// Copyright 2020 The gRPC Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Local copy of Envoy xDS proto file, used for testing only.
//
// This is a trimmed mirror of the upstream Envoy `listener.proto`. It is a
// wire contract: field numbers, names and `reserved` ranges must stay in sync
// with upstream so that messages produced by the test control plane decode the
// same way the real xDS client decodes them. Do not renumber, reuse reserved
// numbers, or "tidy up" enum values here. Upstream doc annotations such as
// `[#next-free-field: N]` are copied verbatim and may be stale in this subset.

syntax = "proto3";

package envoy.config.listener.v3;

import "src/proto/grpc/testing/xds/v3/address.proto";
import "src/proto/grpc/testing/xds/v3/base.proto";

import "google/protobuf/any.proto";
import "google/protobuf/wrappers.proto";

// [#protodoc-title: Listener configuration]
// Listener :ref:`configuration overview <config_listeners>`

// Describes a type of API listener, which is used in non-proxy clients. The type of API
// exposed to the non-proxy application depends on the type of API listener.
message ApiListener {
  // The type in this field determines the type of API listener. At present, the following
  // types are supported:
  // envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager (HTTP)
  //
  // NOTE(review): the type name above is the v2 name carried over from upstream's comment;
  // the v3 client presumably expects the v3 HttpConnectionManager type URL — confirm against
  // the xDS client's type_url check before relying on this comment.
  //
  // Security note: this is a `google.protobuf.Any` received from the control plane. The
  // receiver must compare `type_url` against the set of listener types it supports before
  // unpacking, and reject (NACK) anything else rather than silently ignoring it.
  //
  // [#next-major-version: In the v3 API, replace this Any field with a oneof containing the
  // specific config message for each type of API listener. We could not do this in v2 because
  // it would have caused circular dependencies for go protos: lds.proto depends on this file,
  // and http_connection_manager.proto depends on rds.proto, which is in the same directory as
  // lds.proto, so lds.proto cannot depend on this file.]
  google.protobuf.Any api_listener = 1;
}

// A single network filter entry in a filter chain.
message Filter {
  // Field 3 was removed upstream (presumably the legacy untyped config — verify against the
  // upstream history). It is reserved so the number can never be reassigned to a field with
  // different semantics; old writers may still emit it and it must keep decoding as unknown.
  reserved 3;

  // The name of the filter to instantiate. The name must match a
  // :ref:`supported filter <config_network_filters>`.
  string name = 1;

  // [#extension-category: envoy.filters.network]
  oneof config_type {
    // Filter specific configuration which depends on the filter being
    // instantiated. See the supported filters for further documentation.
    //
    // Security note: as with `ApiListener.api_listener`, this `Any` comes from the control
    // plane; check `type_url` against an allowlist of filter config types before unpacking.
    google.protobuf.Any typed_config = 4;
  }
}

// Match criteria used to pick a FilterChain for an incoming connection.
// Every criterion is optional; an unset criterion places no constraint on the
// connection (see the per-field comments for what "unset" means for each one).
message FilterChainMatch {
  enum ConnectionSourceType {
    // Any connection source matches.
    //
    // This is the proto3 zero value, so a FilterChainMatch that never sets
    // `source_type` matches connections from every source. If a chain is meant to
    // be reachable only locally, `SAME_IP_OR_LOOPBACK` must be set explicitly.
    ANY = 0;

    // Match a connection originating from the same host.
    SAME_IP_OR_LOOPBACK = 1;

    // Match a connection originating from a different host.
    EXTERNAL = 2;
  }

  // Field 1 was removed upstream; reserved so it is never reused.
  reserved 1;

  // Optional destination port to consider when use_original_dst is set on the
  // listener in determining a filter chain match.
  // Wrapper type gives explicit presence: unset (not 0) means "no port constraint".
  google.protobuf.UInt32Value destination_port = 8;

  // If non-empty, an IP address and prefix length to match addresses when the
  // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
  repeated core.v3.CidrRange prefix_ranges = 3;

  // Specifies the connection source IP match type. Can be any, local or external network.
  ConnectionSourceType source_type = 12;

  // The criteria is satisfied if the source IP address of the downstream
  // connection is contained in at least one of the specified subnets. If the
  // parameter is not specified or the list is empty, the source IP address is
  // ignored.
  repeated core.v3.CidrRange source_prefix_ranges = 6;

  // The criteria is satisfied if the source port of the downstream connection
  // is contained in at least one of the specified ports. If the parameter is
  // not specified, the source port is ignored.
  repeated uint32 source_ports = 7;

  // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
  // a filter chain match. Those values will be compared against the server names of a new
  // connection, when detected by one of the listener filters.
  //
  // The server name will be matched against all wildcard domains, i.e. ``www.example.com``
  // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.
  //
  // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
  //
  // NOTE(review): the server name is whatever the connecting client sent in its ClientHello;
  // it is not authenticated at match time, so it is a routing hint, not an authorization
  // signal. Authorization must come from the selected chain's transport socket / filters.
  //
  // .. attention::
  //
  //   See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
  //   information.
  repeated string server_names = 11;

  // If non-empty, a transport protocol to consider when determining a filter chain match.
  // This value will be compared against the transport protocol of a new connection, when
  // it's detected by one of the listener filters.
  //
  // Suggested values include:
  //
  // * ``raw_buffer`` - default, used when no transport protocol is detected,
  // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
  //   when TLS protocol is detected.
  //
  // Leaving this empty means the chain does not discriminate on transport protocol, so a
  // chain intended only for TLS connections should set ``tls`` explicitly rather than rely
  // on the match being implied by other criteria.
  string transport_protocol = 9;

  // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when
  // determining a filter chain match. Those values will be compared against the application
  // protocols of a new connection, when detected by one of the listener filters.
  //
  // Suggested values include:
  //
  // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector
  //   <config_listener_filters_tls_inspector>`,
  // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
  //
  // .. attention::
  //
  //   Currently, only :ref:`TLS Inspector <config_listener_filters_tls_inspector>` provides
  //   application protocol detection based on the requested
  //   `ALPN <https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>`_ values.
  //
  //   However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
  //   and matching on values other than ``h2`` is going to lead to a lot of false negatives,
  //   unless all connecting clients are known to use ALPN.
  repeated string application_protocols = 10;
}

// A filter chain wraps a set of match criteria, an optional TLS context, a set of filters, and
// various other parameters.
// [#next-free-field: 10]
message FilterChain {
  // The criteria to use when matching a connection to this filter chain.
  // Ignored when this chain is installed as `Listener.default_filter_chain`.
  FilterChainMatch filter_chain_match = 1;

  // A list of individual network filters that make up the filter chain for
  // connections established with the listener. Order matters as the filters are
  // processed sequentially as connection events happen. Note: If the filter
  // list is empty, the connection will close by default.
  repeated Filter filters = 3;

  // Optional custom transport socket implementation to use for downstream connections.
  // To setup TLS, set a transport socket with name `tls` and
  // :ref:`DownstreamTlsContext <envoy_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>` in the `typed_config`.
  // If no transport socket configuration is specified, new connections
  // will be set up with plaintext.
  //
  // Security note: the default is plaintext, not TLS. A chain whose match criteria select
  // ``tls`` traffic but which omits `transport_socket` will still accept the connection in
  // the clear; tests that exercise TLS must set this field explicitly.
  core.v3.TransportSocket transport_socket = 6;
}

// [#next-free-field: 23]
// NOTE(review): the annotation above is copied from upstream and is stale for this file —
// `default_filter_chain` below already uses field 25. It is documentation only; the field
// numbers themselves are the contract and must not be changed to "fix" the annotation.
message Listener {
  // The unique name by which this listener is known. If no name is provided,
  // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically
  // updated or removed via :ref:`LDS <config_listeners_lds>` a unique name must be provided.
  string name = 1;

  // The address that the listener should listen on. In general, the address must be unique, though
  // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on
  // Linux as the actual port will be allocated by the OS.
  core.v3.Address address = 2;

  // A list of filter chains to consider for this listener. The
  // :ref:`FilterChain <envoy_api_msg_config.listener.v3.FilterChain>` with the most specific
  // :ref:`FilterChainMatch <envoy_api_msg_config.listener.v3.FilterChainMatch>` criteria is used on a
  // connection.
  //
  // Example using SNI for filter chain selection can be found in the
  // :ref:`FAQ entry <faq_how_to_setup_sni>`.
  repeated FilterChain filter_chains = 3;

  // If a connection is redirected using *iptables*, the port on which the proxy
  // receives it might be different from the original destination address. When this flag is set to
  // true, the listener hands off redirected connections to the listener associated with the
  // original destination address. If there is no listener associated with the original destination
  // address, the connection is handled by the listener that receives it. Defaults to false.
  //
  // Wrapper type gives explicit presence; unset behaves as false per the text above.
  google.protobuf.BoolValue use_original_dst = 4;

  // The default filter chain if none of the filter chain matches. If no default filter chain is supplied,
  // the connection will be closed. The filter chain match is ignored in this field.
  //
  // Fail-closed by design: omit this field unless unmatched connections are genuinely meant
  // to be accepted, since whatever is set here receives every connection no other chain claims.
  FilterChain default_filter_chain = 25;

  // Used to represent an API listener, which is used in non-proxy clients. The type of API
  // exposed to the non-proxy application depends on the type of API listener.
  // When this field is set, no other field except for :ref:`name<envoy_api_field_config.listener.v3.Listener.name>`
  // should be set.
  //
  // .. note::
  //
  //   Currently only one ApiListener can be installed; and it can only be done via bootstrap config,
  //   not LDS.
  //
  // [#next-major-version: In the v3 API, instead of this messy approach where the socket
  // listener fields are directly in the top-level Listener message and the API listener types
  // are in the ApiListener message, the socket listener messages should be in their own message,
  // and the top-level Listener should essentially be a oneof that selects between the
  // socket listener and the various types of API listener. That way, a given Listener message
  // can structurally only contain the fields of the relevant type.]
  ApiListener api_listener = 19;
}