TLS Inspector

TLS Inspector listener filter allows detecting whether the transport appears to be TLS or plaintext, and if it is TLS, it detects the Server Name Indication and/or Application-Layer Protocol Negotiation from the client. This can be used to select a FilterChain via the server_names and/or application_protocols of a FilterChainMatch.

  • SNI
  • v2 API reference
  • This filter should be configured with the name envoy.listener.tls_inspector.

Example

A sample filter configuration could be:

  1. listener_filters:
  2. - name: "envoy.listener.tls_inspector"
  3. config: {}

Statistics

This filter has statistics rooted at tls_inspector with the following statistics:

NameTypeDescription
connection_closedCounterTotal connections closed
client_hello_too_largeCounterTotal unreasonably large Client Hello received
read_errorCounterTotal read errors
tls_foundCounterTotal number of times TLS was found
tls_not_foundCounterTotal number of times TLS was not found
alpn_foundCounterTotal number of times Application-Layer Protocol Negotiation was successful
alpn_not_foundCounterTotal number of times Application-Layer Protocol Negotiation has failed
sni_foundCounterTotal number of times Server Name Indication was found
sni_not_foundCounterTotal number of times Server Name Indication was not found