; } // A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and // various other parameters. message FilterChain { // The criteria to use when matching a connection to this filter chain. FilterChainMatch filter_chain_match = 1; // The TLS context for this filter chain. DownstreamTlsContext tls_context = 2; // A list of individual network filters that make up the filter chain for // connections established with the listener. Order matters as the filters are // processed sequentially as connection events happen. Note: If the filter // list is empty, the connection will close by default. repeated Filter filters = 3; // Whether the listener should expect a PROXY protocol V1 header on new // connections. If this option is enabled, the listener will assume that that // remote address of the connection is the one specified in the header. Some // load balancers including the AWS ELB support this option. If the option is // absent or set to false, Envoy will use the physical peer address of the // connection as the remote address. google.protobuf.BoolValue use_proxy_proto = 4; // [#not-implemented-hide:] filter chain metadata. Metadata metadata = 5; // [#not-implemented-hide:] See base.TransportSocket description. TransportSocket transport_socket = 6; } message ListenerFilter { // The name of the filter to instantiate. The name must match a supported // filter. The built-in filters are: // // [#comment:TODO(mattklein123): Auto generate the following list] // * :ref:`envoy.listener.original_dst ` string name = 1 [(validate.rules).string.min_bytes = 1]; // Filter specific configuration which depends on the filter being // instantiated. See the supported filters for further documentation. google.protobuf.Struct config = 2; }