diff --git a/api/envoy/config/listener/v3/listener_components.proto b/api/envoy/config/listener/v3/listener_components.proto index c389c841e0ba..c2236a34d3c4 100644 --- a/api/envoy/config/listener/v3/listener_components.proto +++ b/api/envoy/config/listener/v3/listener_components.proto @@ -218,7 +218,11 @@ message FilterChain { // load balancers including the AWS ELB support this option. If the option is // absent or set to false, Envoy will use the physical peer address of the // connection as the remote address. - google.protobuf.BoolValue use_proxy_proto = 4; + // + // This field is deprecated. Add a + // :ref:`PROXY protocol listener filter ` + // explicitly instead. + google.protobuf.BoolValue use_proxy_proto = 4 [deprecated = true]; // [#not-implemented-hide:] filter chain metadata. core.v3.Metadata metadata = 5; diff --git a/api/envoy/config/listener/v4alpha/listener_components.proto b/api/envoy/config/listener/v4alpha/listener_components.proto index e7fe84482475..021aadc928c3 100644 --- a/api/envoy/config/listener/v4alpha/listener_components.proto +++ b/api/envoy/config/listener/v4alpha/listener_components.proto @@ -203,9 +203,9 @@ message FilterChain { google.protobuf.Duration rebuild_timeout = 1; } - reserved 2; + reserved 2, 4; - reserved "tls_context"; + reserved "tls_context", "use_proxy_proto"; // The criteria to use when matching a connection to this filter chain. FilterChainMatch filter_chain_match = 1; 
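Review bot: The new deprecation comment on `use_proxy_proto` does not tell the reader that the replacement has a different scope: this field lives inside `message FilterChain`, while the `listener_filters` entry the config hunks add is a property of the whole listener, so a listener whose filter chains differed in `use_proxy_proto` cannot be migrated one chain at a time. The comment also leaves open what happens when a deprecated `use_proxy_proto = true` and an explicit proxy_protocol listener filter are both configured; stating whether that combination is rejected or which one wins would prevent a listener from being set up to expect the PROXY header twice. Suggested wording after the "explicitly instead" sentence: `// Note that the listener filter applies to every filter chain on the listener, whereas this field was per filter chain.` The same comment text is duplicated in the generated_api_shadow v3 and v4alpha files and would need the same addition there.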
@@ -216,14 +216,6 @@ message FilterChain { // list is empty, the connection will close by default. repeated Filter filters = 3; - // Whether the listener should expect a PROXY protocol V1 header on new - // connections. If this option is enabled, the listener will assume that that - // remote address of the connection is the one specified in the header. Some - // load balancers including the AWS ELB support this option. If the option is - // absent or set to false, Envoy will use the physical peer address of the - // connection as the remote address. - google.protobuf.BoolValue use_proxy_proto = 4; - // [#not-implemented-hide:] filter chain metadata. core.v4alpha.Metadata metadata = 5; diff --git a/configs/envoy_double_proxy.template.yaml b/configs/envoy_double_proxy.template.yaml index 1dcaaf84765a..e5a7ab23f063 100644 --- a/configs/envoy_double_proxy.template.yaml +++ b/configs/envoy_double_proxy.template.yaml @@ -5,6 +5,12 @@ protocol: {{protocol}} address: {{address}} port_value: {{port_value}} + {% if proxy_proto %} + listener_filters: + - name: envoy.filters.listener.proxy_protocol + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol + {% endif %} filter_chains: - filter_chain_match: {} {% if tls %} @@ -23,9 +29,6 @@ - h2 - http/1.1 {% endif %} - {% if proxy_proto %} - use_proxy_proto: true - {%endif -%} filters: - name: envoy.filters.network.http_connection_manager typed_config: diff --git a/configs/envoy_front_proxy.template.yaml b/configs/envoy_front_proxy.template.yaml index e60670f112c1..a2d3dea51ade 100644 --- a/configs/envoy_front_proxy.template.yaml +++ b/configs/envoy_front_proxy.template.yaml 
@@ -7,6 +7,12 @@ protocol: {{protocol}} address: {{address}} port_value: {{port_value}} + {% if proxy_proto %} + listener_filters: + - name: envoy.filters.listener.proxy_protocol + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol + {% endif %} filter_chains: {% if tls %} - transport_socket: @@ -28,9 +34,6 @@ #double proxy configuration. verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000" {% endif %} - {%if proxy_proto%} - use_proxy_proto: true - {%endif%} {%endif %} filters: - name: envoy.filters.network.http_connection_manager diff --git a/configs/google-vrp/envoy-edge.yaml b/configs/google-vrp/envoy-edge.yaml index 7faa6caf2d2f..fc95700f115c 100644 --- a/configs/google-vrp/envoy-edge.yaml +++ b/configs/google-vrp/envoy-edge.yaml @@ -27,6 +27,11 @@ static_resources: address: 0.0.0.0 port_value: 10000 per_connection_buffer_limit_bytes: 32768 # 32 KiB + # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol. + # listener_filters: + # - name: envoy.filters.listener.proxy_protocol + # typed_config: + # "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol filter_chains: - transport_socket: name: envoy.transport_sockets.tls @@ -36,8 +41,6 @@ static_resources: tls_certificates: - certificate_chain: { filename: "certs/servercert.pem" } private_key: { filename: "certs/serverkey.pem" } - # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol. - # use_proxy_proto: true filters: - name: envoy.filters.network.http_connection_manager typed_config: diff --git a/docs/root/configuration/best_practices/_include/edge.yaml b/docs/root/configuration/best_practices/_include/edge.yaml index dc629699f0a8..21a6b7e7a5c1 100644 --- a/docs/root/configuration/best_practices/_include/edge.yaml +++ b/docs/root/configuration/best_practices/_include/edge.yaml 
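Review bot: In envoy_front_proxy.template.yaml the removed `use_proxy_proto: true` lines sit inside the `{% if tls %}` block (the `{%endif %}` immediately after the deleted lines appears to close it), so the old template only enabled PROXY protocol for TLS listeners, whereas the new `listener_filters` block near the top of the file is emitted whenever `proxy_proto` is set, TLS or not. That looks like an intentional widening, but it changes what the template renders for plain-text front proxies and deserves a sentence in the commit message or a template comment. For configs/google-vrp/envoy-edge.yaml, the moved comment could state the precondition more precisely, since the field's own documentation says the remote address is taken from the header as sent by the peer: `# Uncomment only if every connection to this listener arrives through a load balancer that speaks the PROXY protocol; on a directly reachable listener a client could otherwise supply its own remote address.`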
@@ -34,6 +34,10 @@ static_resources: listener_filters: - name: "envoy.filters.listener.tls_inspector" typed_config: {} + # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol. + # - name: envoy.filters.listener.proxy_protocol + # typed_config: + # "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol per_connection_buffer_limit_bytes: 32768 # 32 KiB filter_chains: - filter_chain_match: @@ -46,8 +50,6 @@ static_resources: tls_certificates: - certificate_chain: { filename: "certs/servercert.pem" } private_key: { filename: "certs/serverkey.pem" } - # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol. - # use_proxy_proto: true filters: - name: envoy.filters.network.http_connection_manager typed_config: diff --git a/docs/root/configuration/http/http_conn_man/headers.rst b/docs/root/configuration/http/http_conn_man/headers.rst index fa3993706b6a..143def096e48 100644 --- a/docs/root/configuration/http/http_conn_man/headers.rst +++ b/docs/root/configuration/http/http_conn_man/headers.rst @@ -506,7 +506,7 @@ Supported variable names are: .. note:: This may not be the physical remote address of the peer if the address has been inferred from - :ref:`proxy proto ` or :ref:`x-forwarded-for + :ref:`Proxy Protocol filter ` or :ref:`x-forwarded-for `. %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% diff --git a/docs/root/configuration/observability/access_log/usage.rst b/docs/root/configuration/observability/access_log/usage.rst index 73ca330f7333..7d4b402fbd61 100644 --- a/docs/root/configuration/observability/access_log/usage.rst +++ b/docs/root/configuration/observability/access_log/usage.rst 
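Review bot: The commented-out proxy_protocol entry in docs/root/configuration/best_practices/_include/edge.yaml is placed after `envoy.filters.listener.tls_inspector`, but as far as I recall listener filters run in list order and the PROXY header precedes the TLS ClientHello on the wire, so uncommenting the block as written would have tls_inspector read the PROXY bytes first. Move the commented block above the tls_inspector item, i.e. start the list with `# - name: envoy.filters.listener.proxy_protocol` / `#   typed_config:` / `#     "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol` followed by the existing tls_inspector entry, and extend the comment to say it must be listed before any other listener filter. This is a best-practices document that users copy verbatim, so the ordering matters more here than in the other configs in this commit, none of which show another listener filter.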
@@ -322,7 +322,7 @@ The following command operators are supported: .. note:: This may not be the physical remote address of the peer if the address has been inferred from - :ref:`proxy proto ` or :ref:`x-forwarded-for + :ref:`Proxy Protocol filter ` or :ref:`x-forwarded-for `. %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% @@ -332,7 +332,7 @@ The following command operators are supported: .. note:: This may not be the physical remote address of the peer if the address has been inferred from - :ref:`proxy proto ` or :ref:`x-forwarded-for + :ref:`Proxy Protocol filter ` or :ref:`x-forwarded-for `. %DOWNSTREAM_DIRECT_REMOTE_ADDRESS% @@ -342,7 +342,7 @@ The following command operators are supported: .. note:: This is always the physical remote address of the peer even if the downstream remote address has - been inferred from :ref:`proxy proto ` + been inferred from :ref:`Proxy Protocol filter ` or :ref:`x-forwarded-for `. %DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT% @@ -352,7 +352,7 @@ The following command operators are supported: .. note:: This is always the physical remote address of the peer even if the downstream remote address has - been inferred from :ref:`proxy proto ` + been inferred from :ref:`Proxy Protocol filter ` or :ref:`x-forwarded-for `. %DOWNSTREAM_LOCAL_ADDRESS% diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index cec10207a5b3..8323dc1d8dc4 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -104,6 +104,7 @@ Deprecated * compression: the fields :ref:`content_length `, :ref:`content_type `, :ref:`disable_on_etag_header `, :ref:`remove_accept_encoding_header ` and :ref:`runtime_enabled ` of the :ref:`Compressor ` message have been deprecated in favor of :ref:`response_direction_config `. * formatter: :ref:`text_format ` is now deprecated in favor of :ref:`text_format_source `. To migrate existing text format strings, use the :ref:`inline_string ` field. * gzip: :ref:`HTTP Gzip filter ` is rejected now unless explicitly allowed with :ref:`runtime override ` `envoy.deprecated_features.allow_deprecated_gzip_http_filter` set to `true`. +* listener: :ref:`use_proxy_proto ` has been deprecated in favor of adding a :ref:`PROXY protocol listener filter ` explicitly. * logging: the `--log-format-prefix-with-location` option is removed. * ratelimit: the :ref:`dynamic metadata ` action is deprecated in favor of the more generic :ref:`metadata ` action. * stats: the `--use-fake-symbol-table` option is removed. diff --git a/generated_api_shadow/envoy/config/listener/v3/listener_components.proto b/generated_api_shadow/envoy/config/listener/v3/listener_components.proto index cb44a81459d2..907f25b66304 100644 --- a/generated_api_shadow/envoy/config/listener/v3/listener_components.proto +++ b/generated_api_shadow/envoy/config/listener/v3/listener_components.proto @@ -215,7 +215,11 @@ message FilterChain { // load balancers including the AWS ELB support this option. If the option is // absent or set to false, Envoy will use the physical peer address of the // connection as the remote address. - google.protobuf.BoolValue use_proxy_proto = 4; + // + // This field is deprecated. Add a + // :ref:`PROXY protocol listener filter ` + // explicitly instead. + google.protobuf.BoolValue use_proxy_proto = 4 [deprecated = true]; // [#not-implemented-hide:] filter chain metadata. core.v3.Metadata metadata = 5; 
diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto b/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto index e7fe84482475..7cc1956a1b42 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto @@ -222,7 +222,11 @@ message FilterChain { // load balancers including the AWS ELB support this option. If the option is // absent or set to false, Envoy will use the physical peer address of the // connection as the remote address. - google.protobuf.BoolValue use_proxy_proto = 4; + // + // This field is deprecated. Add a + // :ref:`PROXY protocol listener filter ` + // explicitly instead. + google.protobuf.BoolValue hidden_envoy_deprecated_use_proxy_proto = 4 [deprecated = true]; // [#not-implemented-hide:] filter chain metadata. core.v4alpha.Metadata metadata = 5; diff --git a/test/server/listener_manager_impl_test.cc b/test/server/listener_manager_impl_test.cc index 1d5da4a8eeab..178ed3dfcf1e 100644 --- a/test/server/listener_manager_impl_test.cc +++ b/test/server/listener_manager_impl_test.cc @@ -4745,7 +4745,7 @@ TEST_F(ListenerManagerImplForInPlaceFilterChainUpdateTest, } TEST_F(ListenerManagerImplForInPlaceFilterChainUpdateTest, - TraditionalUpdateIfImplicitProxyProtocolChanges) { + DEPRECATED_FEATURE_TEST(TraditionalUpdateIfImplicitProxyProtocolChanges)) { EXPECT_CALL(*worker_, start(_)); manager_->startWorkers(guard_dog_);