EnvoyProxy Part 4: Enable TLS connection termination for an HTTPS listener.
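# Resources loaded at boot, rather than dynamically via APIs.
# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap-staticresources
static_resources:
  # A listener wraps an address to bind to and filters to run on messages on that address.
  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-msg-config-listener-v3-listener
  listeners:
  # The address of an interface to bind to. Interfaces can be sockets, pipes, or internal addresses.
  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-address
  - address:
      # This address is for a network socket, with an IP and a port.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-socketaddress
      socket_address:
        # The value 0.0.0.0 indicates that all interfaces will be bound to. That also means the
        # listener is reachable from every network the host is attached to; if only one network
        # should be able to reach it, bind to that interface's address instead.
        address: 0.0.0.0
        # Port 443 is the default port for HTTPS, we use 8443 in user space so Envoy does not need
        # root (or CAP_NET_BIND_SERVICE) just to bind a privileged port.
        port_value: 8443
    # Filter chains wrap several related configurations, e.g. match criteria, TLS context, filters, etc.
    # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filterchain
    filter_chains:
    # Configures a transport socket protocol like TLS or ALTS.
    # To specify a specific type, a "typed_config" field with valid "@type" name is required.
    # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-transportsocket
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          # A transport socket listening to downstream connections (clients) using TLS.
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-downstreamtlscontext
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # TLS contextual information shared by both the client and server.
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-commontlscontext
          common_tls_context:
            # Protocol-version floor for downstream handshakes. Envoy's documented default minimum
            # is already TLSv1_2; stating it here makes the policy explicit and reviewable rather
            # than dependent on the running Envoy version's default.
            # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-tlsparameters
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
            # A list of TLS certificates that can be used, clients will only choose a single one per session.
            # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-tlscertificate
            tls_certificates:
            # A datasource from which to read the public key certificate, such as a file or
            # environment variable.
            # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-datasource
            - certificate_chain:
                filename: cert.pem
              # A datasource from which to read the private key, such as a file or environment variable.
              # The key file should be readable only by the user Envoy runs as. Outside of a local
              # demo, prefer delivering it through SDS (sds_secret_config) instead of a file that
              # lives next to the configuration.
              # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-datasource
              private_key:
                filename: key.pem
      # An ordered list of filters to apply to connections.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filter
      filters:
      - name: envoy.filters.network.http_connection_manager
        # A generic configuration whose fields vary with its "@type".
        typed_config:
          # The HttpConnectionManager filter converts raw data into HTTP messages, logging,
          # tracing, header manipulation, routing, and statistics.
          # https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#arch-overview-http-conn-man
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extension-envoy-filters-network-http-connection-manager
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          # The human readable prefix used when emitting statistics.
          stat_prefix: ingress_http
          # The static routing table used by this filter. Individual routes may also add "rate
          # limit descriptors", essentially tags, to requests which may be referenced in the
          # "http_filters" config.
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-msg-config-route-v3-routeconfiguration
          route_config:
            name: local_route
            # An array of virtual hosts which will compose the routing table.
            # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-virtualhost
            virtual_hosts:
            - name: backend
              # A list of domains, e.g. *.foo.com, that will match this virtual host.
              # "*" matches every Host/:authority value, so any name pointed at this listener
              # lands on the single backend below; narrow it once more than one service is served.
              domains:
              - "*"
              # A list of routes to match against requests, the first one that matches will be used.
              # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route
              routes:
              # The conditions that a request must satisfy to follow this route.
              # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routematch
              - match:
                  # A match against the beginning of the :path pseudo-header.
                  prefix: "/"
                # The routing action to take if the request matches the conditions.
                # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routeaction
                route:
                  host_rewrite_literal: www.envoyproxy.io
                  cluster: service_envoyproxy_io
          # Individual filters applied by the HTTP Connection Manager.
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpfilter
          http_filters:
          # The router filter performs HTTP forwarding with optional logic for retries, statistics, etc.
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#extension-envoy-filters-http-router
          # https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  # Configurations for logically similar upstream hosts, called clusters, that Envoy connects to.
  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster
  clusters:
  - name: service_envoyproxy_io
    # The cluster type, in this case, discover the target via a DNS lookup.
    # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-discoverytype
    type: LOGICAL_DNS
    # Upper bound on establishing a new upstream connection. The previous value (500s) kept a
    # worker's connection attempt pending for over eight minutes on an unreachable host, which
    # is a cheap way for an upstream outage to pile up resources; 30s is already generous.
    connect_timeout: 30s
    dns_lookup_family: V4_ONLY
    # For endpoints that are part of the cluster, determine how requests are distributed.
    # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint.proto#envoy-v3-api-msg-config-endpoint-v3-clusterloadassignment
    load_assignment:
      cluster_name: service_envoyproxy_io
      endpoints:
      # A list of endpoints that belong to this cluster.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-localitylbendpoints
      - lb_endpoints:
        # A single endpoint, its load-balancing weight, etc.
        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-lbendpoint
        - endpoint:
            address:
              socket_address:
                address: www.envoyproxy.io
                port_value: 443
    # A customized transport socket, in this case, with TLS enabled.
    # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-transportsocket
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-upstreamtlscontext
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        # Server Name Indication, the server being contacted in step 1 of the TLS handshake.
        # SNI only tells the upstream which certificate to present; it does not by itself make
        # Envoy check that certificate. Verification is configured separately below.
        sni: www.envoyproxy.io
        common_tls_context:
          # Envoy does not verify the upstream's certificate unless a validation_context is
          # configured, so the original config would have accepted any certificate on the hop
          # to www.envoyproxy.io (trivially interceptable by anyone on the path). Anchor trust
          # to the host's CA bundle and require the presented SAN to be the host we intend to reach.
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-certificatevalidationcontext
          validation_context:
            trusted_ca:
              # Debian/Ubuntu system bundle path; adjust for other base images.
              filename: /etc/ssl/certs/ca-certificates.crt
            match_typed_subject_alt_names:
            - san_type: DNS
              matcher:
                exact: www.envoyproxy.io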