-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proxy_protocol_filter: Add configuration to match only specific proxy protocol versions, new stats #32861
proxy_protocol_filter: Add configuration to match only specific proxy protocol versions, new stats #32861
Conversation
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
/review @fzhong-connect |
nareddyt is not a collaborator, thus allowed to assign users. |
source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc
Outdated
Show resolved
Hide resolved
source/extensions/filters/listener/proxy_protocol/proxy_protocol.h
Outdated
Show resolved
Hide resolved
source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc
Outdated
Show resolved
Hide resolved
source/extensions/filters/listener/proxy_protocol/proxy_protocol.h
Outdated
Show resolved
Hide resolved
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
api/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
Outdated
Show resolved
Hide resolved
api/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
Outdated
Show resolved
Hide resolved
@markdroth or @envoyproxy/api-shepherds PTAL, we have a question for you in the comments. |
PTAL |
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Ready for review @ggreenway |
/retest |
1 similar comment
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/wait
docs/root/configuration/listeners/listener_filters/proxy_protocol.rst
Outdated
Show resolved
Hide resolved
docs/root/configuration/listeners/listener_filters/proxy_protocol.rst
Outdated
Show resolved
Hide resolved
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
/retest |
Ready for review @ggreenway . Not sure how to re-run the flaky CI failure |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This mostly LGTM, aside from these small details.
I'm going to be out for awhile starting tomorrow, so one of the other maintainers will need to finish review of this and get it merged.
/wait
source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc
Outdated
Show resolved
Hide resolved
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Thanks @ggreenway . If you have time, feel free to review today. Slightly worried Github may not let other reviewers merge as the status checks say:
But no worries if you have taken off already, I can ping other reviewers tomorrow. Thanks for the thorough feedback! |
/retest |
… protocol versions, new stats (envoyproxy#32861) --------- Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
… protocol versions, new stats (envoyproxy#32861) --------- Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
… protocol versions, new stats (envoyproxy#32861) --------- Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
…ation (#34414) Commit Message: proxy_protocol_filter: Add field stat_prefix to the filter configuration Additional Description: This field allows for differentiating statistics when multiple proxy protocol listener filters are configured. This PR is a follow-up from previous conversation: #32861 (comment) Risk Level: Low All client-facing behavior changes are guarded by new filter config field. Testing: Stats unit tests Proxy protocol listener filter integration tests Docs Changes: Done Release Notes: Done Platform Specific Features: None Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
…ation (envoyproxy#34414) Commit Message: proxy_protocol_filter: Add field stat_prefix to the filter configuration Additional Description: This field allows for differentiating statistics when multiple proxy protocol listener filters are configured. This PR is a follow-up from previous conversation: envoyproxy#32861 (comment) Risk Level: Low All client-facing behavior changes are guarded by new filter config field. Testing: Stats unit tests Proxy protocol listener filter integration tests Docs Changes: Done Release Notes: Done Platform Specific Features: None Signed-off-by: Teju Nareddy <tnareddy@confluent.io>
Commit Message:
proxy_protocol_filter: Configuration to match only specific proxy protocol versions, new stats
Additional Description:
Currently the Proxy Protocol Listener filter will try to match incoming connections against both proxy protocol v1 and v2 signatures. While this is convenient, it:
allow_requests_without_proxy_protocol
is enabled) Increases the chance of signature conflicts between proxy protocol v1 requests and non-proxy protocol requests.This change adds a new config option
disallowed_versions
that scopes down the set of proxy protocol versions that the filter matches. The configuration is optional and defaults to current behavior when not specified.This change also adds new statistics per matched proxy protocol version. See doc update for details.
Pre-existing stat
downstream_cx_proxy_proto_error
is kept at it's own scope for backwards-compatibility.Risk Level: Low
Testing:
Docs Changes:
Updated proto and filter docs
Release Notes:
Updated
Platform Specific Features:
N/A
Fixes #32425