diff --git a/docs/root/start/sandboxes/index.rst b/docs/root/start/sandboxes/index.rst
index 1acabd3696e6..aac98b800966 100644
--- a/docs/root/start/sandboxes/index.rst
+++ b/docs/root/start/sandboxes/index.rst
@@ -28,6 +28,7 @@ features. The following sandboxes are available:
mysql
postgres
redis
+ tls
wasm-cc
zipkin_tracing
skywalking_tracing
diff --git a/docs/root/start/sandboxes/tls.rst b/docs/root/start/sandboxes/tls.rst
new file mode 100644
index 000000000000..aed1ed2cccab
--- /dev/null
+++ b/docs/root/start/sandboxes/tls.rst
@@ -0,0 +1,172 @@
+.. _install_sandboxes_tls:
+
+TLS
+===
+
+.. sidebar:: Requirements
+
+ `jq `_
+ Used to parse ``json`` output from the upstream echo servers.
+
+This example walks through some of the ways that Envoy can be configured to make
+use of encrypted connections using ``HTTP`` over ``TLS``.
+
+It demonstrates a number of commonly used proxying and ``TLS`` termination patterns:
+
+- ``https`` -> ``http``
+- ``https`` -> ``https``
+- ``http`` -> ``https``
+- ``https`` passthrough
+
+To better understand the provided examples, and for a description of how ``TLS`` is
+configured with Envoy, please see the :ref:`securing Envoy quick start guide `.
+
+.. warning::
+
+ For the sake of simplicity, the examples provided here do not authenticate any client certificates,
+ or validate any of the provided certificates.
+
+ When using ``TLS``, you are strongly encouraged to :ref:`validate `
+ all certificates wherever possible.
+
+ You should also :ref:`authenticate clients `
+ where you control both sides of the connection, or relevant protocols are available.
+
+.. include:: _include/docker-env-setup.rst
+
+Change directory to ``examples/tls`` in the Envoy repository.
+
+Step 3: Build the sandbox
+*************************
+
+This starts four proxies listening on ``localhost`` ports ``10000-10003``.
+
+It also starts two upstream services, one ``HTTP`` and one ``HTTPS``, which echo back received headers
+in ``json`` format.
+
+The upstream services listen on the internal Docker network on ports ``80`` and ``443`` respectively.
+
+.. code-block:: console
+
+ $ pwd
+ envoy/examples/tls
+ $ docker-compose pull
+ $ docker-compose up --build -d
+ $ docker-compose ps
+
+ Name Command State Ports
+ -----------------------------------------------------------------------------------------------
+ tls_proxy-https-to-http_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10000->10000/tcp
+ tls_proxy-https-to-https_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10001->10000/tcp
+ tls_proxy-http-to-https_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10002->10000/tcp
+ tls_proxy-https-passthrough_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10003->10000/tcp
+ tls_service-http_1 node ./index.js Up
+ tls_service-https_1 node ./index.js Up
+
+Step 4: Test proxying ``https`` -> ``http``
+*******************************************
+
+The Envoy proxy listening on https://localhost:10000 terminates ``HTTPS`` and proxies to the upstream ``HTTP`` service.
+
+The :download:`https -> http configuration <_include/tls/envoy-https-http.yaml>` adds a ``TLS``
+:ref:`transport_socket ` to the
+:ref:`listener `.
+
+Querying the service at port ``10000`` you should see an ``x-forwarded-proto`` header of ``https`` has
+been added:
+
+.. code-block:: console
+
+ $ curl -sk https://localhost:10000 | jq -r '.headers["x-forwarded-proto"]'
+ https
+
+The upstream ``service-http`` handles the request.
+
+.. code-block:: console
+
+ $ curl -sk https://localhost:10000 | jq -r '.os.hostname'
+ service-http
+
+Step 5: Test proxying ``https`` -> ``https``
+********************************************
+
+The Envoy proxy listening on https://localhost:10001 terminates ``HTTPS`` and proxies to the upstream ``HTTPS`` service.
+
+The :download:`https -> https configuration <_include/tls/envoy-https-https.yaml>` adds a ``TLS``
+:ref:`transport_socket ` to both the
+:ref:`listener ` and the
+:ref:`cluster `.
+
+Querying the service at port ``10001`` you should see an ``x-forwarded-proto`` header of ``https`` has
+been added:
+
+.. code-block:: console
+
+ $ curl -sk https://localhost:10001 | jq -r '.headers["x-forwarded-proto"]'
+ https
+
+The upstream ``service-https`` handles the request.
+
+.. code-block:: console
+
+ $ curl -sk https://localhost:10001 | jq -r '.os.hostname'
+ service-https
+
+Step 6: Test proxying ``http`` -> ``https``
+*******************************************
+
+The Envoy proxy listening on http://localhost:10002 terminates ``HTTP`` and proxies to the upstream ``HTTPS`` service.
+
+The :download:`http -> https configuration <_include/tls/envoy-http-https.yaml>` adds a ``TLS``
+:ref:`transport_socket ` to the
+:ref:`cluster `.
+
+Querying the service at port ``10001`` you should see an ``x-forwarded-proto`` header of ``http`` has
+been added:
+
+.. code-block:: console
+
+ $ curl -s http://localhost:10002 | jq -r '.headers["x-forwarded-proto"]'
+ http
+
+The upstream ``service-https`` handles the request.
+
+.. code-block:: console
+
+ $ curl -s http://localhost:10002 | jq -r '.os.hostname'
+ service-https
+
+
+Step 7: Test proxying ``https`` passthrough
+*******************************************
+
+The Envoy proxy listening on https://localhost:10003 proxies directly to the upstream ``HTTPS`` service which
+does the ``TLS`` termination.
+
+The :download:`https passthrough configuration <_include/tls/envoy-https-passthrough.yaml>` requires no ``TLS``
+or ``HTTP`` setup, and instead uses a simple
+:ref:`tcp_proxy `.
+
+Querying the service at port ``10003`` you should see that no ``x-forwarded-proto`` header has been
+added:
+
+.. code-block:: console
+
+ $ curl -sk https://localhost:10003 | jq -r '.headers["x-forwarded-proto"]'
+ null
+
+The upstream ``service-https`` handles the request.
+
+.. code-block:: console
+
+ $ curl -sk https://localhost:10003 | jq -r '.os.hostname'
+ service-https
+
+.. seealso::
+
+ :ref:`Securing Envoy quick start guide `
+ Outline of key concepts for securing Envoy.
+
+ :ref:`Double proxy sandbox `
+ An example of securing traffic between proxies with validation and
+ mutual authentication using ``mTLS`` with non-``HTTP`` traffic.
diff --git a/examples/DEVELOPER.md b/examples/DEVELOPER.md
index dd2950829eb3..88e9a9b9f39c 100644
--- a/examples/DEVELOPER.md
+++ b/examples/DEVELOPER.md
@@ -85,6 +85,18 @@ responds_with \
-H 'Origin: https://example-service.com'
```
+#### Utility functions: `responds_without`
+
+You can also check that a request *does not* respond with given `HTTP` content:
+
+```bash
+responds_without \
+ "Anything unexpected" \
+ "http://localhost:8000"
+```
+
+`responds_without` can accept additional curl arguments like `responds_with`
+
#### Utility functions: `responds_with_header`
You can check that a request responds with an expected header as follows:
diff --git a/examples/tls/Dockerfile-proxy-http-https b/examples/tls/Dockerfile-proxy-http-https
new file mode 100644
index 000000000000..1d13a8c4821e
--- /dev/null
+++ b/examples/tls/Dockerfile-proxy-http-https
@@ -0,0 +1,5 @@
+FROM envoyproxy/envoy-dev:latest
+
+COPY ./envoy-http-https.yaml /etc/envoy.yaml
+RUN chmod go+r /etc/envoy.yaml
+CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]
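Review bot: `FROM envoyproxy/envoy-dev:latest` tracks a moving development tag, so the image each sandbox build produces depends on whatever `docker-compose pull` fetched that day and cannot be reproduced or audited later. For a sandbox that is meant to be copied, pinning to a release tag or an `@sha256:` digest (and refreshing it deliberately) would make the supply chain explicit; the same applies to the three sibling Dockerfiles in this change. Separately, `CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]` passes `-c /etc/envoy.yaml` as a single argv element and appears to rely on Envoy's option parser splitting it on the space; the conventional exec form `CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"]` does not depend on that behaviour.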
diff --git a/examples/tls/Dockerfile-proxy-https-http b/examples/tls/Dockerfile-proxy-https-http
new file mode 100644
index 000000000000..3ab63a86915a
--- /dev/null
+++ b/examples/tls/Dockerfile-proxy-https-http
@@ -0,0 +1,5 @@
+FROM envoyproxy/envoy-dev:latest
+
+COPY ./envoy-https-http.yaml /etc/envoy.yaml
+RUN chmod go+r /etc/envoy.yaml
+CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]
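Review bot: The file copied to `/etc/envoy.yaml` here embeds a TLS private key inline, and `RUN chmod go+r /etc/envoy.yaml` leaves that key world-readable in the image layer. That is tolerable in this sandbox only because the key is already published in the repository; anyone copying this Dockerfile for real certificates should keep the key out of the config (file or SDS reference) and `chown` it to the user Envoy runs as rather than widening permissions. A one-line comment above the `chmod`, e.g. `# sandbox only: the key inlined in this config is public; do not use go+r with real key material`, would make that explicit at the place it will be copied from.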
diff --git a/examples/tls/Dockerfile-proxy-https-https b/examples/tls/Dockerfile-proxy-https-https
new file mode 100644
index 000000000000..a34183bd6e34
--- /dev/null
+++ b/examples/tls/Dockerfile-proxy-https-https
@@ -0,0 +1,5 @@
+FROM envoyproxy/envoy-dev:latest
+
+COPY ./envoy-https-https.yaml /etc/envoy.yaml
+RUN chmod go+r /etc/envoy.yaml
+CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]
diff --git a/examples/tls/Dockerfile-proxy-https-passthrough b/examples/tls/Dockerfile-proxy-https-passthrough
new file mode 100644
index 000000000000..a460c25de9d0
--- /dev/null
+++ b/examples/tls/Dockerfile-proxy-https-passthrough
@@ -0,0 +1,5 @@
+FROM envoyproxy/envoy-dev:latest
+
+COPY ./envoy-https-passthrough.yaml /etc/envoy.yaml
+RUN chmod go+r /etc/envoy.yaml
+CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml"]
diff --git a/examples/tls/README.md b/examples/tls/README.md
new file mode 100644
index 000000000000..61d68e1757a7
--- /dev/null
+++ b/examples/tls/README.md
@@ -0,0 +1,2 @@
+To learn about this sandbox and for instructions on how to run it please head over
+to the [Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/tls.html).
diff --git a/examples/tls/docker-compose.yaml b/examples/tls/docker-compose.yaml
new file mode 100644
index 000000000000..1db7809a2220
--- /dev/null
+++ b/examples/tls/docker-compose.yaml
@@ -0,0 +1,42 @@
+version: "3.7"
+services:
+
+ proxy-https-to-http:
+ build:
+ context: .
+ dockerfile: Dockerfile-proxy-https-http
+ ports:
+ - "10000:10000"
+
+ proxy-https-to-https:
+ build:
+ context: .
+ dockerfile: Dockerfile-proxy-https-https
+ ports:
+ - "10001:10000"
+
+ proxy-http-to-https:
+ build:
+ context: .
+ dockerfile: Dockerfile-proxy-http-https
+ ports:
+ - "10002:10000"
+
+ proxy-https-passthrough:
+ build:
+ context: .
+ dockerfile: Dockerfile-proxy-https-passthrough
+ ports:
+ - "10003:10000"
+
+ service-http:
+ image: mendhak/http-https-echo
+ hostname: service-http
+ environment:
+ - HTTPS_PORT=0
+
+ service-https:
+ image: mendhak/http-https-echo
+ hostname: service-https
+ environment:
+ - HTTP_PORT=0
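Review bot: The `ports` entries publish the four proxy listeners as `10000:10000` and so on, which Docker binds on all host interfaces, so these non-validating, unauthenticated proxies are reachable from the local network while the sandbox runs, not only from `localhost` as the walkthrough describes. Binding them to loopback, `- "127.0.0.1:10000:10000"` (and likewise for 10001–10003), keeps the examples as documented and costs nothing since every test targets `localhost`. The `mendhak/http-https-echo` images are also unpinned, so the upstream behaviour (including its self-signed certificate) can change silently between pulls; a fixed tag would help reproducibility.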
diff --git a/examples/tls/envoy-http-https.yaml b/examples/tls/envoy-http-https.yaml
new file mode 100644
index 000000000000..2e896de2e78b
--- /dev/null
+++ b/examples/tls/envoy-http-https.yaml
@@ -0,0 +1,45 @@
+static_resources:
+ listeners:
+ - address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 10000
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ codec_type: auto
+ stat_prefix: ingress_http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: app
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: service-https
+ http_filters:
+ - name: envoy.filters.http.router
+
+ clusters:
+ - name: service-https
+ connect_timeout: 0.25s
+ type: strict_dns
+ lb_policy: round_robin
+ load_assignment:
+ cluster_name: service-https
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: service-https
+ port_value: 443
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
diff --git a/examples/tls/envoy-https-http.yaml b/examples/tls/envoy-https-http.yaml
new file mode 100644
index 000000000000..46dccfff0d6e
--- /dev/null
+++ b/examples/tls/envoy-https-http.yaml
@@ -0,0 +1,104 @@
+static_resources:
+ listeners:
+ - address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 10000
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ codec_type: auto
+ stat_prefix: ingress_http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: app
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: service-http
+ http_filters:
+ - name: envoy.filters.http.router
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ common_tls_context:
+ tls_certificates:
+ # The following self-signed certificate pair is generated using:
+ # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'
+ #
+ # Instead of feeding it as an inline_string, certificate pair can also be fed to Envoy
+ # via filename. Reference: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-datasource.
+ #
+ # Or in a dynamic configuration scenario, certificate pair can be fetched remotely via
+ # Secret Discovery Service (SDS). Reference: https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret.
+ certificate_chain:
+ inline_string: |
+ -----BEGIN CERTIFICATE-----
+ MIICqDCCAZACCQCquzpHNpqBcDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtm
+ cm9udC1lbnZveTAeFw0yMDA3MDgwMTMxNDZaFw0zMDA3MDYwMTMxNDZaMBYxFDAS
+ BgNVBAMMC2Zyb250LWVudm95MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+ AQEAthnYkqVQBX+Wg7aQWyCCb87hBce1hAFhbRM8Y9dQTqxoMXZiA2n8G089hUou
+ oQpEdJgitXVS6YMFPFUUWfwcqxYAynLK4X5im26Yfa1eO8La8sZUS+4Bjao1gF5/
+ VJxSEo2yZ7fFBo8M4E44ZehIIocipCRS+YZehFs6dmHoq/MGvh2eAHIa+O9xssPt
+ ofFcQMR8rwBHVbKy484O10tNCouX4yUkyQXqCRy6HRu7kSjOjNKSGtjfG+h5M8bh
+ 10W7ZrsJ1hWhzBulSaMZaUY3vh5ngpws1JATQVSK1Jm/dmMRciwlTK7KfzgxHlSX
+ 58ENpS7yPTISkEICcLbXkkKGEQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCmj6Hg
+ vwOxWz0xu+6fSfRL6PGJUGq6wghCfUvjfwZ7zppDUqU47fk+yqPIOzuGZMdAqi7N
+ v1DXkeO4A3hnMD22Rlqt25vfogAaZVToBeQxCPd/ALBLFrvLUFYuSlS3zXSBpQqQ
+ Ny2IKFYsMllz5RSROONHBjaJOn5OwqenJ91MPmTAG7ujXKN6INSBM0PjX9Jy4Xb9
+ zT+I85jRDQHnTFce1WICBDCYidTIvJtdSSokGSuy4/xyxAAc/BpZAfOjBQ4G1QRe
+ 9XwOi790LyNUYFJVyeOvNJwveloWuPLHb9idmY5YABwikUY6QNcXwyHTbRCkPB2I
+ m+/R4XnmL4cKQ+5Z
+ -----END CERTIFICATE-----
+ private_key:
+ inline_string: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2GdiSpVAFf5aD
+ tpBbIIJvzuEFx7WEAWFtEzxj11BOrGgxdmIDafwbTz2FSi6hCkR0mCK1dVLpgwU8
+ VRRZ/ByrFgDKcsrhfmKbbph9rV47wtryxlRL7gGNqjWAXn9UnFISjbJnt8UGjwzg
+ Tjhl6EgihyKkJFL5hl6EWzp2Yeir8wa+HZ4Achr473Gyw+2h8VxAxHyvAEdVsrLj
+ zg7XS00Ki5fjJSTJBeoJHLodG7uRKM6M0pIa2N8b6HkzxuHXRbtmuwnWFaHMG6VJ
+ oxlpRje+HmeCnCzUkBNBVIrUmb92YxFyLCVMrsp/ODEeVJfnwQ2lLvI9MhKQQgJw
+ tteSQoYRAgMBAAECggEAeDGdEkYNCGQLe8pvg8Z0ccoSGpeTxpqGrNEKhjfi6NrB
+ NwyVav10iq4FxEmPd3nobzDPkAftfvWc6hKaCT7vyTkPspCMOsQJ39/ixOk+jqFx
+ lNa1YxyoZ9IV2DIHR1iaj2Z5gB367PZUoGTgstrbafbaNY9IOSyojCIO935ubbcx
+ DWwL24XAf51ez6sXnI8V5tXmrFlNXhbhJdH8iIxNyM45HrnlUlOk0lCK4gmLJjy9
+ 10IS2H2Wh3M5zsTpihH1JvM56oAH1ahrhMXs/rVFXXkg50yD1KV+HQiEbglYKUxO
+ eMYtfaY9i2CuLwhDnWp3oxP3HfgQQhD09OEN3e0IlQKBgQDZ/3poG9TiMZSjfKqL
+ xnCABMXGVQsfFWNC8THoW6RRx5Rqi8q08yJrmhCu32YKvccsOljDQJQQJdQO1g09
+ e/adJmCnTrqxNtjPkX9txV23Lp6Ak7emjiQ5ICu7iWxrcO3zf7hmKtj7z+av8sjO
+ mDI7NkX5vnlE74nztBEjp3eC0wKBgQDV2GeJV028RW3b/QyP3Gwmax2+cKLR9PKR
+ nJnmO5bxAT0nQ3xuJEAqMIss/Rfb/macWc2N/6CWJCRT6a2vgy6xBW+bqG6RdQMB
+ xEZXFZl+sSKhXPkc5Wjb4lQ14YWyRPrTjMlwez3k4UolIJhJmwl+D7OkMRrOUERO
+ EtUvc7odCwKBgBi+nhdZKWXveM7B5N3uzXBKmmRz3MpPdC/yDtcwJ8u8msUpTv4R
+ JxQNrd0bsIqBli0YBmFLYEMg+BwjAee7vXeDFq+HCTv6XMva2RsNryCO4yD3I359
+ XfE6DJzB8ZOUgv4Dvluie3TB2Y6ZQV/p+LGt7G13yG4hvofyJYvlg3RPAoGAcjDg
+ +OH5zLN2eqah8qBN0CYa9/rFt0AJ19+7/smLTJ7QvQq4g0gwS1couplcCEnNGWiK
+ 72y1n/ckvvplmPeAE19HveMvR9UoCeV5ej86fACy8V/oVpnaaLBvL2aCMjPLjPP9
+ DWeCIZp8MV86cvOrGfngf6kJG2qZTueXl4NAuwkCgYEArKkhlZVXjwBoVvtHYmN2
+ o+F6cGMlRJTLhNc391WApsgDZfTZSdeJsBsvvzS/Nc0burrufJg0wYioTlpReSy4
+ ohhtprnQQAddfjHP7rh2LGt+irFzhdXXQ1ybGaGM9D764KUNCXLuwdly0vzXU4HU
+ q5sGxGrC1RECGB5Zwx2S2ZY=
+ -----END PRIVATE KEY-----
+
+ clusters:
+ - name: service-http
+ connect_timeout: 0.25s
+ type: strict_dns
+ lb_policy: round_robin
+ load_assignment:
+ cluster_name: service-http
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: service-http
+ port_value: 80
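Review bot: The listener's `DownstreamTlsContext` inlines a private key that is now committed to the repository, so anyone with the repo can impersonate this listener; the comment above `certificate_chain` explains how the pair was generated (`-nodes`, unencrypted) but not that it is a throwaway, public key. Extending that comment with `# This key is published in the Envoy repository and is for this sandbox only — never reuse it.` would stop the block being pasted into a real config unchanged. Note also that the context sets neither `require_client_certificate` nor a `validation_context`, so clients are not authenticated, which matches the rst warning; stating that in the YAML as well keeps the downloaded file self-describing.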
diff --git a/examples/tls/envoy-https-https.yaml b/examples/tls/envoy-https-https.yaml
new file mode 100644
index 000000000000..e838895d903a
--- /dev/null
+++ b/examples/tls/envoy-https-https.yaml
@@ -0,0 +1,108 @@
+static_resources:
+ listeners:
+ - address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 10000
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ codec_type: auto
+ stat_prefix: ingress_http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: app
+ domains:
+ - "*"
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: service-https
+ http_filters:
+ - name: envoy.filters.http.router
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ common_tls_context:
+ tls_certificates:
+ # The following self-signed certificate pair is generated using:
+ # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'
+ #
+ # Instead of feeding it as an inline_string, certificate pair can also be fed to Envoy
+ # via filename. Reference: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-datasource.
+ #
+ # Or in a dynamic configuration scenario, certificate pair can be fetched remotely via
+ # Secret Discovery Service (SDS). Reference: https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret.
+ certificate_chain:
+ inline_string: |
+ -----BEGIN CERTIFICATE-----
+ MIICqDCCAZACCQCquzpHNpqBcDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtm
+ cm9udC1lbnZveTAeFw0yMDA3MDgwMTMxNDZaFw0zMDA3MDYwMTMxNDZaMBYxFDAS
+ BgNVBAMMC2Zyb250LWVudm95MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+ AQEAthnYkqVQBX+Wg7aQWyCCb87hBce1hAFhbRM8Y9dQTqxoMXZiA2n8G089hUou
+ oQpEdJgitXVS6YMFPFUUWfwcqxYAynLK4X5im26Yfa1eO8La8sZUS+4Bjao1gF5/
+ VJxSEo2yZ7fFBo8M4E44ZehIIocipCRS+YZehFs6dmHoq/MGvh2eAHIa+O9xssPt
+ ofFcQMR8rwBHVbKy484O10tNCouX4yUkyQXqCRy6HRu7kSjOjNKSGtjfG+h5M8bh
+ 10W7ZrsJ1hWhzBulSaMZaUY3vh5ngpws1JATQVSK1Jm/dmMRciwlTK7KfzgxHlSX
+ 58ENpS7yPTISkEICcLbXkkKGEQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCmj6Hg
+ vwOxWz0xu+6fSfRL6PGJUGq6wghCfUvjfwZ7zppDUqU47fk+yqPIOzuGZMdAqi7N
+ v1DXkeO4A3hnMD22Rlqt25vfogAaZVToBeQxCPd/ALBLFrvLUFYuSlS3zXSBpQqQ
+ Ny2IKFYsMllz5RSROONHBjaJOn5OwqenJ91MPmTAG7ujXKN6INSBM0PjX9Jy4Xb9
+ zT+I85jRDQHnTFce1WICBDCYidTIvJtdSSokGSuy4/xyxAAc/BpZAfOjBQ4G1QRe
+ 9XwOi790LyNUYFJVyeOvNJwveloWuPLHb9idmY5YABwikUY6QNcXwyHTbRCkPB2I
+ m+/R4XnmL4cKQ+5Z
+ -----END CERTIFICATE-----
+ private_key:
+ inline_string: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2GdiSpVAFf5aD
+ tpBbIIJvzuEFx7WEAWFtEzxj11BOrGgxdmIDafwbTz2FSi6hCkR0mCK1dVLpgwU8
+ VRRZ/ByrFgDKcsrhfmKbbph9rV47wtryxlRL7gGNqjWAXn9UnFISjbJnt8UGjwzg
+ Tjhl6EgihyKkJFL5hl6EWzp2Yeir8wa+HZ4Achr473Gyw+2h8VxAxHyvAEdVsrLj
+ zg7XS00Ki5fjJSTJBeoJHLodG7uRKM6M0pIa2N8b6HkzxuHXRbtmuwnWFaHMG6VJ
+ oxlpRje+HmeCnCzUkBNBVIrUmb92YxFyLCVMrsp/ODEeVJfnwQ2lLvI9MhKQQgJw
+ tteSQoYRAgMBAAECggEAeDGdEkYNCGQLe8pvg8Z0ccoSGpeTxpqGrNEKhjfi6NrB
+ NwyVav10iq4FxEmPd3nobzDPkAftfvWc6hKaCT7vyTkPspCMOsQJ39/ixOk+jqFx
+ lNa1YxyoZ9IV2DIHR1iaj2Z5gB367PZUoGTgstrbafbaNY9IOSyojCIO935ubbcx
+ DWwL24XAf51ez6sXnI8V5tXmrFlNXhbhJdH8iIxNyM45HrnlUlOk0lCK4gmLJjy9
+ 10IS2H2Wh3M5zsTpihH1JvM56oAH1ahrhMXs/rVFXXkg50yD1KV+HQiEbglYKUxO
+ eMYtfaY9i2CuLwhDnWp3oxP3HfgQQhD09OEN3e0IlQKBgQDZ/3poG9TiMZSjfKqL
+ xnCABMXGVQsfFWNC8THoW6RRx5Rqi8q08yJrmhCu32YKvccsOljDQJQQJdQO1g09
+ e/adJmCnTrqxNtjPkX9txV23Lp6Ak7emjiQ5ICu7iWxrcO3zf7hmKtj7z+av8sjO
+ mDI7NkX5vnlE74nztBEjp3eC0wKBgQDV2GeJV028RW3b/QyP3Gwmax2+cKLR9PKR
+ nJnmO5bxAT0nQ3xuJEAqMIss/Rfb/macWc2N/6CWJCRT6a2vgy6xBW+bqG6RdQMB
+ xEZXFZl+sSKhXPkc5Wjb4lQ14YWyRPrTjMlwez3k4UolIJhJmwl+D7OkMRrOUERO
+ EtUvc7odCwKBgBi+nhdZKWXveM7B5N3uzXBKmmRz3MpPdC/yDtcwJ8u8msUpTv4R
+ JxQNrd0bsIqBli0YBmFLYEMg+BwjAee7vXeDFq+HCTv6XMva2RsNryCO4yD3I359
+ XfE6DJzB8ZOUgv4Dvluie3TB2Y6ZQV/p+LGt7G13yG4hvofyJYvlg3RPAoGAcjDg
+ +OH5zLN2eqah8qBN0CYa9/rFt0AJ19+7/smLTJ7QvQq4g0gwS1couplcCEnNGWiK
+ 72y1n/ckvvplmPeAE19HveMvR9UoCeV5ej86fACy8V/oVpnaaLBvL2aCMjPLjPP9
+ DWeCIZp8MV86cvOrGfngf6kJG2qZTueXl4NAuwkCgYEArKkhlZVXjwBoVvtHYmN2
+ o+F6cGMlRJTLhNc391WApsgDZfTZSdeJsBsvvzS/Nc0burrufJg0wYioTlpReSy4
+ ohhtprnQQAddfjHP7rh2LGt+irFzhdXXQ1ybGaGM9D764KUNCXLuwdly0vzXU4HU
+ q5sGxGrC1RECGB5Zwx2S2ZY=
+ -----END PRIVATE KEY-----
+
+ clusters:
+ - name: service-https
+ connect_timeout: 0.25s
+ type: strict_dns
+ lb_policy: round_robin
+ load_assignment:
+ cluster_name: service-https
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: service-https
+ port_value: 443
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
diff --git a/examples/tls/envoy-https-passthrough.yaml b/examples/tls/envoy-https-passthrough.yaml
new file mode 100644
index 000000000000..8ce160addf4a
--- /dev/null
+++ b/examples/tls/envoy-https-passthrough.yaml
@@ -0,0 +1,28 @@
+static_resources:
+ listeners:
+ - address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 10000
+ filter_chains:
+ - filters:
+ - name: envoy.filters.network.tcp_proxy
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+ cluster: service-https
+ stat_prefix: https_passthrough
+
+ clusters:
+ - name: service-https
+ connect_timeout: 0.25s
+ type: strict_dns
+ lb_policy: round_robin
+ load_assignment:
+ cluster_name: service-https
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: service-https
+ port_value: 443
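Review bot: The passthrough listener has no `listener_filters` and no `filter_chain_match`, so the `tcp_proxy` forwards any bytes arriving on 10000 to `service-https:443`, not only TLS; a plaintext client would simply get a TLS alert from the upstream and Envoy has no visibility into what it relayed. Since this example is named "https passthrough", adding the `tls_inspector` listener filter and matching on `transport_protocol: tls` makes the intent enforced rather than implied, and is the usual starting shape for SNI-based routing. Suggested change to the listener (the `tcp_proxy` filter and clusters stay as they are):

```yaml
    listener_filters:
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filter_chain_match:
        transport_protocol: tls
      filters:
      # … unchanged: envoy.filters.network.tcp_proxy filter …
```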
diff --git a/examples/tls/verify.sh b/examples/tls/verify.sh
new file mode 100755
index 000000000000..96c92992ce26
--- /dev/null
+++ b/examples/tls/verify.sh
@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+export NAME=tls
+
+# shellcheck source=examples/verify-common.sh
+. "$(dirname "${BASH_SOURCE[0]}")/../verify-common.sh"
+
+run_log "Test https -> http"
+responds_with \
+ '"x-forwarded-proto": "https",' \
+ -k \
+ https://localhost:10000
+curl -sk https://localhost:10000 | jq '.os.hostname' | grep '"service-http"'
+
+run_log "Test https -> https"
+responds_with \
+ '"x-forwarded-proto": "https",' \
+ -k \
+ https://localhost:10001
+curl -sk https://localhost:10001 | jq '.os.hostname' | grep '"service-https"'
+
+run_log "Test http -> https"
+responds_with \
+ '"x-forwarded-proto": "http",' \
+ http://localhost:10002
+curl -s http://localhost:10002 | jq '.os.hostname' | grep '"service-https"'
+
+run_log "Test https passthrough"
+responds_without \
+ '"x-forwarded-proto"' \
+ -k \
+ https://localhost:10003
+curl -sk https://localhost:10003 | jq '.os.hostname' | grep '"service-https"'
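Review bot: The three termination tests only check that `x-forwarded-proto` comes back as the expected value for a clean request; none checks what happens when the client supplies its own `x-forwarded-proto`, which is precisely the header the upstream echo is trusting. A request such as `responds_with '"x-forwarded-proto": "https",' -k -H 'x-forwarded-proto: http' https://localhost:10000` would confirm the proxy derives the header from the connection rather than forwarding a client-controlled value — whether Envoy overwrites it here depends on the HCM's `use_remote_address` setting, which these configs leave at its default, so this is worth verifying rather than assuming. The `curl … | jq … | grep` pipelines also run under `-e` without `pipefail`, so a failing `curl` is caught only indirectly by `grep` seeing no output.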
diff --git a/examples/verify-common.sh b/examples/verify-common.sh
index 509faf3a846f..277336170f82 100644
--- a/examples/verify-common.sh
+++ b/examples/verify-common.sh
@@ -95,6 +95,16 @@ responds_with () {
}
}
+responds_without () {
+ local expected
+ expected="$1"
+ shift
+ _curl "${@}" | grep "$expected" | [[ "$(wc -l)" -eq 0 ]] || {
+ echo "ERROR: curl without (${*}): $expected" >&2
+ return 1
+ }
+}
+
responds_with_header () {
local expected
expected="$1"