TLS Inspector

The TLS Inspector listener filter detects whether the transport appears to be TLS or plaintext and, if it is TLS, extracts the Server Name Indication (SNI) and/or Application-Layer Protocol Negotiation (ALPN) values sent by the client. These values can then be used to select a FilterChain via the server_names and/or application_protocols fields of a FilterChainMatch.

  • SNI

  • v3 API reference

  • This filter may be configured with the name envoy.filters.listener.tls_inspector or type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector as the type_url.

Example

A sample filter configuration could be:

  listener_filters:
  - name: "envoy.filters.listener.tls_inspector"

Or by specifying the type_url of the typed_config:

  listener_filters:
  - name: "tls_inspector"
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector

Statistics

This filter has a statistics tree rooted at tls_inspector with the following statistics:

  Name                    Type     Description
  connection_closed       Counter  Total connections closed
  client_hello_too_large  Counter  Total unreasonably large Client Hello received
  read_error              Counter  Total read errors
  tls_found               Counter  Total number of times TLS was found
  tls_not_found           Counter  Total number of times TLS was not found
  alpn_found              Counter  Total number of times Application-Layer Protocol Negotiation was successful
  alpn_not_found          Counter  Total number of times Application-Layer Protocol Negotiation has failed
  sni_found               Counter  Total number of times Server Name Indication was found
  sni_not_found           Counter  Total number of times Server Name Indication was not found
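The detection described at the top of this page and the counters in the table above, as an added example that is not Envoy's own implementation: a minimal Python ClientHello parser that classifies a connection's first bytes, pulls out SNI and ALPN, and reports which of the statistics an input would increment. It assumes the whole ClientHello is already buffered in a single record (the real filter waits for more bytes), and MAX_CLIENT_HELLO is a constructed limit, not Envoy's value.

```python
import struct
TLS_HANDSHAKE, CLIENT_HELLO, EXT_SNI, EXT_ALPN = 0x16, 0x01, 0, 16
MAX_CLIENT_HELLO = 16384  # assumed cap; stands in for the filter's own limit, not Envoy's value

def build_client_hello(sni=None, alpn=()):
    """Construct a minimal TLS 1.2 ClientHello record (test input, not captured traffic)."""
    exts = b""
    if sni:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode()   # name_type 0 = host_name
        exts += struct.pack("!HHH", EXT_SNI, len(entry) + 2, len(entry)) + entry
    if alpn:
        lst = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        exts += struct.pack("!HHH", EXT_ALPN, len(lst) + 2, len(lst)) + lst
    body = (b"\x03\x03" + bytes(32) + b"\x00"             # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs

def inspect(data):
    """Classify a connection's first bytes; 'stats' names the counters this input would bump."""
    res = {"tls": False, "sni": None, "alpn": [], "stats": []}
    if len(data) < 6 or data[0] != TLS_HANDSHAKE or data[1] != 3 or data[5] != CLIENT_HELLO:
        res["stats"].append("tls_not_found")       # plaintext (e.g. HTTP) or not a ClientHello
        return res
    rec_len = struct.unpack("!H", data[3:5])[0]
    if rec_len > MAX_CLIENT_HELLO:
        res["stats"].append("client_hello_too_large")
        return res
    hs, res["tls"] = data[5:5 + rec_len], True
    res["stats"].append("tls_found")
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
    p += 1 + hs[p]                                   # compression methods
    p += 2                                           # extensions length; list runs to end of hello
    while p + 4 <= len(hs):                          # walk the extension list
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        body, p = hs[p + 4:p + 4 + elen], p + 4 + elen
        if etype == EXT_SNI and len(body) > 5 and body[2] == 0:
            res["sni"] = body[5:5 + struct.unpack("!H", body[3:5])[0]].decode()
        elif etype == EXT_ALPN:
            q = 2
            while q < len(body):
                res["alpn"].append(body[q + 1:q + 1 + body[q]].decode())
                q += 1 + body[q]
    res["stats"] += ["sni_found" if res["sni"] else "sni_not_found",
                     "alpn_found" if res["alpn"] else "alpn_not_found"]
    return res
```

A plaintext HTTP request lands in tls_not_found, a hello without extensions gives tls_found plus the two not_found counters, and an oversized record length is rejected before any parsing as client_hello_too_large.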