hcm.proto

Package: hcm.options.gloo.solo.io

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto

HttpConnectionManagerSettings

Contains various settings for Envoy’s http connection manager. See here for more information: https://www.envoyproxy.io/docs/envoy/v1.9.0/configuration/http_conn_man/http_conn_man

"skipXffAppend": bool
"via": string
"xffNumTrustedHops": int
"useRemoteAddress": .google.protobuf.BoolValue
"generateRequestId": .google.protobuf.BoolValue
"proxy100Continue": bool
"streamIdleTimeout": .google.protobuf.Duration
"idleTimeout": .google.protobuf.Duration
"maxRequestHeadersKb": .google.protobuf.UInt32Value
"requestTimeout": .google.protobuf.Duration
"drainTimeout": .google.protobuf.Duration
"delayedCloseTimeout": .google.protobuf.Duration
"serverName": string
"stripAnyHostPort": bool
"acceptHttp10": bool
"defaultHostForHttp10": string
"allowChunkedLength": bool
"enableTrailers": bool
"properCaseHeaderKeyFormat": bool
"preserveCaseHeaderKeyFormat": bool
"tracing": .tracing.options.gloo.solo.io.ListenerTracingSettings
"forwardClientCertDetails": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.ForwardClientCertDetails
"setCurrentClientCertDetails": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.SetCurrentClientCertDetails
"preserveExternalRequestId": bool
"upgrades": []protocol_upgrade.options.gloo.solo.io.ProtocolUpgradeConfig
"maxConnectionDuration": .google.protobuf.Duration
"maxStreamDuration": .google.protobuf.Duration
"maxHeadersCount": .google.protobuf.UInt32Value
"headersWithUnderscoresAction": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.HeadersWithUnderscoreAction
"maxRequestsPerConnection": .google.protobuf.UInt32Value
"serverHeaderTransformation": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.ServerHeaderTransformation
"pathWithEscapedSlashesAction": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.PathWithEscapedSlashesAction
"codecType": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.CodecType
"mergeSlashes": bool
"normalizePath": .google.protobuf.BoolValue
"uuidRequestIdConfig": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.UuidRequestIdConfigSettings

Field Type Description
skipXffAppend bool
via string
xffNumTrustedHops int
useRemoteAddress .google.protobuf.BoolValue
generateRequestId .google.protobuf.BoolValue
proxy100Continue bool
streamIdleTimeout .google.protobuf.Duration
idleTimeout .google.protobuf.Duration
maxRequestHeadersKb .google.protobuf.UInt32Value
requestTimeout .google.protobuf.Duration
drainTimeout .google.protobuf.Duration
delayedCloseTimeout .google.protobuf.Duration
serverName string
stripAnyHostPort bool
acceptHttp10 bool For an explanation of these settings, see: https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/protocol.proto#envoy-api-msg-core-http1protocoloptions.
defaultHostForHttp10 string
allowChunkedLength bool For an explanation of these settings, see: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-http1protocoloptions.
enableTrailers bool
properCaseHeaderKeyFormat bool Formats the RESPONSE HEADER by proper casing words: the first character and any character following a special character will be capitalized if it’s an alpha character. For example, “content-type” becomes “Content-Type”, and “foo$b#$are” becomes “Foo$B#$Are”. Note that while this results in most headers following conventional casing, certain headers are not covered. For example, the “TE” header will be formatted as “Te”. Only one of properCaseHeaderKeyFormat or preserveCaseHeaderKeyFormat can be set.
preserveCaseHeaderKeyFormat bool Generates configuration for a stateful formatter extension that allows using received headers to affect the output of encoding headers. Specifically: preserving RESPONSE HEADER case during proxying. Only one of preserveCaseHeaderKeyFormat or properCaseHeaderKeyFormat can be set.
tracing .tracing.options.gloo.solo.io.ListenerTracingSettings
forwardClientCertDetails .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.ForwardClientCertDetails
setCurrentClientCertDetails .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.SetCurrentClientCertDetails
preserveExternalRequestId bool
upgrades []protocol_upgrade.options.gloo.solo.io.ProtocolUpgradeConfig HttpConnectionManager configuration for protocol upgrade requests. Note: WebSocket upgrades are enabled by default on the HTTP Connection Manager and must be explicitly disabled.
maxConnectionDuration .google.protobuf.Duration For an explanation of these settings see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-httpprotocoloptions.
maxStreamDuration .google.protobuf.Duration For an explanation of these settings see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-httpprotocoloptions.
maxHeadersCount .google.protobuf.UInt32Value For an explanation of these settings see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-httpprotocoloptions.
headersWithUnderscoresAction .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.HeadersWithUnderscoreAction For an explanation of these settings see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-httpprotocoloptions.
maxRequestsPerConnection .google.protobuf.UInt32Value For an explanation of these settings see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-httpprotocoloptions.
serverHeaderTransformation .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.ServerHeaderTransformation For an explanation of the settings see: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#envoy-v3-api-enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-serverheadertransformation.
pathWithEscapedSlashesAction .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.PathWithEscapedSlashesAction Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). The default value can be overridden by the http_connection_manager.path_with_escaped_slashes_action runtime variable. The http_connection_manager.path_with_escaped_slashes_action_sampling runtime variable can be used to apply the action to a portion of all requests.
codecType .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.CodecType Supplies the type of codec that the connection manager should use. See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager.
mergeSlashes bool Determines if adjacent slashes in the path are merged into one before any processing of requests by HTTP filters or routing. See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.
normalizePath .google.protobuf.BoolValue Should paths be normalized according to RFC 3986 before any processing of requests by HTTP filters or routing? See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.
uuidRequestIdConfig .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.UuidRequestIdConfigSettings

SetCurrentClientCertDetails

"subject": .google.protobuf.BoolValue
"cert": bool
"chain": bool
"dns": bool
"uri": bool

Field Type Description
subject .google.protobuf.BoolValue
cert bool
chain bool
dns bool
uri bool

UuidRequestIdConfigSettings

Contains setup for Envoy’s UuidRequestIdConfig

"packTraceReason": .google.protobuf.BoolValue
"useRequestIdForTraceSampling": .google.protobuf.BoolValue

Field Type Description
packTraceReason .google.protobuf.BoolValue Whether the implementation alters the UUID to contain the trace sampling decision as per the UuidRequestIdConfig message documentation. This defaults to true. If disabled no modification to the UUID will be performed. It is important to note that if disabled, stable sampling of traces, access logs, etc. will no longer work and only random sampling will be possible.
useRequestIdForTraceSampling .google.protobuf.BoolValue Set whether to use x-request-id for sampling or not. This defaults to true. See the context propagation overview for more information.

ForwardClientCertDetails

Name Description
SANITIZE
FORWARD_ONLY
APPEND_FORWARD
SANITIZE_SET
ALWAYS_FORWARD_ONLY

ServerHeaderTransformation

Name Description
OVERWRITE (DEFAULT) Overwrite any Server header with the contents of server_name.
APPEND_IF_ABSENT If no Server header is present, append Server server_name. If a Server header is present, pass it through.
PASS_THROUGH Pass through the value of the server header, and do not append a header if none is present.

HeadersWithUnderscoreAction

Action to take when Envoy receives a client request with header names containing underscore characters. The underscore character is allowed in header names by RFC 7230; this behavior is implemented as a security measure because some systems treat ‘_’ and ‘-’ as interchangeable. By default, Envoy allows client request headers with underscore characters.

Name Description
ALLOW Allow headers with underscores. This is the default behavior.
REJECT_CLIENT_REQUEST Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests end with the stream reset. The “httpN.requests_rejected_with_underscores_in_headers” counter is incremented for each rejected request.
DROP_HEADER Drop the client header with name containing underscores. The header is dropped before the filter chain is invoked and as such filters will not see dropped headers. The “httpN.dropped_headers_with_underscores” counter is incremented for each dropped header.
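The three actions above, modelled for HTTP/1 requests together with the '_' / '-' collision they guard against. This is an added example, not Gloo or Envoy code; the CGI-style `normalize` function, the outcome strings and the sample headers are assumptions made for illustration.

```python
# Added example: models the HeadersWithUnderscoreAction values for HTTP/1 requests.
from collections import defaultdict

def normalize(name):
    # Assumed upstream behavior (CGI/WSGI style): '-' and '_' become the same key.
    return "HTTP_" + name.upper().replace("-", "_")

def colliding_names(headers):
    """Map each normalized key to the distinct header names that collapse onto it."""
    seen = defaultdict(list)
    for name, _ in headers:
        if name not in seen[normalize(name)]:
            seen[normalize(name)].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def apply_underscore_action(headers, action):
    """Return (outcome, headers passed on to the filter chain)."""
    flagged = [n for n, _ in headers if "_" in n]
    if action == "ALLOW" or not flagged:
        return "forward", list(headers)
    if action == "REJECT_CLIENT_REQUEST":
        return "reject_400", []  # an HTTP/2 request would end with a stream reset
    if action == "DROP_HEADER":
        return "forward", [(n, v) for n, v in headers if "_" not in n]
    raise ValueError(f"unknown action: {action}")

# Constructed sample request headers (not taken from the page).
SAMPLE = [("x-auth-user", "alice"),
          ("x_auth_user", "constructed-value"),
          ("accept", "*/*")]

if __name__ == "__main__":
    for action in ("ALLOW", "REJECT_CLIENT_REQUEST", "DROP_HEADER"):
        outcome, kept = apply_underscore_action(SAMPLE, action)
        print(action, outcome, colliding_names(kept))
```

With ALLOW the two names still collapse onto one upstream key; with DROP_HEADER the collision is gone before any filter runs.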

PathWithEscapedSlashesAction

Determines the action for requests that contain %2F, %2f, %5C or %5c sequences in the URI path. This operation occurs before the URL normalization and merge slashes transformations, if they were enabled.

Name Description
IMPLEMENTATION_SPECIFIC_DEFAULT Default behavior specific to implementation (i.e. Envoy) of this configuration option. Envoy, by default, takes the KEEP_UNCHANGED action. NOTE: the implementation may change the default behavior at will.
KEEP_UNCHANGED Keep escaped slashes.
REJECT_REQUEST Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. The “httpN.downstream_rq_failed_path_normalization” counter is incremented for each rejected request.
UNESCAPE_AND_REDIRECT Unescape %2F and %5C sequences and redirect the request to the new path if these sequences were present. The redirect occurs after the path normalization and merge slashes transformations, if they were configured. NOTE: gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes the possibility of path confusion exploits by forcing requests with unescaped slashes to traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented for each redirected request.
UNESCAPE_AND_FORWARD Unescape %2F and %5C sequences. Note: this option should not be enabled if intermediaries perform path based access control as it may lead to path confusion vulnerabilities.
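The actions in the table above, modelled on one path to show why only UNESCAPE_AND_FORWARD lets the upstream see a path that a path-based check in front of Envoy never evaluated. This is an added example, not Gloo or Envoy code; the `/api/admin/` deny rule, the outcome strings and the sample path are assumptions made for illustration.

```python
# Added example: models PathWithEscapedSlashesAction against a path-based check.
import re

ESCAPED = re.compile(r"%2f|%5c", re.IGNORECASE)

def unescape_slashes(path):
    # %2F/%2f -> '/', %5C/%5c -> '\'; every other escape is left untouched.
    return ESCAPED.sub(lambda m: "/" if m.group(0).lower() == "%2f" else "\\", path)

def apply_path_action(path, action, grpc=False):
    """Return (outcome, path); path is None when the request is rejected."""
    if action == "IMPLEMENTATION_SPECIFIC_DEFAULT":
        action = "KEEP_UNCHANGED"  # Envoy's current default, per the table above
    if action == "KEEP_UNCHANGED" or not ESCAPED.search(path):
        return "forward", path
    if action == "REJECT_REQUEST":
        return ("grpc_internal_13" if grpc else "reject_400"), None
    if action == "UNESCAPE_AND_REDIRECT":
        if grpc:
            return "grpc_internal_13", None
        return "redirect", unescape_slashes(path)
    if action == "UNESCAPE_AND_FORWARD":
        return "forward", unescape_slashes(path)
    raise ValueError(f"unknown action: {action}")

def acl_allows(path):
    # Hypothetical intermediary in front of Envoy doing path-based access control.
    return not path.startswith("/api/admin/")

def bypasses_acl(path, action):
    """True when the intermediary allowed a path that differs from what is forwarded."""
    outcome, forwarded = apply_path_action(path, action)
    return outcome == "forward" and acl_allows(path) and not acl_allows(forwarded)

SAMPLE = "/api%2Fadmin/users"  # constructed sample path

if __name__ == "__main__":
    for action in ("KEEP_UNCHANGED", "REJECT_REQUEST",
                   "UNESCAPE_AND_REDIRECT", "UNESCAPE_AND_FORWARD"):
        print(action, apply_path_action(SAMPLE, action), bypasses_acl(SAMPLE, action))
```

With UNESCAPE_AND_REDIRECT the client has to re-request the unescaped path, so the intermediary's check runs on the same path the upstream will receive.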

CodecType

Name Description
AUTO For every new connection, the connection manager will determine which codec to use. This mode supports both ALPN for TLS listeners as well as protocol inference for plaintext listeners. If ALPN data is available, it is preferred, otherwise protocol inference is used. In almost all cases, this is the right option to choose for this setting.
HTTP1 The connection manager will assume that the client is speaking HTTP/1.1.
HTTP2 The connection manager will assume that the client is speaking HTTP/2 (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. Prior knowledge is allowed).