Dynamic forward proxy

Attention

HTTP dynamic forward proxy support should be considered alpha and not production ready.

The following is a complete configuration that sets up both the dynamic forward proxy HTTP filter and the dynamic forward proxy cluster. The filter and the cluster must be configured together and must reference the same DNS cache parameters (here, a cache named dynamic_forward_proxy_cache_config with dns_lookup_family V4_ONLY) for Envoy to operate as an HTTP dynamic forward proxy.

Note

The HTTP connection manager allow_absolute_url parameter has been set to true so that Envoy accepts requests whose request line carries an absolute URL (for example GET http://example.com/ HTTP/1.1), which is how HTTP clients address a forward proxy.

Attention

Configuring a tls_context with trusted_ca certificates on the cluster instructs Envoy to use TLS when connecting to upstream hosts and to verify that the presented certificate chains to a trusted CA. However, it is currently not possible to configure per-host TLS parameters: Envoy cannot set SNI per host or verify the certificate's subject alternative names against the host being proxied to. This will be added in a future change. As a result, the following configuration does not fully validate TLS certificates: any certificate issued by a trusted CA is accepted, regardless of which host it was issued for. Use with care until full support for per-host validation is implemented.

admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          http_protocol_options:
            allow_absolute_url: true
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: dynamic_forward_proxy_cluster
          http_filters:
          - name: envoy.filters.http.dynamic_forward_proxy
            config:
              dns_cache_config:
                name: dynamic_forward_proxy_cache_config
                dns_lookup_family: V4_ONLY
          - name: envoy.router
  clusters:
  - name: dynamic_forward_proxy_cluster
    connect_timeout: 1s
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
    tls_context:
      common_tls_context:
        validation_context:
          trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}
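The pairing rule above (filter and cluster present, identical DNS cache parameters) and the TLS caveat are easy to get wrong when a bootstrap is edited by hand. The following check is an added example, not code from Envoy or its documentation: it walks a bootstrap held as a JSON-style dict (Envoy accepts JSON bootstraps as well as YAML), collects the dns_cache_config of every dynamic forward proxy HTTP filter and every dynamic forward proxy cluster, and reports mismatches as errors and a trusted_ca-only tls_context as a warning. The embedded bootstrap is a constructed copy of the page's configuration; the filter and cluster type names are the ones the page uses.

```python
"""Consistency check for an Envoy dynamic forward proxy bootstrap.

Added example; not code from Envoy or its documentation. Rules checked are the
ones stated on this page: the dynamic forward proxy HTTP filter and cluster must
both exist and carry identical dns_cache_config parameters; a cluster tls_context
with trusted_ca verifies the chain but not per-host SNI / subject alt names.
"""
import copy

HCM_FILTER = "envoy.http_connection_manager"
DFP_FILTER = "envoy.filters.http.dynamic_forward_proxy"
DFP_CLUSTER_TYPE = "envoy.clusters.dynamic_forward_proxy"

DNS_CACHE = {"name": "dynamic_forward_proxy_cache_config",
             "dns_lookup_family": "V4_ONLY"}

# Constructed sample: the page's configuration (admin block omitted) as a dict.
SAMPLE_BOOTSTRAP = {"static_resources": {
    "listeners": [{"name": "listener_0", "filter_chains": [{"filters": [{
        "name": HCM_FILTER,
        "typed_config": {
            "stat_prefix": "ingress_http",
            "http_protocol_options": {"allow_absolute_url": True},
            "route_config": {"virtual_hosts": [{"domains": ["*"], "routes": [
                {"match": {"prefix": "/"},
                 "route": {"cluster": "dynamic_forward_proxy_cluster"}}]}]},
            "http_filters": [
                {"name": DFP_FILTER, "config": {"dns_cache_config": dict(DNS_CACHE)}},
                {"name": "envoy.router"}]}}]}]}],
    "clusters": [{
        "name": "dynamic_forward_proxy_cluster",
        "connect_timeout": "1s",
        "lb_policy": "CLUSTER_PROVIDED",
        "cluster_type": {"name": DFP_CLUSTER_TYPE,
                         "typed_config": {"dns_cache_config": dict(DNS_CACHE)}},
        "tls_context": {"common_tls_context": {"validation_context": {
            "trusted_ca": {"filename": "/etc/ssl/certs/ca-certificates.crt"}}}}}]}}


def _filter_body(f):
    """A filter's parameters live under typed_config (Any) or the older config field."""
    return f.get("typed_config") or f.get("config") or {}


def dfp_filter_caches(bootstrap):
    """dns_cache_config of every dynamic forward proxy HTTP filter, across all listeners."""
    caches = []
    for listener in bootstrap.get("static_resources", {}).get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for net_filter in chain.get("filters", []):
                if net_filter.get("name") != HCM_FILTER:
                    continue
                for http_filter in _filter_body(net_filter).get("http_filters", []):
                    if http_filter.get("name") == DFP_FILTER:
                        caches.append(_filter_body(http_filter).get("dns_cache_config", {}))
    return caches


def dfp_clusters(bootstrap):
    """Every cluster whose cluster_type is the dynamic forward proxy type."""
    return [c for c in bootstrap.get("static_resources", {}).get("clusters", [])
            if c.get("cluster_type", {}).get("name") == DFP_CLUSTER_TYPE]


def check_bootstrap(bootstrap):
    """Return (errors, warnings): errors break the filter/cluster pairing, warnings are caveats."""
    errors, warnings = [], []
    filter_caches = dfp_filter_caches(bootstrap)
    clusters = dfp_clusters(bootstrap)
    if not filter_caches:
        errors.append("no dynamic forward proxy HTTP filter found")
    if not clusters:
        errors.append("no dynamic forward proxy cluster found")
    for cluster in clusters:
        name = cluster.get("name", "<unnamed>")
        cluster_cache = cluster["cluster_type"].get("typed_config", {}).get("dns_cache_config", {})
        for fc in filter_caches:
            if fc != cluster_cache:  # name and dns_lookup_family must match exactly
                errors.append(f"{name}: dns_cache_config differs from the HTTP filter's "
                              f"({cluster_cache} vs {fc})")
        validation = (cluster.get("tls_context", {}).get("common_tls_context", {})
                      .get("validation_context", {}))
        if "trusted_ca" in validation:
            warnings.append(f"{name}: chain is verified against trusted_ca, but per-host SNI "
                            "and subject alt name verification are not available")
    return errors, warnings


def with_cluster_cache(bootstrap, dns_cache_config):
    """Constructed negative case: a deep copy whose DFP cluster uses another cache config."""
    modified = copy.deepcopy(bootstrap)
    for cluster in dfp_clusters(modified):
        cluster["cluster_type"]["typed_config"]["dns_cache_config"] = dict(dns_cache_config)
    return modified


if __name__ == "__main__":
    errs, warns = check_bootstrap(SAMPLE_BOOTSTRAP)
    print("errors:", errs)
    print("warnings:", warns)
    bad = with_cluster_cache(SAMPLE_BOOTSTRAP, {**DNS_CACHE, "dns_lookup_family": "V6_ONLY"})
    print("mismatched cluster:", check_bootstrap(bad)[0])
```

Run as-is the page's configuration yields no errors and one warning about trusted_ca; changing only the cluster's dns_lookup_family to V6_ONLY produces a mismatch error, since the filter and cluster would then drive different caches.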

Statistics

The dynamic forward proxy DNS cache outputs statistics in the dns_cache.<dns_cache_name>.* namespace, where <dns_cache_name> is the name given in dns_cache_config (dynamic_forward_proxy_cache_config in the configuration above).

Name                   Type     Description
dns_query_attempt      Counter  Number of DNS query attempts.
dns_query_success      Counter  Number of DNS query successes.
dns_query_failure      Counter  Number of DNS query failures.
host_address_changed   Counter  Number of DNS queries that resulted in a host address change.
host_added             Counter  Number of hosts that have been added to the cache.
host_removed           Counter  Number of hosts that have been removed from the cache.
num_hosts              Gauge    Number of hosts that are currently in the cache.
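The statistics above are what an operator scrapes from the admin endpoint to see whether the proxy's DNS resolution is healthy. The following reader is an added example, not code from Envoy: it pulls the dns_cache.<dns_cache_name>.* lines out of a plain-text /stats dump, computes the DNS failure ratio, and takes deltas between two scrapes while tolerating a counter reset after an Envoy restart. The scrape text is constructed to match the admin endpoint's "name: value" line format; the failure-ratio threshold and the reset handling are assumptions of this example.

```python
"""Read dynamic forward proxy DNS cache stats from an Envoy admin /stats scrape.

Added example, not part of Envoy. The scrape below is constructed; the stat
names are the ones listed on this page, under the cache name the page uses.
"""
import re

# dns_cache.<dns_cache_name>.<stat>: <value>
STAT_LINE = re.compile(r"^dns_cache\.(?P<cache>[^.]+)\.(?P<stat>[a-z_]+): (?P<value>\d+)$")
COUNTERS = ("dns_query_attempt", "dns_query_success", "dns_query_failure",
            "host_address_changed", "host_added", "host_removed")

# Constructed scrape: unrelated stats are interleaved, as in a real /stats dump.
SAMPLE_SCRAPE = """\
cluster.dynamic_forward_proxy_cluster.upstream_cx_total: 41
dns_cache.dynamic_forward_proxy_cache_config.dns_query_attempt: 120
dns_cache.dynamic_forward_proxy_cache_config.dns_query_success: 111
dns_cache.dynamic_forward_proxy_cache_config.dns_query_failure: 9
dns_cache.dynamic_forward_proxy_cache_config.host_address_changed: 3
dns_cache.dynamic_forward_proxy_cache_config.host_added: 37
dns_cache.dynamic_forward_proxy_cache_config.host_removed: 12
dns_cache.dynamic_forward_proxy_cache_config.num_hosts: 25
server.live: 1
"""


def parse_dns_cache_stats(text):
    """Map each DNS cache name to its {stat: value}; lines outside dns_cache.* are ignored."""
    caches = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            caches.setdefault(m["cache"], {})[m["stat"]] = int(m["value"])
    return caches


def counter_deltas(previous, current):
    """Per-counter increase between two scrapes of the same cache.

    Counters only grow, so a value lower than the previous scrape means Envoy
    restarted and the counter started again from zero; the current value is
    then the whole increase since the restart (assumption of this example).
    """
    deltas = {}
    for name in COUNTERS:
        before, after = previous.get(name, 0), current.get(name, 0)
        deltas[name] = after if after < before else after - before
    return deltas


def dns_failure_ratio(stats):
    """Fraction of DNS query attempts that failed; 0.0 when nothing was attempted."""
    attempts = stats.get("dns_query_attempt", 0)
    if attempts == 0:
        return 0.0
    return stats.get("dns_query_failure", 0) / attempts


def assess(stats, max_failure_ratio=0.10):
    """Findings for one cache's stats; an empty list means nothing stands out.

    The 10% threshold is an arbitrary example value, not an Envoy default.
    """
    findings = []
    ratio = dns_failure_ratio(stats)
    if ratio > max_failure_ratio:
        findings.append(f"DNS failure ratio {ratio:.1%} exceeds {max_failure_ratio:.0%}")
    if stats.get("num_hosts", 0) == 0 and stats.get("dns_query_attempt", 0) > 0:
        findings.append("queries were attempted but the cache holds no hosts")
    return findings


if __name__ == "__main__":
    for cache, stats in parse_dns_cache_stats(SAMPLE_SCRAPE).items():
        print(cache, stats)
        print("failure ratio:", f"{dns_failure_ratio(stats):.1%}")
        print("findings:", assess(stats) or "none")
```

In a monitoring job the two scrapes passed to counter_deltas would be consecutive reads of the admin endpoint; rates are then deltas divided by the scrape interval, and the num_hosts gauge is read directly rather than differenced.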