options.proto
Package: gloo.solo.io
Types:
- ListenerOptions
- ConnectionBalanceConfig
- ExactBalance
- RouteConfigurationOptions
- HttpListenerOptions
- TcpListenerOptions
- VirtualHostOptions
- RouteOptions
- MaxStreamDuration
- DestinationSpec
- WeightedDestinationOptions
Source File: github.com/solo-io/gloo/projects/gloo/api/v1/options.proto
ListenerOptions
Optional, feature-specific configuration that lives on gateways. Each ListenerOption object contains configuration for a specific feature. Note to developers: new Listener plugins must be added to this struct to be usable by Gloo (plugins currently need to be compiled into Gloo).
"accessLoggingService": .als.options.gloo.solo.io.AccessLoggingService
"extensions": .gloo.solo.io.Extensions
"perConnectionBufferLimitBytes": .google.protobuf.UInt32Value
"socketOptions": []solo.io.envoy.api.v2.core.SocketOption
"proxyProtocol": .proxy_protocol.options.gloo.solo.io.ProxyProtocol
"connectionBalanceConfig": .gloo.solo.io.ConnectionBalanceConfig
"listenerAccessLoggingService": .als.options.gloo.solo.io.AccessLoggingService
Field | Type | Description |
---|---|---|
accessLoggingService | .als.options.gloo.solo.io.AccessLoggingService | Configuration for access logging in a filter like the HttpConnectionManager. |
extensions | .gloo.solo.io.Extensions | Extensions will be passed along from Listeners, Gateways, VirtualServices, Routes, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml. Some sample use cases: * controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata. * In the future, Gloo may support gRPC-based plugins which communicate with the Gloo translator out-of-process. Opaque Extensions enables development of out-of-process plugins without requiring recompiling & redeploying Gloo’s API. |
perConnectionBufferLimitBytes | .google.protobuf.UInt32Value | Soft limit on size of the listener’s new connection read and write buffers. If unspecified, defaults to 1MiB. For more info, check out the Envoy docs. |
socketOptions | []solo.io.envoy.api.v2.core.SocketOption | Additional socket options that may not be present in Envoy source code or precompiled binaries. |
proxyProtocol | .proxy_protocol.options.gloo.solo.io.ProxyProtocol | Enable ProxyProtocol support for this listener. |
connectionBalanceConfig | .gloo.solo.io.ConnectionBalanceConfig | Configuration for listener connection balancing. |
listenerAccessLoggingService | .als.options.gloo.solo.io.AccessLoggingService | If enabled this sets up an early access logging service for the listener. Added initially to support listener level logging for HTTP listeners. For more info see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log. |
ConnectionBalanceConfig
Configuration for listener connection balancing.
"exactBalance": .gloo.solo.io.ConnectionBalanceConfig.ExactBalance
Field | Type | Description |
---|---|---|
exactBalance | .gloo.solo.io.ConnectionBalanceConfig.ExactBalance | |
ExactBalance
A connection balancer implementation that does exact balancing. This means that a lock is held during balancing so that connection counts are nearly exactly balanced between worker threads. This is “nearly” exact in the sense that a connection might close in parallel thus making the counts incorrect, but this should be rectified on the next accept. This balancer sacrifices accept throughput for accuracy and should be used when there are a small number of connections that rarely cycle (e.g., service mesh gRPC egress).
Field | Type | Description |
---|---|---|
RouteConfigurationOptions
"maxDirectResponseBodySizeBytes": .google.protobuf.UInt32Value
"mostSpecificHeaderMutationsWins": .google.protobuf.BoolValue
Field | Type | Description |
---|---|---|
maxDirectResponseBodySizeBytes | .google.protobuf.UInt32Value | The maximum size, in bytes, of the direct response body. If not specified the default is 4096. Please refer to the Envoy documentation for more details about the max_direct_response_body_size_bytes attribute. |
mostSpecificHeaderMutationsWins | .google.protobuf.BoolValue | By default, headers that should be added/removed are evaluated from most to least specific. To allow setting overrides at the route or virtual host level, this order can be reversed by setting this option to true. Refer to the Envoy documentation for more details. |
HttpListenerOptions
Optional, feature-specific configuration that lives on HTTP listeners.
"grpcWeb": .grpc_web.options.gloo.solo.io.GrpcWeb
"httpConnectionManagerSettings": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings
"healthCheck": .healthcheck.options.gloo.solo.io.HealthCheck
"extensions": .gloo.solo.io.Extensions
"waf": .waf.options.gloo.solo.io.Settings
"dlp": .dlp.options.gloo.solo.io.FilterConfig
"wasm": .wasm.options.gloo.solo.io.PluginSource
"extauth": .enterprise.gloo.solo.io.Settings
"ratelimitServer": .ratelimit.options.gloo.solo.io.Settings
"caching": .caching.options.gloo.solo.io.Settings
"disableExtProc": .google.protobuf.BoolValue
"extProc": .extproc.options.gloo.solo.io.Settings
"gzip": .solo.io.envoy.config.filter.http.gzip.v2.Gzip
"proxyLatency": .envoy.config.filter.http.proxylatency.v2.ProxyLatency
"buffer": .solo.io.envoy.extensions.filters.http.buffer.v3.Buffer
"csrf": .solo.io.envoy.extensions.filters.http.csrf.v3.CsrfPolicy
"grpcJsonTranscoder": .grpc_json.options.gloo.solo.io.GrpcJsonTranscoder
"sanitizeClusterHeader": .google.protobuf.BoolValue
"leftmostXffAddress": .google.protobuf.BoolValue
"dynamicForwardProxy": .dfp.options.gloo.solo.io.FilterConfig
"connectionLimit": .connection_limit.options.gloo.solo.io.ConnectionLimit
"networkLocalRatelimit": .local_ratelimit.options.gloo.solo.io.TokenBucket
"httpLocalRatelimit": .local_ratelimit.options.gloo.solo.io.Settings
"router": .gloo.solo.io.Router
"tap": .tap.options.gloo.solo.io.Tap
"statefulSession": .stateful_session.options.gloo.solo.io.StatefulSession
"headerValidationSettings": .header_validation.options.gloo.solo.io.HeaderValidationSettings
Field | Type | Description |
---|---|---|
grpcWeb | .grpc_web.options.gloo.solo.io.GrpcWeb | |
httpConnectionManagerSettings | .hcm.options.gloo.solo.io.HttpConnectionManagerSettings | |
healthCheck | .healthcheck.options.gloo.solo.io.HealthCheck | Enable Envoy health checks on this listener. |
extensions | .gloo.solo.io.Extensions | Extensions will be passed along from Listeners, Gateways, VirtualServices, Routes, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml. Some sample use cases: * controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata. * In the future, Gloo may support gRPC-based plugins which communicate with the Gloo translator out-of-process. Opaque Extensions enables development of out-of-process plugins without requiring recompiling & redeploying Gloo’s API. |
waf | .waf.options.gloo.solo.io.Settings | Enterprise-only: Config for Web Application Firewall (WAF), supporting the popular ModSecurity 3.0 ruleset. |
dlp | .dlp.options.gloo.solo.io.FilterConfig | Enterprise-only: Config for data loss prevention. |
wasm | .wasm.options.gloo.solo.io.PluginSource | Enterprise-only: WASM related configuration [experimental!]. |
extauth | .enterprise.gloo.solo.io.Settings | Enterprise-only: External auth related settings. |
ratelimitServer | .ratelimit.options.gloo.solo.io.Settings | Enterprise-only: Settings for the rate limiting server itself. |
caching | .caching.options.gloo.solo.io.Settings | Enterprise-only: Settings for the cache server itself. |
disableExtProc | .google.protobuf.BoolValue | Enterprise-only: Set to true to disable the External Processing filter for this listener. This can be overridden by child VirtualHostOptions or RouteOptions. Only one of disableExtProc or extProc can be set. |
extProc | .extproc.options.gloo.solo.io.Settings | Enterprise-only: External Processing filter settings for the listener. This can be used to override the defaults from the global settings (via shallow merge). Some of the settings on the listener can be overridden by child VirtualHostOptions or RouteOptions. Only one of extProc or disableExtProc can be set. |
gzip | .solo.io.envoy.config.filter.http.gzip.v2.Gzip | Gzip is an HTTP option which enables Gloo to compress data returned from an upstream service upon client request. Compression is useful in situations where large payloads need to be transmitted without compromising the response time. Example: `gzip: {contentType: ["application/json"], compressionLevel: BEST}`. |
proxyLatency | .envoy.config.filter.http.proxylatency.v2.ProxyLatency | Enterprise-only: Proxy latency. |
buffer | .solo.io.envoy.extensions.filters.http.buffer.v3.Buffer | Buffer can be used to set the maximum request size that the filter will buffer before the connection manager will stop buffering and return a 413 response. |
csrf | .solo.io.envoy.extensions.filters.http.csrf.v3.CsrfPolicy | Csrf can be used to set the percentage of requests for which the CSRF filter is enabled, to enable shadow-only mode (where policies are evaluated and tracked, but not enforced), and to add additional source origins that will be allowed in addition to the destination origin. For more, see https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/csrf/v2/csrf.proto. |
grpcJsonTranscoder | .grpc_json.options.gloo.solo.io.GrpcJsonTranscoder | Exposed Envoy config for the gRPC to JSON transcoding filter, envoy.filters.http.grpc_json_transcoder. For more, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto. |
sanitizeClusterHeader | .google.protobuf.BoolValue | Enterprise-only: If using the HTTP header specified by cluster_header to direct traffic to a cluster, this option will sanitize that header from downstream traffic. Defaults to false. |
leftmostXffAddress | .google.protobuf.BoolValue | Enterprise-only: Setting this value to true will grab the leftmost IP address from the x-forwarded-for header and set it as the downstream address. It is worth noting that the x-forwarded-for header can be tampered with by clients and should therefore be sanitized by any preceding proxies / load balancers if this option is to be used. |
dynamicForwardProxy | .dfp.options.gloo.solo.io.FilterConfig | |
connectionLimit | .connection_limit.options.gloo.solo.io.ConnectionLimit | ConnectionLimit can be used to limit the number of active connections per gateway. Useful for resource protection as well as DoS prevention. |
networkLocalRatelimit | .local_ratelimit.options.gloo.solo.io.TokenBucket | NetworkLocalRatelimit can be used to rate limit the connections per gateway at the L4 layer and works pre-auth. It uses Envoy’s own local rate limit filter to do so, without the need for an external rate limit server to be set up. |
httpLocalRatelimit | .local_ratelimit.options.gloo.solo.io.Settings | HttpLocalRatelimit can be used to rate limit the number of requests per gateway and works pre-auth. Unlike the NetworkLocalRatelimit, this works as part of the HCM (i.e., the L7 layer). All virtual hosts and routes that are part of this gateway will share this rate limit unless explicitly configured with another limit. It uses Envoy’s own local rate limit filter to do so, without the need for an external rate limit server to be set up. |
router | .gloo.solo.io.Router | Router is an extension of the Envoy HTTP filters. Maps to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto. |
tap | .tap.options.gloo.solo.io.Tap | Enterprise-only: Tap filter settings (experimental). |
statefulSession | .stateful_session.options.gloo.solo.io.StatefulSession | Enterprise-only: Listener-level stateful session settings. |
headerValidationSettings | .header_validation.options.gloo.solo.io.HeaderValidationSettings | Header validation settings - fields in this message can be used to determine whether requests should be rejected based on the contents of the header. |
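
The caveat on leftmostXffAddress, as an added example (not Gloo or Envoy code): a small model of an edge proxy in front of the gateway, showing which address ends up leftmost when the edge appends to the client's x-forwarded-for versus when it overwrites it. All function names are hypothetical and the addresses are constructed from the RFC 5737 documentation ranges; the fallback to the socket peer is an assumption of the model.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Hypothetical model of header handling in a proxy chain; not Gloo or Envoy source.
EdgePolicy = Callable[[Optional[str], str], str]


def split_xff(value: Optional[str]) -> List[str]:
    """Split an x-forwarded-for value into its comma-separated entries."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def edge_append(client_xff: Optional[str], peer_ip: str) -> str:
    """Edge proxy that keeps whatever the client sent and appends the peer address."""
    return ", ".join(split_xff(client_xff) + [peer_ip])


def edge_overwrite(client_xff: Optional[str], peer_ip: str) -> str:
    """Edge proxy that sanitizes: the client-supplied header is discarded."""
    return peer_ip


def leftmost_address(xff: Optional[str], socket_peer: str) -> str:
    """Address a leftmost-XFF policy would treat as the downstream address.

    Assumption of this model: fall back to the socket peer when the header
    is empty or its first entry is not a valid IP address.
    """
    entries = split_xff(xff)
    if not entries:
        return socket_peer
    try:
        return str(ipaddress.ip_address(entries[0]))
    except ValueError:
        return socket_peer


def downstream_seen_by_gateway(edge_policy: EdgePolicy, client_ip: str,
                               client_xff: Optional[str], edge_ip: str) -> Tuple[str, str]:
    """Pass one request through the edge; return (forwarded XFF, downstream address)."""
    forwarded = edge_policy(client_xff, client_ip)
    return forwarded, leftmost_address(forwarded, socket_peer=edge_ip)


def leftmost_is_client_controlled(edge_policy: EdgePolicy, client_ip: str, edge_ip: str) -> bool:
    """True when a value the client put in its own header becomes the downstream address."""
    probe = "192.0.2.99"  # constructed marker address
    _, seen = downstream_seen_by_gateway(edge_policy, client_ip, probe, edge_ip)
    return seen == probe


# Constructed sample values.
CLIENT_IP = "203.0.113.7"       # real peer address of the client
EDGE_IP = "198.51.100.2"        # load balancer in front of the gateway
CLIENT_SENT_XFF = "192.0.2.10"  # header value supplied by the client

if __name__ == "__main__":
    for policy in (edge_append, edge_overwrite):
        xff, seen = downstream_seen_by_gateway(policy, CLIENT_IP, CLIENT_SENT_XFF, EDGE_IP)
        controlled = leftmost_is_client_controlled(policy, CLIENT_IP, EDGE_IP)
        print(f"{policy.__name__}: xff={xff!r} downstream={seen} client_controlled={controlled}")
```

Only the overwriting edge makes the leftmost entry the client's real peer address; with an appending edge, any rate limit, access log or allow-list keyed on the downstream address uses a value the client chose.
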
TcpListenerOptions
Optional, feature-specific configuration that lives on TCP listeners.
"tcpProxySettings": .tcp.options.gloo.solo.io.TcpProxySettings
"connectionLimit": .connection_limit.options.gloo.solo.io.ConnectionLimit
"localRatelimit": .local_ratelimit.options.gloo.solo.io.TokenBucket
Field | Type | Description |
---|---|---|
tcpProxySettings | .tcp.options.gloo.solo.io.TcpProxySettings | |
connectionLimit | .connection_limit.options.gloo.solo.io.ConnectionLimit | ConnectionLimit can be used to limit the number of active connections per gateway. Useful for resource protection as well as DoS prevention. |
localRatelimit | .local_ratelimit.options.gloo.solo.io.TokenBucket | LocalRatelimit can be used to rate limit the connections per gateway at the L4 layer. It uses Envoy’s own local rate limit filter to do so, without the need for an external rate limit server to be set up. |
VirtualHostOptions
Optional, feature-specific configuration that lives on virtual hosts. Each VirtualHostOptions object contains configuration for a specific feature. Note to developers: new Virtual Host plugins must be added to this struct to be usable by Gloo (plugins currently need to be compiled into Gloo).
"extensions": .gloo.solo.io.Extensions
"retries": .retries.options.gloo.solo.io.RetryPolicy
"stats": .stats.options.gloo.solo.io.Stats
"headerManipulation": .headers.options.gloo.solo.io.HeaderManipulation
"cors": .cors.options.gloo.solo.io.CorsPolicy
"transformations": .transformation.options.gloo.solo.io.Transformations
"ratelimitBasic": .ratelimit.options.gloo.solo.io.IngressRateLimit
"ratelimitEarly": .ratelimit.options.gloo.solo.io.RateLimitVhostExtension
"rateLimitEarlyConfigs": .ratelimit.options.gloo.solo.io.RateLimitConfigRefs
"ratelimit": .ratelimit.options.gloo.solo.io.RateLimitVhostExtension
"rateLimitConfigs": .ratelimit.options.gloo.solo.io.RateLimitConfigRefs
"ratelimitRegular": .ratelimit.options.gloo.solo.io.RateLimitVhostExtension
"rateLimitRegularConfigs": .ratelimit.options.gloo.solo.io.RateLimitConfigRefs
"waf": .waf.options.gloo.solo.io.Settings
"jwt": .jwt.options.gloo.solo.io.VhostExtension
"jwtStaged": .jwt.options.gloo.solo.io.JwtStagedVhostExtension
"rbac": .rbac.options.gloo.solo.io.ExtensionSettings
"extauth": .enterprise.gloo.solo.io.ExtAuthExtension
"dlp": .dlp.options.gloo.solo.io.Config
"bufferPerRoute": .solo.io.envoy.extensions.filters.http.buffer.v3.BufferPerRoute
"csrf": .solo.io.envoy.extensions.filters.http.csrf.v3.CsrfPolicy
"includeRequestAttemptCount": .google.protobuf.BoolValue
"includeAttemptCountInResponse": .google.protobuf.BoolValue
"stagedTransformations": .transformation.options.gloo.solo.io.TransformationStages
"extProc": .extproc.options.gloo.solo.io.RouteSettings
Field | Type | Description |
---|---|---|
extensions | .gloo.solo.io.Extensions | Extensions will be passed along from Listeners, Gateways, VirtualServices, Routes, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml. Some sample use cases: * controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata. * In the future, Gloo may support gRPC-based plugins which communicate with the Gloo translator out-of-process. Opaque Extensions enables development of out-of-process plugins without requiring recompiling & redeploying Gloo’s API. |
retries | .retries.options.gloo.solo.io.RetryPolicy | |
stats | .stats.options.gloo.solo.io.Stats | |
headerManipulation | .headers.options.gloo.solo.io.HeaderManipulation | Append/Remove headers on Requests or Responses on all routes contained in this Virtual Host. |
cors | .cors.options.gloo.solo.io.CorsPolicy | Defines a CORS policy for the virtual host. If a CORS policy is also defined on the route matched by the request, the policies are merged. |
transformations | .transformation.options.gloo.solo.io.Transformations | Transformations to apply. Note: this field is superseded by staged_transformations. If staged_transformations.regular is set, this field will be ignored. |
ratelimitBasic | .ratelimit.options.gloo.solo.io.IngressRateLimit | Enterprise-only: Config for GlooE rate-limiting using simplified (gloo-specific) API. |
ratelimitEarly | .ratelimit.options.gloo.solo.io.RateLimitVhostExtension | Enterprise-only: Partial config for GlooE rate-limiting based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit actions here, which define how request characteristics get translated into descriptors used by the rate-limit service for rate-limiting. Configure rate-limit descriptors and their associated limits on the Gloo settings. Only one of ratelimitEarly or rateLimitEarlyConfigs can be set. |
rateLimitEarlyConfigs | .ratelimit.options.gloo.solo.io.RateLimitConfigRefs | References to RateLimitConfig resources. This is used to configure the GlooE rate limit server. Only one of rateLimitEarlyConfigs or ratelimitEarly can be set. |
ratelimit | .ratelimit.options.gloo.solo.io.RateLimitVhostExtension | Enterprise-only: Partial config for GlooE rate-limiting based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit actions here, which define how request characteristics get translated into descriptors used by the rate-limit service for rate-limiting. Configure rate-limit descriptors and their associated limits on the Gloo settings. Only one of ratelimit or rateLimitConfigs can be set. |
rateLimitConfigs | .ratelimit.options.gloo.solo.io.RateLimitConfigRefs | References to RateLimitConfig resources. This is used to configure the GlooE rate limit server. Only one of rateLimitConfigs or ratelimit can be set. |
ratelimitRegular | .ratelimit.options.gloo.solo.io.RateLimitVhostExtension | Enterprise-only: Partial config for GlooE rate-limiting based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit actions here, which define how request characteristics get translated into descriptors used by the rate-limit service for rate-limiting. Configure rate-limit descriptors and their associated limits on the Gloo settings. Only one of ratelimitRegular or rateLimitRegularConfigs can be set. |
rateLimitRegularConfigs | .ratelimit.options.gloo.solo.io.RateLimitConfigRefs | References to RateLimitConfig resources. This is used to configure the GlooE rate limit server. Only one of rateLimitRegularConfigs or ratelimitRegular can be set. |
waf | .waf.options.gloo.solo.io.Settings | Enterprise-only: Config for Web Application Firewall (WAF), supporting the popular ModSecurity 3.0 ruleset. |
jwt | .jwt.options.gloo.solo.io.VhostExtension | Enterprise-only: Config for reading and verifying JWTs. Copy verifiable information from JWTs into other headers to make routing decisions or combine with RBAC for fine-grained access control. This has been deprecated in favor of staged jwt. The same configuration can be achieved through staged jwt using AfterExtAuth. Only one of jwt or jwtStaged can be set. |
jwtStaged | .jwt.options.gloo.solo.io.JwtStagedVhostExtension | Enterprise-only: Config for reading and verifying JWTs. Copy verifiable information from JWTs into other headers to make routing decisions or combine with RBAC for fine-grained access control. JWT configuration has stages “BeforeExtAuth” and “AfterExtAuth”. BeforeExtAuth JWT validation runs before the external authentication service. This is useful when JWT is used in conjunction with other auth mechanisms specified in the boolean expression Extauth API. AfterExtAuth validation runs after external authentication service, which is useful for verifying JWTs obtained during extauth (e.g. oauth/oidc). Only one of jwtStaged or jwt can be set. |
rbac | .rbac.options.gloo.solo.io.ExtensionSettings | Enterprise-only: Config for RBAC (currently only supports RBAC based on JWT claims). |
extauth | .enterprise.gloo.solo.io.ExtAuthExtension | Enterprise-only: Authentication configuration. |
dlp | .dlp.options.gloo.solo.io.Config | Enterprise-only: Config for data loss prevention. |
bufferPerRoute | .solo.io.envoy.extensions.filters.http.buffer.v3.BufferPerRoute | BufferPerRoute can be used to set the maximum request size that the filter will buffer before the connection manager will stop buffering and return a 413 response. Note: If you have not set a global config (at the gateway level), this override will not do anything by itself. |
csrf | .solo.io.envoy.extensions.filters.http.csrf.v3.CsrfPolicy | Csrf can be used to set the percentage of requests for which the CSRF filter is enabled, to enable shadow-only mode (where policies are evaluated and tracked, but not enforced), and to add additional source origins that will be allowed in addition to the destination origin. For more, see https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/csrf/v2/csrf.proto. |
includeRequestAttemptCount | .google.protobuf.BoolValue | IncludeRequestAttemptCount decides whether the x-envoy-attempt-count header should be included in the upstream request. Setting this option will cause it to override any existing header value, so in the case of two Envoys on the request path with this option enabled, the upstream will see the attempt count as perceived by the second Envoy. Defaults to false. |
includeAttemptCountInResponse | .google.protobuf.BoolValue | IncludeAttemptCountInResponse decides whether the x-envoy-attempt-count header should be included in the downstream response. Setting this option will cause the router to override any existing header value, so in the case of two Envoys on the request path with this option enabled, the downstream will see the attempt count as perceived by the Envoy closest upstream from itself. Defaults to false. |
stagedTransformations | .transformation.options.gloo.solo.io.TransformationStages | Early transformations stage. These transformations run before most other options are processed. If the regular field is set in here, the transformations field is ignored. |
extProc | .extproc.options.gloo.solo.io.RouteSettings | Enterprise-only: External Processing filter settings for the virtual host. This can be used to override certain HttpListenerOptions settings, and can be overridden by RouteOptions settings. |
RouteOptions
Optional, feature-specific configuration that lives on routes. Each RouteOptions object contains configuration for a specific feature. Note to developers: new Route plugins must be added to this struct to be usable by Gloo (plugins currently need to be compiled into Gloo).
"transformations": .transformation.options.gloo.solo.io.Transformations
"faults": .fault.options.gloo.solo.io.RouteFaults
"prefixRewrite": .google.protobuf.StringValue
"timeout": .google.protobuf.Duration
"retries": .retries.options.gloo.solo.io.RetryPolicy
"extensions": .gloo.solo.io.Extensions
"tracing": .tracing.options.gloo.solo.io.RouteTracingSettings
"shadowing": .shadowing.options.gloo.solo.io.RouteShadowing
"headerManipulation": .headers.options.gloo.solo.io.HeaderManipulation
"hostRewrite": string
"autoHostRewrite": .google.protobuf.BoolValue
"hostRewritePathRegex": .solo.io.envoy.type.matcher.v3.RegexMatchAndSubstitute
"hostRewriteHeader": .google.protobuf.StringValue
"appendXForwardedHost": .google.protobuf.BoolValue
"cors": .cors.options.gloo.solo.io.CorsPolicy
"lbHash": .lbhash.options.gloo.solo.io.RouteActionHashConfig
"upgrades": []protocol_upgrade.options.gloo.solo.io.ProtocolUpgradeConfig
"ratelimitBasic": .ratelimit.options.gloo.solo.io.IngressRateLimit
"ratelimitEarly": .ratelimit.options.gloo.solo.io.RateLimitRouteExtension
"rateLimitEarlyConfigs": .ratelimit.options.gloo.solo.io.RateLimitConfigRefs
"ratelimit": .ratelimit.options.gloo.solo.io.RateLimitRouteExtension
"rateLimitConfigs": .ratelimit.options.gloo.solo.io.RateLimitConfigRefs
"ratelimitRegular": .ratelimit.options.gloo.solo.io.RateLimitRouteExtension
"rateLimitRegularConfigs": .ratelimit.options.gloo.solo.io.RateLimitConfigRefs
"waf": .waf.options.gloo.solo.io.Settings
"jwt": .jwt.options.gloo.solo.io.RouteExtension
"jwtStaged": .jwt.options.gloo.solo.io.JwtStagedRouteExtension
"rbac": .rbac.options.gloo.solo.io.ExtensionSettings
"extauth": .enterprise.gloo.solo.io.ExtAuthExtension
"dlp": .dlp.options.gloo.solo.io.Config
"bufferPerRoute": .solo.io.envoy.extensions.filters.http.buffer.v3.BufferPerRoute
"csrf": .solo.io.envoy.extensions.filters.http.csrf.v3.CsrfPolicy
"stagedTransformations": .transformation.options.gloo.solo.io.TransformationStages
"envoyMetadata": map<string, .google.protobuf.Struct>
"regexRewrite": .solo.io.envoy.type.matcher.v3.RegexMatchAndSubstitute
"maxStreamDuration": .gloo.solo.io.RouteOptions.MaxStreamDuration
"idleTimeout": .google.protobuf.Duration
"extProc": .extproc.options.gloo.solo.io.RouteSettings
Field | Type | Description |
---|---|---|
transformations |
.transformation.options.gloo.solo.io.Transformations | Transformations to apply. Note: this field is superseded by staged_transformations . If staged_transformations.regular is set, this field will be ignored. |
faults |
.fault.options.gloo.solo.io.RouteFaults | |
prefixRewrite |
.google.protobuf.StringValue | For requests matched on this route, rewrite the HTTP request path to the provided value before forwarding upstream. |
timeout |
.google.protobuf.Duration | Specifies the upstream timeout for the route. If not specified, the default is 15s. This spans between the point at which the entire downstream request (i.e. end-of-stream) has been processed and when the upstream response has been completely processed. A value of 0 will disable the route’s timeout. |
retries |
.retries.options.gloo.solo.io.RetryPolicy | |
extensions |
.gloo.solo.io.Extensions | Extensions will be passed along from Listeners, Gateways, VirtualServices, Routes, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml. Some sample use cases: * controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata. * In the future, Gloo may support gRPC-based plugins which communicate with the Gloo translator out-of-process. Opaque Extensions enables development of out-of-process plugins without requiring recompiling & redeploying Gloo’s API. |
tracing |
.tracing.options.gloo.solo.io.RouteTracingSettings | Defines route-specific tracing configuration. See here for additional information on Envoy’s tracing capabilities: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/observability/tracing.html See here for additional information about configuring tracing with Gloo Gateway. |
shadowing |
.shadowing.options.gloo.solo.io.RouteShadowing | Specifies traffic shadowing configuration for the route. See here for additional information on Envoy’s shadowing capabilities: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-api-msg-route-routeaction-requestmirrorpolicy. |
headerManipulation |
.headers.options.gloo.solo.io.HeaderManipulation | Append/Remove headers on Requests or Responses on this Route. |
hostRewrite |
string |
Indicates that during forwarding, the host header will be swapped with this value. Only one of hostRewrite , autoHostRewrite , hostRewritePathRegex , or hostRewriteHeader can be set. |
autoHostRewrite |
.google.protobuf.BoolValue | Enable/Disable auto host re-write. Indicates that the host header will be swapped with the hostname of the upstream host. This setting is only honored for upstreams that use DNS resolution (i.e., their generated Envoy cluster is of type STRICT_DNS or LOGICAL_DNS – think aws, azure, or static upstreams with hostnames). Only one of autoHostRewrite , hostRewrite , hostRewritePathRegex , or hostRewriteHeader can be set. |
hostRewritePathRegex |
.solo.io.envoy.type.matcher.v3.RegexMatchAndSubstitute | Indicates that during forwarding, the host header will be swapped with the result of the regex substitution executed on path value with query and fragment removed. Only one of hostRewritePathRegex , hostRewrite , autoHostRewrite , or hostRewriteHeader can be set. |
hostRewriteHeader |
.google.protobuf.StringValue | Indicates that during forwarding, the host header will be swapped with the content of given downstream or custom header. If header value is empty, host header is left intact. Using this option will append the x-forwarded-host header if append_x_forwarded_host is set. Only one of hostRewriteHeader , hostRewrite , autoHostRewrite , or hostRewritePathRegex can be set. |
appendXForwardedHost |
.google.protobuf.BoolValue | If true and there is a host rewrite, appends the x-forwarded-host header to requests. |
cors |
.cors.options.gloo.solo.io.CorsPolicy | Defines a CORS policy for the route If a CORS policy is also defined on the route’s virtual host, the policies are merged. |
lbHash |
.lbhash.options.gloo.solo.io.RouteActionHashConfig | For routes served by a hashing load balancer, this defines the input to the hash key Gloo configures Envoy with the first available RouteActionHashConfig among the following ordered list of providers: - route, upstream, virtual service. |
upgrades |
[]protocol_upgrade.options.gloo.solo.io.ProtocolUpgradeConfig | Route configuration for protocol upgrade requests. |
ratelimitBasic |
.ratelimit.options.gloo.solo.io.IngressRateLimit | Enterprise-only: Config for GlooE rate-limiting using simplified (gloo-specific) API. |
ratelimitEarly |
.ratelimit.options.gloo.solo.io.RateLimitRouteExtension | Enterprise-only: Partial config for GlooE rate-limiting based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit actions here, which define how request characteristics get translated into descriptors used by the rate-limit service for rate-limiting. Configure rate-limit descriptors and their associated limits on the Gloo settings. Only one of ratelimitEarly or rateLimitEarlyConfigs can be set. |
rateLimitEarlyConfigs |
.ratelimit.options.gloo.solo.io.RateLimitConfigRefs | References to RateLimitConfig resources. This is used to configure the GlooE rate limit server. Only one of rateLimitEarlyConfigs or ratelimitEarly can be set. |
ratelimit |
.ratelimit.options.gloo.solo.io.RateLimitRouteExtension | Enterprise-only: Partial config for GlooE rate-limiting based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit actions here, which define how request characteristics get translated into descriptors used by the rate-limit service for rate-limiting. Configure rate-limit descriptors and their associated limits on the Gloo settings. Only one of ratelimit or rateLimitConfigs can be set. |
rateLimitConfigs |
.ratelimit.options.gloo.solo.io.RateLimitConfigRefs | References to RateLimitConfig resources. This is used to configure the GlooE rate limit server. Only one of rateLimitConfigs or ratelimit can be set. |
ratelimitRegular |
.ratelimit.options.gloo.solo.io.RateLimitRouteExtension | Enterprise-only: Partial config for GlooE rate-limiting based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit actions here, which define how request characteristics get translated into descriptors used by the rate-limit service for rate-limiting. Configure rate-limit descriptors and their associated limits on the Gloo settings. Only one of ratelimitRegular or rateLimitRegularConfigs can be set. |
rateLimitRegularConfigs |
.ratelimit.options.gloo.solo.io.RateLimitConfigRefs | References to RateLimitConfig resources. This is used to configure the GlooE rate limit server. Only one of rateLimitRegularConfigs or ratelimitRegular can be set. |
waf |
.waf.options.gloo.solo.io.Settings | Enterprise-only: Config for Web Application Firewall (WAF), supporting the popular ModSecurity 3.0 ruleset. |
jwt |
.jwt.options.gloo.solo.io.RouteExtension | Enterprise-only: Config for reading and verifying JWTs. Copy verifiable information from JWTs into other headers to make routing decisions or combine with RBAC for fine-grained access control. This has been deprecated in favor of staged jwt. The same configuration can be achieved through staged jwt using AfterExtAuth. Only one of jwt or jwtStaged can be set. |
jwtStaged |
.jwt.options.gloo.solo.io.JwtStagedRouteExtension | Enterprise-only: Config for reading and verifying JWTs. Copy verifiable information from JWTs into other headers to make routing decisions or combine with RBAC for fine-grained access control. JWT configuration has stages “BeforeExtAuth” and “AfterExtAuth”. BeforeExtAuth JWT validation runs before the external authentication service. This is useful when JWT is used in conjunction with other auth mechanisms specified in the boolean expression Extauth API. AfterExtAuth validation runs after external authentication service, which is useful for verifying JWTs obtained during extauth (e.g. oauth/oidc). Only one of jwtStaged or jwt can be set. |
rbac |
.rbac.options.gloo.solo.io.ExtensionSettings | Enterprise-only: Config for RBAC (currently only supports RBAC based on JWT claims). |
extauth |
.enterprise.gloo.solo.io.ExtAuthExtension | Enterprise-only: Authentication configuration. |
dlp |
.dlp.options.gloo.solo.io.Config | Enterprise-only: Config for data loss prevention. |
bufferPerRoute |
.solo.io.envoy.extensions.filters.http.buffer.v3.BufferPerRoute | BufferPerRoute can be used to set the maximum request size that the filter will buffer before the connection manager will stop buffering and return a 413 response. Note: If you have not set a global config (at the gateway level), this override will not do anything by itself. |
csrf |
.solo.io.envoy.extensions.filters.http.csrf.v3.CsrfPolicy | Csrf can be used to set the percentage of requests for which the CSRF filter is enabled, to enable shadow-only mode, where policies are evaluated and tracked but not enforced, and to add source origins that are allowed in addition to the destination origin. For more, see https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/csrf/v2/csrf.proto. |
stagedTransformations |
.transformation.options.gloo.solo.io.TransformationStages | Early transformations stage. These transformations run before most other options are processed. If the regular field is set in here, the transformations field is ignored. |
envoyMetadata |
map<string, .google.protobuf.Struct> | This field can be used to provide additional information about the route. This metadata can be consumed by the Envoy filters that process requests that match the route. For more info about metadata, see here. The value of this field will be propagated to the metadata attribute of the corresponding Envoy route. Please refer to the Envoy documentation for more details about the metadata attribute. |
regexRewrite |
.solo.io.envoy.type.matcher.v3.RegexMatchAndSubstitute | For requests matched on this route, rewrite the HTTP request path according to the provided regex pattern before forwarding upstream. Please refer to the Envoy documentation for more details about the regex_rewrite attribute. |
maxStreamDuration |
.gloo.solo.io.RouteOptions.MaxStreamDuration | Settings for maximum durations and timeouts for streams on the route. Please refer to the Envoy documentation. |
idleTimeout |
.google.protobuf.Duration | Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout, although the stream_idle_timeout set in the Gateway’s httpConnectionManagerSettings will still apply. A value of 0 will completely disable the route’s idle timeout, even if a connection manager stream idle timeout is configured. Please refer to the Envoy documentation. |
extProc |
.extproc.options.gloo.solo.io.RouteSettings | Enterprise-only: External Processing filter settings for the route. This can be used to override certain HttpListenerOptions or VirtualHostOptions settings. |
MaxStreamDuration
This is a 1:1 translation to the Envoy API described here
"maxStreamDuration": .google.protobuf.Duration
"grpcTimeoutHeaderMax": .google.protobuf.Duration
"grpcTimeoutHeaderOffset": .google.protobuf.Duration
Field | Type | Description |
---|---|---|
maxStreamDuration |
.google.protobuf.Duration | Specifies the maximum duration allowed for streams on the route. If not specified, the value from the max_stream_duration field in HttpConnectionManager.common_http_protocol_options is used. If this field is set explicitly to zero, any HttpConnectionManager max_stream_duration timeout will be disabled for this route. |
grpcTimeoutHeaderMax |
.google.protobuf.Duration | If present, and the request contains a grpc-timeout header, use that value as the max_stream_duration, but limit the applied timeout to the maximum value specified here. If set to 0, the grpc-timeout header is used without modification. |
grpcTimeoutHeaderOffset |
.google.protobuf.Duration | If present, Envoy will adjust the timeout provided by the grpc-timeout header by subtracting the provided duration from the header. This is useful for allowing Envoy to set its global timeout to be less than that of the deadline imposed by the calling client, which makes it more likely that Envoy will handle the timeout instead of having the call canceled by the client. If, after applying the offset, the resulting timeout is zero or negative, the stream will time out immediately. |
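The grpc-timeout handling described in the table above, as an added example that is not Gloo's or Envoy's own code. The function names are hypothetical, and subtracting the offset before applying the cap is an assumption, since this page does not state the order.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

var units = map[byte]time.Duration{'H': time.Hour, 'M': time.Minute, 'S': time.Second,
	'm': time.Millisecond, 'u': time.Microsecond, 'n': time.Nanosecond}

// ParseGrpcTimeout parses a grpc-timeout value: 1-8 digits plus one unit letter.
func ParseGrpcTimeout(v string) (time.Duration, bool) {
	if len(v) < 2 || len(v) > 9 {
		return 0, false
	}
	unit, ok := units[v[len(v)-1]]
	n, err := strconv.ParseUint(v[:len(v)-1], 10, 32)
	if !ok || err != nil {
		return 0, false
	}
	const maxDur = time.Duration(1<<63 - 1)
	if time.Duration(n) > maxDur/unit {
		return maxDur, true // "99999999H" would overflow int64 nanoseconds
	}
	return time.Duration(n) * unit, true
}

// HeaderTimeout returns the stream timeout taken from a grpc-timeout header.
// ok is false when the header is not used (grpcTimeoutHeaderMax unset, i.e. nil,
// or header missing/malformed); (0, true) means the stream times out immediately.
func HeaderTimeout(hdrMax *time.Duration, offset time.Duration, hdr string) (time.Duration, bool) {
	h, ok := ParseGrpcTimeout(hdr)
	if !ok || hdrMax == nil {
		return 0, false
	}
	h -= offset // assumed order: subtract the offset (0 if unset), then cap
	if h <= 0 {
		return 0, true
	}
	if *hdrMax > 0 && h > *hdrMax {
		h = *hdrMax // cap the client-supplied deadline
	}
	return h, true
}

func main() {
	limit := 30 * time.Second
	fmt.Println(HeaderTimeout(&limit, 500*time.Millisecond, "1H")) // constructed header value
}
```

Because grpc-timeout is supplied by the client, a grpcTimeoutHeaderMax of 0 lets the caller choose the stream lifetime; a non-zero cap keeps that bound in the route configuration.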
DestinationSpec
Configuration for Destinations that are tied to the UpstreamSpec or ServiceSpec on that destination.
"aws": .aws.options.gloo.solo.io.DestinationSpec
"azure": .azure.options.gloo.solo.io.DestinationSpec
"rest": .rest.options.gloo.solo.io.DestinationSpec
"grpc": .grpc.options.gloo.solo.io.DestinationSpec
Field | Type | Description |
---|---|---|
aws |
.aws.options.gloo.solo.io.DestinationSpec | Only one of aws, azure, rest, or grpc can be set. |
azure |
.azure.options.gloo.solo.io.DestinationSpec | Only one of azure, aws, rest, or grpc can be set. |
rest |
.rest.options.gloo.solo.io.DestinationSpec | Only one of rest, aws, azure, or grpc can be set. |
grpc |
.grpc.options.gloo.solo.io.DestinationSpec | Only one of grpc, aws, azure, or rest can be set. |
WeightedDestinationOptions
Optional, feature-specific configuration that is applied when a specific weighted destination is selected for routing.
"headerManipulation": .headers.options.gloo.solo.io.HeaderManipulation
"transformations": .transformation.options.gloo.solo.io.Transformations
"extensions": .gloo.solo.io.Extensions
"extauth": .enterprise.gloo.solo.io.ExtAuthExtension
"bufferPerRoute": .solo.io.envoy.extensions.filters.http.buffer.v3.BufferPerRoute
"csrf": .solo.io.envoy.extensions.filters.http.csrf.v3.CsrfPolicy
"stagedTransformations": .transformation.options.gloo.solo.io.TransformationStages
Field | Type | Description |
---|---|---|
headerManipulation |
.headers.options.gloo.solo.io.HeaderManipulation | Append/Remove headers on Requests or Responses to/from this Weighted Destination. |
transformations |
.transformation.options.gloo.solo.io.Transformations | Transformations to apply. Note: this field is superseded by staged_transformations. If staged_transformations.regular is set, this field will be ignored. |
extensions |
.gloo.solo.io.Extensions | Extensions will be passed along from Listeners, Gateways, VirtualServices, Routes, and Route tables to the underlying Proxy, making them useful for controllers, validation tools, etc. which interact with kubernetes yaml. Some sample use cases: * controllers, deployment pipelines, helm charts, etc. which wish to use extensions as a kind of opaque metadata. * In the future, Gloo may support gRPC-based plugins which communicate with the Gloo translator out-of-process. Opaque Extensions enables development of out-of-process plugins without requiring recompiling & redeploying Gloo’s API. |
extauth |
.enterprise.gloo.solo.io.ExtAuthExtension | Enterprise-only: Authentication configuration. |
bufferPerRoute |
.solo.io.envoy.extensions.filters.http.buffer.v3.BufferPerRoute | BufferPerRoute can be used to set the maximum request size that the filter will buffer before the connection manager will stop buffering and return a 413 response. Note: If you have not set a global config (at the gateway level), this override will not do anything by itself. |
csrf |
.solo.io.envoy.extensions.filters.http.csrf.v3.CsrfPolicy | Csrf can be used to set the percentage of requests for which the CSRF filter is enabled, to enable shadow-only mode, where policies are evaluated and tracked but not enforced, and to add source origins that are allowed in addition to the destination origin. For more, see https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/csrf/v2/csrf.proto. |
stagedTransformations |
.transformation.options.gloo.solo.io.TransformationStages | Early transformations stage. These transformations run before most other options are processed. If the regular field is set in here, the transformations field is ignored. |