HTTP connection manager

This documentation is for the Envoy v3 API.

As of Envoy v1.18 the v2 API has been removed and is no longer supported.

If you are upgrading from v2 API config you may wish to view the v2 API documentation:

config/filter/network/http_connection_manager/v2/http_connection_manager.proto

This extension may be referenced by the qualified name envoy.filters.network.http_connection_manager

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

HTTP connection manager configuration overview.

extensions.filters.network.http_connection_manager.v3.HttpConnectionManager

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager proto]

  1. {
  2. "codec_type": "...",
  3. "stat_prefix": "...",
  4. "rds": "{...}",
  5. "route_config": "{...}",
  6. "scoped_routes": "{...}",
  7. "http_filters": [],
  8. "add_user_agent": "{...}",
  9. "tracing": "{...}",
  10. "common_http_protocol_options": "{...}",
  11. "http_protocol_options": "{...}",
  12. "http2_protocol_options": "{...}",
  13. "server_name": "...",
  14. "server_header_transformation": "...",
  15. "scheme_header_transformation": "{...}",
  16. "max_request_headers_kb": "{...}",
  17. "stream_idle_timeout": "{...}",
  18. "request_timeout": "{...}",
  19. "request_headers_timeout": "{...}",
  20. "drain_timeout": "{...}",
  21. "delayed_close_timeout": "{...}",
  22. "access_log": [],
  23. "use_remote_address": "{...}",
  24. "xff_num_trusted_hops": "...",
  25. "original_ip_detection_extensions": [],
  26. "internal_address_config": "{...}",
  27. "skip_xff_append": "...",
  28. "via": "...",
  29. "generate_request_id": "{...}",
  30. "preserve_external_request_id": "...",
  31. "always_set_request_id_in_response": "...",
  32. "forward_client_cert_details": "...",
  33. "set_current_client_cert_details": "{...}",
  34. "proxy_100_continue": "...",
  35. "upgrade_configs": [],
  36. "normalize_path": "{...}",
  37. "merge_slashes": "...",
  38. "path_with_escaped_slashes_action": "...",
  39. "request_id_extension": "{...}",
  40. "local_reply_config": "{...}",
  41. "strip_matching_host_port": "...",
  42. "strip_any_host_port": "...",
  43. "stream_error_on_invalid_http_message": "{...}",
  44. "strip_trailing_host_dot": "..."
  45. }

codec_type

(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType) Supplies the type of codec that the connection manager should use.

stat_prefix

(string, REQUIRED) The human readable prefix to use when emitting statistics for the connection manager. See the statistics documentation for more information.

rds

(extensions.filters.network.http_connection_manager.v3.Rds) The connection manager’s route table will be dynamically loaded via the RDS API.

Precisely one of rds, route_config, scoped_routes must be set.

route_config

(config.route.v3.RouteConfiguration) The route table for the connection manager is static and is specified in this property.

Precisely one of rds, route_config, scoped_routes must be set.

scoped_routes

(extensions.filters.network.http_connection_manager.v3.ScopedRoutes) A route table will be dynamically assigned to each request based on request attributes (e.g., the value of a header). The “routing scopes” (i.e., route tables) and “scope keys” are specified in this message.

Precisely one of rds, route_config, scoped_routes must be set.

http_filters

(repeated extensions.filters.network.http_connection_manager.v3.HttpFilter) A list of individual HTTP filters that make up the filter chain for requests made to the connection manager. Order matters as the filters are processed sequentially as request events happen.

add_user_agent

(BoolValue) Whether the connection manager manipulates the user-agent and x-envoy-downstream-service-cluster headers. See the linked documentation for more information. Defaults to false.

tracing

(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing) Presence of the object defines whether the connection manager emits tracing data to the configured tracing provider.

common_http_protocol_options

(config.core.v3.HttpProtocolOptions) Additional settings for HTTP requests handled by the connection manager. These will be applicable to both HTTP1 and HTTP2 requests.

Attention

This field should be configured in the presence of untrusted downstreams.

Example configuration for untrusted environments:

  1. common_http_protocol_options:
  2. headers_with_underscores_action: REJECT_REQUEST
  3. idle_timeout: 900s

http_protocol_options

(config.core.v3.Http1ProtocolOptions) Additional HTTP/1 settings that are passed to the HTTP/1 codec.

http2_protocol_options

(config.core.v3.Http2ProtocolOptions) Additional HTTP/2 settings that are passed directly to the HTTP/2 codec.

Attention

This field should be configured in the presence of untrusted downstreams.

Example configuration for untrusted environments:

  1. http2_protocol_options:
  2. initial_connection_window_size: 1048576.0
  3. initial_stream_window_size: 65536.0
  4. max_concurrent_streams: 100.0

server_name

(string) An optional override that the connection manager will write to the server header in responses. If not set, the default is envoy.

server_header_transformation

(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation) Defines the action to be applied to the Server header on the response path. By default, Envoy will overwrite the header with the value specified in server_name.

scheme_header_transformation

(config.core.v3.SchemeHeaderTransformation) Allows for explicit transformation of the :scheme header on the request path. If not set, Envoy’s default scheme handling applies.

max_request_headers_kb

(UInt32Value) The maximum request headers size for incoming connections. If unconfigured, the default max request headers allowed is 60 KiB. Requests that exceed this limit will receive a 431 response.

stream_idle_timeout

(Duration) The stream idle timeout for connections managed by the connection manager. If not specified, this defaults to 5 minutes. The default value was selected so as not to interfere with any smaller configured timeouts that may have existed in configurations prior to the introduction of this feature, while introducing robustness to TCP connections that terminate without a FIN.

This idle timeout applies to new streams and is overridable by the route-level idle_timeout. Even on a stream in which the override applies, prior to receipt of the initial request headers, the stream_idle_timeout applies. Each time an encode/decode event for headers or data is processed for the stream, the timer will be reset. If the timeout fires, the stream is terminated with a 408 Request Timeout error code if no upstream response header has been received, otherwise a stream reset occurs.

This timeout also specifies the amount of time that Envoy will wait for the peer to open enough window to write any remaining stream data once the entirety of stream data (local end stream is true) has been buffered pending available window. In other words, this timeout defends against a peer that does not release enough window to completely write the stream, even though all data has been proxied within available flow control windows. If the timeout is hit in this case, the tx_flush_timeout counter will be incremented. Note that max_stream_duration does not apply to this corner case.

If the overload action “envoy.overload_actions.reduce_timeouts” is configured, this timeout is scaled according to the value for HTTP_DOWNSTREAM_STREAM_IDLE.

Note that it is possible to idle timeout even if the wire traffic for a stream is non-idle, due to the granularity of events presented to the connection manager. For example, while receiving very large request headers, it may be the case that there is traffic regularly arriving on the wire while the connection manage is only able to observe the end-of-headers event, hence the stream may still idle timeout.

A value of 0 will completely disable the connection manager stream idle timeout, although per-route idle timeout overrides will continue to apply.

Attention

This field should be configured in the presence of untrusted downstreams.

Example configuration for untrusted environments:

  1. stream_idle_timeout: 300s

request_timeout

(Duration) The amount of time that Envoy will wait for the entire request to be received. The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent upstream (i.e. all decoding filters have processed the request), OR when the response is initiated. If not specified or set to 0, this timeout is disabled.

Attention

This field should be configured in the presence of untrusted downstreams.

This timeout is not compatible with streaming requests.

Example configuration for untrusted environments:

  1. request_timeout: 300s

request_headers_timeout

(Duration) The amount of time that Envoy will wait for the request headers to be received. The timer is activated when the first byte of the headers is received, and is disarmed when the last byte of the headers has been received. If not specified or set to 0, this timeout is disabled.

Attention

This field should be configured in the presence of untrusted downstreams.

Example configuration for untrusted environments:

  1. request_headers_timeout: 10s

drain_timeout

(Duration) The time that Envoy will wait between sending an HTTP/2 “shutdown notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame. This is used so that Envoy provides a grace period for new streams that race with the final GOAWAY frame. During this grace period, Envoy will continue to accept new streams. After the grace period, a final GOAWAY frame is sent and Envoy will start refusing new streams. Draining occurs both when a connection hits the idle timeout or during general server draining. The default grace period is 5000 milliseconds (5 seconds) if this option is not specified.

delayed_close_timeout

(Duration) The delayed close timeout is for downstream connections managed by the HTTP connection manager. It is defined as a grace period after connection close processing has been locally initiated during which Envoy will wait for the peer to close (i.e., a TCP FIN/RST is received by Envoy from the downstream connection) prior to Envoy closing the socket associated with that connection. NOTE: This timeout is enforced even when the socket associated with the downstream connection is pending a flush of the write buffer. However, any progress made writing data to the socket will restart the timer associated with this timeout. This means that the total grace period for a socket in this state will be <total_time_waiting_for_write_buffer_flushes>+<delayed_close_timeout>.

Delaying Envoy’s connection close and giving the peer the opportunity to initiate the close sequence mitigates a race condition that exists when downstream clients do not drain/process data in a connection’s receive buffer after a remote close has been detected via a socket write(). This race leads to such clients failing to process the response code sent by Envoy, which could result in erroneous downstream processing.

If the timeout triggers, Envoy will close the connection’s socket.

The default timeout is 1000 ms if this option is not specified.

Note

To be useful in avoiding the race condition described above, this timeout must be set to at least <max round trip time expected between clients and Envoy>+<100ms to account for a reasonable “worst” case processing time for a full iteration of Envoy’s event loop>.

Warning

A value of 0 will completely disable delayed close processing. When disabled, the downstream connection’s socket will be closed immediately after the write flush is completed or will never close if the write flush does not complete.

access_log

(repeated config.accesslog.v3.AccessLog) Configuration for HTTP access logs emitted by the connection manager.

use_remote_address

(BoolValue) If set to true, the connection manager will use the real remote address of the client connection when determining internal versus external origin and manipulating various headers. If set to false or absent, the connection manager will use the x-forwarded-for HTTP header. See the documentation for x-forwarded-for, x-envoy-internal, and x-envoy-external-address for more information.

Attention

This field should be configured in the presence of untrusted downstreams.

Example configuration for untrusted environments:

  1. use_remote_address: true

xff_num_trusted_hops

(uint32) The number of additional ingress proxy hops from the right side of the x-forwarded-for HTTP header to trust when determining the origin client’s IP address. The default is zero if this option is not specified. See the documentation for x-forwarded-for for more information.

original_ip_detection_extensions

(repeated config.core.v3.TypedExtensionConfig) The configuration for the original IP detection extensions.

When configured the extensions will be called along with the request headers and information about the downstream connection, such as the directly connected address. Each extension will then use these parameters to decide the request’s effective remote address. If an extension fails to detect the original IP address and isn’t configured to reject the request, the HCM will try the remaining extensions until one succeeds or rejects the request. If the request isn’t rejected nor any extension succeeds, the HCM will fallback to using the remote address.

Warning

Extensions cannot be used in conjunction with use_remote_address nor xff_num_trusted_hops.

Tip

This extension category has the following known extensions:

internal_address_config

(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig) Configures what network addresses are considered internal for stats and header sanitation purposes. If unspecified, only RFC1918 IP addresses will be considered internal. See the documentation for x-envoy-internal for more information about internal/external addresses.

skip_xff_append

(bool) If set, Envoy will not append the remote address to the x-forwarded-for HTTP header. This may be used in conjunction with HTTP filters that explicitly manipulate XFF after the HTTP connection manager has mutated the request headers. While use_remote_address will also suppress XFF addition, it has consequences for logging and other Envoy uses of the remote address, so skip_xff_append should be used when only an elision of XFF addition is intended.

via

(string) Via header value to append to request and response headers. If this is empty, no via header will be appended.

generate_request_id

(BoolValue) Whether the connection manager will generate the x-request-id header if it does not exist. This defaults to true. Generating a random UUID4 is expensive so in high throughput scenarios where this feature is not desired it can be disabled.

preserve_external_request_id

(bool) Whether the connection manager will keep the x-request-id header if passed for a request that is edge (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour. This defaults to false.

always_set_request_id_in_response

(bool) If set, Envoy will always set x-request-id header in response. If this is false or not set, the request ID is returned in responses only if tracing is forced using x-envoy-force-trace header.

forward_client_cert_details

(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails) How to handle the x-forwarded-client-cert (XFCC) HTTP header.

set_current_client_cert_details

(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails) This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in the client certificate to be forwarded. Note that in the x-forwarded-client-cert header, Hash is always set, and By is always set when the client certificate presents the URI type Subject Alternative Name value.

proxy_100_continue

(bool) If proxy_100_continue is true, Envoy will proxy incoming “Expect: 100-continue” headers upstream, and forward “100 Continue” responses downstream. If this is false or not set, Envoy will instead strip the “Expect: 100-continue” header, and send a “100 Continue” response itself.

upgrade_configs

(repeated extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig)

normalize_path

(BoolValue) Should paths be normalized according to RFC 3986 before any processing of requests by HTTP filters or routing? This affects the upstream :path header as well. For paths that fail this check, Envoy will respond with 400 to paths that are malformed. This defaults to false currently but will default true in the future. When not specified, this value may be overridden by the runtime variable http_connection_manager.normalize_path. See Normalization and Comparison for details of normalization. Note that Envoy does not perform case normalization

merge_slashes

(bool) Determines if adjacent slashes in the path are merged into one before any processing of requests by HTTP filters or routing. This affects the upstream :path header as well. Without setting this option, incoming requests with path //dir///file will not match against route with prefix match set to /dir. Defaults to false. Note that slash merging is not part of HTTP spec and is provided for convenience.

path_with_escaped_slashes_action

(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathWithEscapedSlashesAction) Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). The default value can be overridden by the http_connection_manager.path_with_escaped_slashes_action runtime variable. The http_connection_manager.path_with_escaped_slashes_action_sampling runtime variable can be used to apply the action to a portion of all requests.

request_id_extension

(extensions.filters.network.http_connection_manager.v3.RequestIDExtension) The configuration of the request ID extension. This includes operations such as generation, validation, and associated tracing operations. If empty, the UuidRequestIdConfig default extension is used with default parameters. See the documentation for that extension for details on what it does. Customizing the configuration for the default extension can be achieved by configuring it explicitly here. For example, to disable trace reason packing, the following configuration can be used:

  1. typed_config:
  2. "@type": type.googleapis.com/envoy.extensions.request_id.uuid.v3.UuidRequestIdConfig
  3. pack_trace_reason: false

Tip

This extension category has the following known extensions:

local_reply_config

(extensions.filters.network.http_connection_manager.v3.LocalReplyConfig) The configuration to customize local reply returned by Envoy. It can customize status code, body text and response content type. If not specified, status code and text body are hard coded in Envoy, the response content type is plain text.

strip_matching_host_port

(bool) Determines if the port part should be removed from host/authority header before any processing of request by HTTP filters or routing. The port would be removed only if it is equal to the listener’s local port. This affects the upstream host header unless the method is CONNECT in which case if no filter adds a port the original port will be restored before headers are sent upstream. Without setting this option, incoming requests with host example:443 will not match against route with domains match set to example. Defaults to false. Note that port removal is not part of HTTP spec and is provided for convenience. Only one of strip_matching_host_port or strip_any_host_port can be set.

strip_any_host_port

(bool) Determines if the port part should be removed from host/authority header before any processing of request by HTTP filters or routing. This affects the upstream host header unless the method is CONNECT in which case if no filter adds a port the original port will be restored before headers are sent upstream. Without setting this option, incoming requests with host example:443 will not match against route with domains match set to example. Defaults to false. Note that port removal is not part of HTTP spec and is provided for convenience. Only one of strip_matching_host_port or strip_any_host_port can be set.

stream_error_on_invalid_http_message

(BoolValue) Governs Envoy’s behavior when receiving invalid HTTP from downstream. If this option is false (default), Envoy will err on the conservative side handling HTTP errors, terminating both HTTP/1.1 and HTTP/2 connections when receiving an invalid request. If this option is set to true, Envoy will be more permissive, only resetting the invalid stream in the case of HTTP/2 and leaving the connection open where possible (if the entire request is read for HTTP/1.1) In general this should be true for deployments receiving trusted traffic (L2 Envoys, company-internal mesh) and false when receiving untrusted traffic (edge deployments).

If different behaviors for invalid_http_message for HTTP/1 and HTTP/2 are desired, one should use the new HTTP/1 option override_stream_error_on_invalid_http_message or the new HTTP/2 option override_stream_error_on_invalid_http_message not the deprecated but similarly named stream_error_on_invalid_http_messaging

strip_trailing_host_dot

(bool) Determines if trailing dot of the host should be removed from host/authority header before any processing of request by HTTP filters or routing. This affects the upstream host header. Without setting this option, incoming requests with host example.com. will not match against route with domains match set to example.com. Defaults to false. When the incoming request contains a host/authority header that includes a port number, setting this option will strip a trailing dot, if present, from the host section, leaving the port as is (e.g. host value example.com.:443 will be updated to example.com:443).

extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing proto]

  1. {
  2. "client_sampling": "{...}",
  3. "random_sampling": "{...}",
  4. "overall_sampling": "{...}",
  5. "verbose": "...",
  6. "max_path_tag_length": "{...}",
  7. "custom_tags": [],
  8. "provider": "{...}"
  9. }

client_sampling

(type.v3.Percent) Target percentage of requests managed by this HTTP connection manager that will be force traced if the x-client-trace-id header is set. This field is a direct analog for the runtime variable ‘tracing.client_sampling’ in the HTTP Connection Manager. Default: 100%

random_sampling

(type.v3.Percent) Target percentage of requests managed by this HTTP connection manager that will be randomly selected for trace generation, if not requested by the client or not forced. This field is a direct analog for the runtime variable ‘tracing.random_sampling’ in the HTTP Connection Manager. Default: 100%

overall_sampling

(type.v3.Percent) Target percentage of requests managed by this HTTP connection manager that will be traced after all other sampling checks have been applied (client-directed, force tracing, random sampling). This field functions as an upper limit on the total configured sampling rate. For instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% of client requests with the appropriate headers to be force traced. This field is a direct analog for the runtime variable ‘tracing.global_enabled’ in the HTTP Connection Manager. Default: 100%

verbose

(bool) Whether to annotate spans with additional data. If true, spans will include logs for stream events.

max_path_tag_length

(UInt32Value) Maximum length of the request path to extract and include in the HttpUrl tag. Used to truncate lengthy request paths to meet the needs of a tracing backend. Default: 256

custom_tags

(repeated type.tracing.v3.CustomTag) A list of custom tags with unique tag name to create tags for the active span.

provider

(config.trace.v3.Tracing.Http) Configuration for an external tracing provider. If not specified, no tracing will be performed.

Attention

Please be aware that envoy.tracers.opencensus provider can only be configured once in Envoy lifetime. Any attempts to reconfigure it or to use different configurations for different HCM filters will be rejected. Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes on OpenCensus side.

Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.OperationName

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.OperationName proto]

INGRESS

(DEFAULT) ⁣The HTTP listener is used for ingress/incoming requests.

EGRESS

⁣The HTTP listener is used for egress/outgoing requests.

extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig proto]

  1. {
  2. "unix_sockets": "..."
  3. }

unix_sockets

(bool) Whether unix socket addresses should be considered internal.

extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.SetCurrentClientCertDetails proto]

  1. {
  2. "subject": "{...}",
  3. "cert": "...",
  4. "chain": "...",
  5. "dns": "...",
  6. "uri": "..."
  7. }

subject

(BoolValue) Whether to forward the subject of the client cert. Defaults to false.

cert

(bool) Whether to forward the entire client cert in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Cert=”PEM”. Defaults to false.

chain

(bool) Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format. This will appear in the XFCC header comma separated from other values with the value Chain=”PEM”. Defaults to false.

dns

(bool) Whether to forward the DNS type Subject Alternative Names of the client cert. Defaults to false.

uri

(bool) Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to false.

extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.UpgradeConfig proto]

The configuration for HTTP upgrades. For each upgrade type desired, an UpgradeConfig must be added.

Warning

The current implementation of upgrade headers does not handle multi-valued upgrade headers. Support for multi-valued headers may be added in the future if needed.

Warning

The current implementation of upgrade headers does not work with HTTP/2 upstreams.

  1. {
  2. "upgrade_type": "...",
  3. "filters": [],
  4. "enabled": "{...}"
  5. }

upgrade_type

(string) The case-insensitive name of this upgrade, e.g. “websocket”. For each upgrade type present in upgrade_configs, requests with Upgrade: [upgrade_type] will be proxied upstream.

filters

(repeated extensions.filters.network.http_connection_manager.v3.HttpFilter) If present, this represents the filter chain which will be created for this type of upgrade. If no filters are present, the filter chain for HTTP connections will be used for this upgrade type.

enabled

(BoolValue) Determines if upgrades are enabled or disabled by default. Defaults to true. This can be overridden on a per-route basis with cluster as documented in the upgrade documentation.

Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.CodecType proto]

AUTO

(DEFAULT) ⁣For every new connection, the connection manager will determine which codec to use. This mode supports both ALPN for TLS listeners as well as protocol inference for plaintext listeners. If ALPN data is available, it is preferred, otherwise protocol inference is used. In almost all cases, this is the right option to choose for this setting.

HTTP1

⁣The connection manager will assume that the client is speaking HTTP/1.1.

HTTP2

⁣The connection manager will assume that the client is speaking HTTP/2 (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. Prior knowledge is allowed).

Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ServerHeaderTransformation proto]

OVERWRITE

(DEFAULT) ⁣Overwrite any Server header with the contents of server_name.

APPEND_IF_ABSENT

⁣If no Server header is present, append Server server_name If a Server header is present, pass it through.

PASS_THROUGH

⁣Pass through the value of the server header, and do not append a header if none is present.

Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails proto]

How to handle the x-forwarded-client-cert (XFCC) HTTP header.

SANITIZE

(DEFAULT) ⁣Do not send the XFCC header to the next hop. This is the default value.

FORWARD_ONLY

⁣When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request.

APPEND_FORWARD

⁣When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it.

SANITIZE_SET

⁣When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.

ALWAYS_FORWARD_ONLY

⁣Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.

Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathWithEscapedSlashesAction

[extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathWithEscapedSlashesAction proto]

Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path. This operation occurs before URL normalization and the merge slashes transformations if they were enabled.

IMPLEMENTATION_SPECIFIC_DEFAULT

(DEFAULT) ⁣Default behavior specific to implementation (i.e. Envoy) of this configuration option. Envoy, by default, takes the KEEP_UNCHANGED action. NOTE: the implementation may change the default behavior at-will.

KEEP_UNCHANGED

⁣Keep escaped slashes.

REJECT_REQUEST

⁣Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. The “httpN.downstream_rq_failed_path_normalization” counter is incremented for each rejected request.

UNESCAPE_AND_REDIRECT

⁣Unescape %2F and %5C sequences and redirect request to the new path if these sequences were present. Redirect occurs after path normalization and merge slashes transformations if they were configured. NOTE: gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented for each redirected request.

UNESCAPE_AND_FORWARD

⁣Unescape %2F and %5C sequences. Note: this option should not be enabled if intermediaries perform path based access control as it may lead to path confusion vulnerabilities.

extensions.filters.network.http_connection_manager.v3.LocalReplyConfig

[extensions.filters.network.http_connection_manager.v3.LocalReplyConfig proto]

The configuration to customize local reply returned by Envoy.

  1. {
  2. "mappers": [],
  3. "body_format": "{...}"
  4. }

mappers

(repeated extensions.filters.network.http_connection_manager.v3.ResponseMapper) Configuration of list of mappers which allows to filter and change local response. The mappers will be checked by the specified order until one is matched.

body_format

(config.core.v3.SubstitutionFormatString) The configuration to form response body from the command operators and to specify response content type as one of: plain/text or application/json.

Example one: “plain/text” body_format.

  1. text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n"

The following response body in “plain/text” format will be generated for a request with local reply body of “upstream connection error”, response_code=503 and path=/foo.

  1. upstream connect error:503:path=/foo

Example two: “application/json” body_format.

  1. json_format:
  2. status: "%RESPONSE_CODE%"
  3. message: "%LOCAL_REPLY_BODY%"
  4. path: "%REQ(:path)%"

The following response body in “application/json” format would be generated for a request with local reply body of “upstream connection error”, response_code=503 and path=/foo.

  1. {
  2. "status": 503,
  3. "message": "upstream connection error",
  4. "path": "/foo"
  5. }

extensions.filters.network.http_connection_manager.v3.ResponseMapper

[extensions.filters.network.http_connection_manager.v3.ResponseMapper proto]

The configuration to filter and change local response.

  1. {
  2. "filter": "{...}",
  3. "status_code": "{...}",
  4. "body": "{...}",
  5. "body_format_override": "{...}",
  6. "headers_to_add": []
  7. }

filter

(config.accesslog.v3.AccessLogFilter, REQUIRED) Filter to determine if this mapper should apply.

status_code

(UInt32Value) The new response status code if specified.

body

(config.core.v3.DataSource) The new local reply body text if specified. It will be used in the %LOCAL_REPLY_BODY% command operator in the body_format.

body_format_override

(config.core.v3.SubstitutionFormatString) A per mapper body_format to override the body_format. It will be used when this mapper is matched.

headers_to_add

(repeated config.core.v3.HeaderValueOption) HTTP headers to add to a local reply. This allows the response mapper to append, to add or to override headers of any local reply before it is sent to a downstream client.

extensions.filters.network.http_connection_manager.v3.Rds

[extensions.filters.network.http_connection_manager.v3.Rds proto]

  1. {
  2. "config_source": "{...}",
  3. "route_config_name": "..."
  4. }

config_source

(config.core.v3.ConfigSource, REQUIRED) Configuration source specifier for RDS.

route_config_name

(string) The name of the route configuration. This name will be passed to the RDS API. This allows an Envoy configuration with multiple HTTP listeners (and associated HTTP connection manager filters) to use different route configurations.

extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList

[extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList proto]

This message is used to work around the limitations with ‘oneof’ and repeated fields.

  1. {
  2. "scoped_route_configurations": []
  3. }

scoped_route_configurations

(repeated config.route.v3.ScopedRouteConfiguration, REQUIRED)

extensions.filters.network.http_connection_manager.v3.ScopedRoutes

[extensions.filters.network.http_connection_manager.v3.ScopedRoutes proto]

  1. {
  2. "name": "...",
  3. "scope_key_builder": "{...}",
  4. "rds_config_source": "{...}",
  5. "scoped_route_configurations_list": "{...}",
  6. "scoped_rds": "{...}"
  7. }

name

(string, REQUIRED) The name assigned to the scoped routing configuration.

scope_key_builder

(extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder, REQUIRED) The algorithm to use for constructing a scope key for each request.

rds_config_source

(config.core.v3.ConfigSource, REQUIRED) Configuration source specifier for RDS. This config source is used to subscribe to RouteConfiguration resources specified in ScopedRouteConfiguration messages.

scoped_route_configurations_list

(extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList) The set of routing scopes corresponding to the HCM. A scope is assigned to a request by matching a key constructed from the request’s attributes according to the algorithm specified by the ScopeKeyBuilder in this message.

Precisely one of scoped_route_configurations_list, scoped_rds must be set.

scoped_rds

(extensions.filters.network.http_connection_manager.v3.ScopedRds) The set of routing scopes associated with the HCM will be dynamically loaded via the SRDS API. A scope is assigned to a request by matching a key constructed from the request’s attributes according to the algorithm specified by the ScopeKeyBuilder in this message.

Precisely one of scoped_route_configurations_list, scoped_rds must be set.

extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder

[extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder proto]

Specifies the mechanism for constructing “scope keys” based on HTTP request attributes. These keys are matched against a set of Key objects assembled from ScopedRouteConfiguration messages distributed via SRDS (the Scoped Route Discovery Service) or assigned statically via scoped_route_configurations_list.

Upon receiving a request’s headers, the Router will build a key using the algorithm specified by this message. This key will be used to look up the routing table (i.e., the RouteConfiguration) to use for the request.

  1. {
  2. "fragments": []
  3. }

fragments

(repeated extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder, REQUIRED) The final(built) scope key consists of the ordered union of these fragments, which are compared in order with the fragments of a ScopedRouteConfiguration. A missing fragment during comparison will make the key invalid, i.e., the computed key doesn’t match any key.

extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder

[extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder proto]

Specifies the mechanism for constructing key fragments which are composed into scope keys.

  1. {
  2. "header_value_extractor": "{...}"
  3. }

header_value_extractor

(extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor, REQUIRED) Specifies how a header field’s value should be extracted.

extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor

[extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor proto]

Specifies how the value of a header should be extracted. The following example maps the structure of a header to the fields in this message.

  1. <0> <1> <-- index
  2. X-Header: a=b;c=d
  3. | || |
  4. | || \----> <element_separator>
  5. | ||
  6. | |\----> <element.separator>
  7. | |
  8. | \----> <element.key>
  9. |
  10. \----> <name>
  11. Each 'a=b' key-value pair constitutes an 'element' of the header field.
  1. {
  2. "name": "...",
  3. "element_separator": "...",
  4. "index": "...",
  5. "element": "{...}"
  6. }

name

(string, REQUIRED) The name of the header field to extract the value from.

Note

If the header appears multiple times only the first value is used.

element_separator

(string) The element separator (e.g., ‘;’ separates ‘a;b;c;d’). Default: empty string. This causes the entirety of the header field to be extracted. If this field is set to an empty string and ‘index’ is used in the oneof below, ‘index’ must be set to 0.

index

(uint32) Specifies the zero based index of the element to extract. Note Envoy concatenates multiple values of the same header key into a comma separated string, the splitting always happens after the concatenation.

Only one of index, element may be set.

element

(extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement) Specifies the key value pair to extract the value from.

Only one of index, element may be set.

extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement

[extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement proto]

Specifies a header field’s key value pair to match on.

  1. {
  2. "separator": "...",
  3. "key": "..."
  4. }

separator

(string, REQUIRED) The separator between key and value (e.g., ‘=’ separates ‘k=v;…’). If an element is an empty string, the element is ignored. If an element contains no separator, the whole element is parsed as key and the fragment value is an empty string. If there are multiple values for a matched key, the first value is returned.

key

(string, REQUIRED) The key to match on.

extensions.filters.network.http_connection_manager.v3.ScopedRds

[extensions.filters.network.http_connection_manager.v3.ScopedRds proto]

  1. {
  2. "scoped_rds_config_source": "{...}"
  3. }

scoped_rds_config_source

(config.core.v3.ConfigSource, REQUIRED) Configuration source specifier for scoped RDS.

extensions.filters.network.http_connection_manager.v3.HttpFilter

[extensions.filters.network.http_connection_manager.v3.HttpFilter proto]

  1. {
  2. "name": "...",
  3. "typed_config": "{...}",
  4. "config_discovery": "{...}",
  5. "is_optional": "..."
  6. }

name

(string, REQUIRED) The name of the filter configuration. The name is used as a fallback to select an extension if the type of the configuration proto is not sufficient. It also serves as a resource name in ExtensionConfigDS.

typed_config

(Any) Filter specific configuration which depends on the filter being instantiated. See the supported filters for further documentation.

To support configuring a match tree, use an ExtensionWithMatcher with the desired HTTP filter.

Tip

This extension category has the following known extensions:

The following extensions are available in contrib images only:

Only one of typed_config, config_discovery may be set.

config_discovery

(config.core.v3.ExtensionConfigSource) Configuration source specifier for an extension configuration discovery service. In case of a failure and without the default configuration, the HTTP listener responds with code 500. Extension configs delivered through this mechanism are not expected to require warming (see https://github.com/envoyproxy/envoy/issues/12061).

To support configuring a match tree, use an ExtensionWithMatcher with the desired HTTP filter. This works for both the default filter configuration as well as for filters provided via the API.

Only one of typed_config, config_discovery may be set.

is_optional

(bool) If true, clients that do not support this filter may ignore the filter but otherwise accept the config. Otherwise, clients that do not support this filter must reject the config. This is also same with typed per filter config.

extensions.filters.network.http_connection_manager.v3.RequestIDExtension

[extensions.filters.network.http_connection_manager.v3.RequestIDExtension proto]

  1. {
  2. "typed_config": "{...}"
  3. }

typed_config

(Any) Request ID extension specific configuration.

extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager

[extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager proto]

HTTP connection manager for use in Envoy mobile.

This extension may be referenced by the qualified name envoy.filters.network.envoy_mobile_http_connection_manager

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

  1. {
  2. "config": "{...}"
  3. }

config

(extensions.filters.network.http_connection_manager.v3.HttpConnectionManager) The configuration for the underlying HttpConnectionManager which will be instantiated for Envoy mobile.