listener: deprecate use_proxy_proto

api/envoy/config/listener/v3/listener_components.proto

@@ -218,7 +218,11 @@ message FilterChain {
  // load balancers including the AWS ELB support this option. If the option is
  // absent or set to false, Envoy will use the physical peer address of the
  // connection as the remote address.
- google.protobuf.BoolValue use_proxy_proto = 4;
+ //
+ // This field is deprecated. Add a
+ // :ref:`PROXY protocol listener filter <config_listener_filters_proxy_protocol>`
+ // explicitly instead.
+ google.protobuf.BoolValue use_proxy_proto = 4 [deprecated = true];
 
  // [#not-implemented-hide:] filter chain metadata.
  core.v3.Metadata metadata = 5;

configs/envoy_double_proxy.template.yaml

@@ -5,6 +5,12 @@
  protocol: {{protocol}}
  address: {{address}}
  port_value: {{port_value}}
+ {% if proxy_proto %}
+ listener_filters:
+ - name: envoy.filters.listener.proxy_protocol
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+ {% endif %}
  filter_chains:
  - filter_chain_match: {}
  {% if tls %}
@@ -23,9 +29,6 @@
  - h2
  - http/1.1
  {% endif %}
- {% if proxy_proto %}
- use_proxy_proto: true
- {%endif -%}
  filters:
  - name: envoy.filters.network.http_connection_manager
  typed_config:

configs/envoy_front_proxy.template.yaml

@@ -7,6 +7,12 @@
  protocol: {{protocol}}
  address: {{address}}
  port_value: {{port_value}}
+ {% if proxy_proto %}
+ listener_filters:
+ - name: envoy.filters.listener.proxy_protocol
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+ {% endif %}
  filter_chains:
  {% if tls %}
  - transport_socket:
@@ -28,9 +34,6 @@
  #double proxy configuration.
  verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000"
  {% endif %}
- {%if proxy_proto%}
- use_proxy_proto: true
- {%endif%}
  {%endif %}
  filters:
  - name: envoy.filters.network.http_connection_manager

configs/google-vrp/envoy-edge.yaml

@@ -27,6 +27,11 @@ static_resources:
  address: 0.0.0.0
  port_value: 10000
  per_connection_buffer_limit_bytes: 32768 # 32 KiB
+ # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
+ # listener_filters:
+ # - name: envoy.filters.listener.proxy_protocol
+ # typed_config:
+ # "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
  filter_chains:
  - transport_socket:
  name: envoy.transport_sockets.tls
@@ -36,8 +41,6 @@ static_resources:
  tls_certificates:
  - certificate_chain: { filename: "certs/servercert.pem" }
  private_key: { filename: "certs/serverkey.pem" }
- # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
- # use_proxy_proto: true
  filters:
  - name: envoy.filters.network.http_connection_manager
  typed_config:

docs/root/configuration/best_practices/_include/edge.yaml

@@ -34,6 +34,10 @@ static_resources:
  listener_filters:
  - name: "envoy.filters.listener.tls_inspector"
  typed_config: {}
+ # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
+ # - name: envoy.filters.listener.proxy_protocol
+ # typed_config:
+ # "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
  per_connection_buffer_limit_bytes: 32768 # 32 KiB
  filter_chains:
  - filter_chain_match:
@@ -46,8 +50,6 @@ static_resources:
  tls_certificates:
  - certificate_chain: { filename: "certs/servercert.pem" }
  private_key: { filename: "certs/serverkey.pem" }
- # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
- # use_proxy_proto: true
  filters:
  - name: envoy.filters.network.http_connection_manager
  typed_config:

docs/root/configuration/http/http_conn_man/headers.rst

@@ -506,7 +506,7 @@ Supported variable names are:
  .. note::
 
  This may not be the physical remote address of the peer if the address has been inferred from
- :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>` or :ref:`x-forwarded-for
+ :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>` or :ref:`x-forwarded-for
  <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%

docs/root/configuration/observability/access_log/usage.rst

@@ -322,7 +322,7 @@ The following command operators are supported:
  .. note::
 
  This may not be the physical remote address of the peer if the address has been inferred from
- :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>` or :ref:`x-forwarded-for
+ :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>` or :ref:`x-forwarded-for
  <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%
@@ -332,7 +332,7 @@ The following command operators are supported:
  .. note::
 
  This may not be the physical remote address of the peer if the address has been inferred from
- :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>` or :ref:`x-forwarded-for
+ :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>` or :ref:`x-forwarded-for
  <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_DIRECT_REMOTE_ADDRESS%
@@ -342,7 +342,7 @@ The following command operators are supported:
  .. note::
 
  This is always the physical remote address of the peer even if the downstream remote address has
- been inferred from :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>`
+ been inferred from :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>`
  or :ref:`x-forwarded-for <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT%
@@ -352,7 +352,7 @@ The following command operators are supported:
  .. note::
 
  This is always the physical remote address of the peer even if the downstream remote address has
- been inferred from :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>`
+ been inferred from :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>`
  or :ref:`x-forwarded-for <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_LOCAL_ADDRESS%

docs/root/version_history/current.rst

@@ -95,6 +95,7 @@ Deprecated
 * cluster: HTTP configuration for upstream clusters has beem reworked. HTTP-specific configuration is now done in the new :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message, configured via the cluster's :ref:`extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`. This replaces explicit HTTP configuration in cluster config, including :ref:`upstream_http_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.upstream_http_protocol_options>` :ref:`common_http_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.common_http_protocol_options>` :ref:`http_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.http_protocol_options>` :ref:`http2_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.http2_protocol_options>` and :ref:`protocol_selection<envoy_v3_api_field_config.cluster.v3.Cluster.protocol_selection>`. Examples of before-and-after configuration can be found in the :ref:`http_protocol_options docs <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` and all of Envoy's example configurations have been updated to the new style of config.
 * compression: the fields :ref:`content_length <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.content_length>`, :ref:`content_type <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.content_type>`, :ref:`disable_on_etag_header <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.disable_on_etag_header>`, :ref:`remove_accept_encoding_header <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.remove_accept_encoding_header>` and :ref:`runtime_enabled <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.runtime_enabled>` of the :ref:`Compressor <envoy_v3_api_msg_extensions.filters.http.compressor.v3.Compressor>` message have been deprecated in favor of :ref:`response_direction_config <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.response_direction_config>`.
 * gzip: :ref:`HTTP Gzip filter <config_http_filters_gzip>` is rejected now unless explicitly allowed with :ref:`runtime override <config_runtime_deprecation>` `envoy.deprecated_features.allow_deprecated_gzip_http_filter` set to `true`.
+* listener: :ref:`use_proxy_proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>` has been deprecated in favor of adding a :ref:`PROXY protocol listener filter <config_listener_filters_proxy_protocol>` explicitly.
 * logging: the `--log-format-prefix-with-location` option is removed.
 * ratelimit: the :ref:`dynamic metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.dynamic_metadata>` action is deprecated in favor of the more generic :ref:`metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.metadata>` action.
 * stats: the `--use-fake-symbol-table` option is removed.

test/server/listener_manager_impl_test.cc

@@ -4714,7 +4714,7 @@ TEST_F(ListenerManagerImplForInPlaceFilterChainUpdateTest,
 }
 
 TEST_F(ListenerManagerImplForInPlaceFilterChainUpdateTest,
- TraditionalUpdateIfImplicitProxyProtocolChanges) {
+ DEPRECATED_FEATURE_TEST(TraditionalUpdateIfImplicitProxyProtocolChanges)) {
 
  EXPECT_CALL(*worker_, start(_));
  manager_->startWorkers(guard_dog_);