SNI dynamic forward proxy

Attention

SNI dynamic forward proxy support should be considered alpha and not production ready.

Through the combination of the TLS inspector listener filter, this network filter and the dynamic forward proxy cluster, Envoy supports SNI-based dynamic forward proxying. The implementation works just like the HTTP dynamic forward proxy, but uses the value in SNI as the target host instead of the HTTP Host header.

The following is a complete configuration that configures both this filter and the dynamic forward proxy cluster. The filter and the cluster must be configured together and point to the same DNS cache parameters for Envoy to operate as an SNI dynamic forward proxy.

Note

The following config doesn't terminate TLS in the listener, so there is no need to configure a TLS context in the cluster. The TLS handshake is passed through by Envoy unchanged; the listener only reads the SNI value from the ClientHello to pick the upstream host.

admin:
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    listener_filters:
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:
      - name: envoy.filters.network.sni_dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
          port_value: 443
          dns_cache_config:
            name: dynamic_forward_proxy_cache_config
            dns_lookup_family: V4_ONLY
      - name: envoy.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: dynamic_forward_proxy_cluster
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
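The requirement above (filter and cluster configured together, pointing at the same DNS cache parameters) is easy to break when the two halves of the config are edited separately. The following is an added example, not Envoy project code: a small Python consistency check that walks an already-parsed Envoy bootstrap (a plain dict, as PyYAML or json.loads would produce; PAGE_CONFIG below is a constructed copy of the configuration above) and reports the mismatches the documentation warns about. The function names (check_sni_dfp_config, mismatched_config) are this example's own.

```python
"""Consistency check for an Envoy SNI dynamic forward proxy bootstrap (added example)."""
import copy

SNI_DFP_FILTER = "envoy.filters.network.sni_dynamic_forward_proxy"
TLS_INSPECTOR = "envoy.filters.listener.tls_inspector"
TCP_PROXY_FILTER = "envoy.tcp_proxy"
DFP_CLUSTER_TYPE = "envoy.clusters.dynamic_forward_proxy"


def _dfp_clusters(bootstrap):
    """Map cluster name -> dns_cache_config for every dynamic_forward_proxy cluster."""
    result = {}
    for cluster in bootstrap.get("static_resources", {}).get("clusters", []):
        ctype = cluster.get("cluster_type", {})
        if ctype.get("name") == DFP_CLUSTER_TYPE:
            result[cluster["name"]] = ctype.get("typed_config", {}).get("dns_cache_config")
    return result


def check_sni_dfp_config(bootstrap):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    clusters = _dfp_clusters(bootstrap)
    for listener in bootstrap.get("static_resources", {}).get("listeners", []):
        lname = listener.get("name", "<unnamed>")
        has_tls_inspector = any(
            f.get("name") == TLS_INSPECTOR for f in listener.get("listener_filters", []))
        for chain in listener.get("filter_chains", []):
            filters = chain.get("filters", [])
            names = [f.get("name") for f in filters]
            if SNI_DFP_FILTER not in names:
                continue
            # Without the TLS inspector there is no SNI value for the filter to use.
            if not has_tls_inspector:
                problems.append(f"{lname}: {SNI_DFP_FILTER} needs the {TLS_INSPECTOR} listener filter")
            sni_idx = names.index(SNI_DFP_FILTER)
            filter_cache = filters[sni_idx].get("typed_config", {}).get("dns_cache_config")
            if filter_cache is None:
                problems.append(f"{lname}: {SNI_DFP_FILTER} has no dns_cache_config")
            # The SNI filter only resolves the host; tcp_proxy must follow it and
            # forward to a dynamic_forward_proxy cluster sharing the same DNS cache.
            if TCP_PROXY_FILTER not in names or names.index(TCP_PROXY_FILTER) < sni_idx:
                problems.append(f"{lname}: no tcp_proxy filter after {SNI_DFP_FILTER}")
                continue
            target = filters[names.index(TCP_PROXY_FILTER)].get("typed_config", {}).get("cluster")
            if target not in clusters:
                problems.append(f"{lname}: tcp_proxy cluster {target!r} is not a {DFP_CLUSTER_TYPE} cluster")
                continue
            if clusters[target] != filter_cache:
                problems.append(f"{lname}: dns_cache_config of the filter and of cluster {target!r} differ")
    return problems


# Constructed input: the page's configuration as the dict a YAML parser would yield
# (the "@type" keys and admin block are omitted because the check does not use them).
PAGE_CONFIG = {
    "static_resources": {
        "listeners": [{
            "name": "listener_0",
            "listener_filters": [{"name": TLS_INSPECTOR}],
            "filter_chains": [{"filters": [
                {"name": SNI_DFP_FILTER, "typed_config": {
                    "port_value": 443,
                    "dns_cache_config": {"name": "dynamic_forward_proxy_cache_config",
                                         "dns_lookup_family": "V4_ONLY"}}},
                {"name": TCP_PROXY_FILTER, "typed_config": {
                    "stat_prefix": "tcp", "cluster": "dynamic_forward_proxy_cluster"}},
            ]}],
        }],
        "clusters": [{
            "name": "dynamic_forward_proxy_cluster",
            "lb_policy": "CLUSTER_PROVIDED",
            "cluster_type": {"name": DFP_CLUSTER_TYPE, "typed_config": {
                "dns_cache_config": {"name": "dynamic_forward_proxy_cache_config",
                                     "dns_lookup_family": "V4_ONLY"}}},
        }],
    },
}


def mismatched_config():
    """Constructed negative case: the cluster's DNS cache drifts from the filter's."""
    cfg = copy.deepcopy(PAGE_CONFIG)
    cluster = cfg["static_resources"]["clusters"][0]
    cluster["cluster_type"]["typed_config"]["dns_cache_config"]["dns_lookup_family"] = "V6_ONLY"
    return cfg


if __name__ == "__main__":
    print("page config:", check_sni_dfp_config(PAGE_CONFIG) or "OK")
    print("drifted config:", check_sni_dfp_config(mismatched_config()))
```

The check compares the whole dns_cache_config mapping rather than only the cache name, since two caches with the same name but different lookup families or TTLs are exactly the kind of drift the documentation's "same DNS cache parameters" wording rules out.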