hcm.proto

Package: hcm.options.gloo.solo.io

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto

HttpConnectionManagerSettings

Contains various settings for Envoy’s http connection manager. See here for more information: https://www.envoyproxy.io/docs/envoy/v1.9.0/configuration/http_conn_man/http_conn_man

"skipXffAppend": bool
"via": string
"xffNumTrustedHops": int
"useRemoteAddress": .google.protobuf.BoolValue
"generateRequestId": .google.protobuf.BoolValue
"proxy100Continue": bool
"streamIdleTimeout": .google.protobuf.Duration
"idleTimeout": .google.protobuf.Duration
"maxRequestHeadersKb": .google.protobuf.UInt32Value
"requestTimeout": .google.protobuf.Duration
"drainTimeout": .google.protobuf.Duration
"delayedCloseTimeout": .google.protobuf.Duration
"serverName": string
"acceptHttp10": bool
"defaultHostForHttp10": string
"properCaseHeaderKeyFormat": bool
"tracing": .tracing.options.gloo.solo.io.ListenerTracingSettings
"forwardClientCertDetails": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.ForwardClientCertDetails
"setCurrentClientCertDetails": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.SetCurrentClientCertDetails
"preserveExternalRequestId": bool
"upgrades": []protocol_upgrade.options.gloo.solo.io.ProtocolUpgradeConfig
"maxConnectionDuration": .google.protobuf.Duration
"maxStreamDuration": .google.protobuf.Duration
"serverHeaderTransformation": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.ServerHeaderTransformation
"pathWithEscapedSlashesAction": .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.PathWithEscapedSlashesAction

| Field | Type | Description |
| --- | --- | --- |
| skipXffAppend | bool | |
| via | string | |
| xffNumTrustedHops | int | |
| useRemoteAddress | .google.protobuf.BoolValue | |
| generateRequestId | .google.protobuf.BoolValue | |
| proxy100Continue | bool | |
| streamIdleTimeout | .google.protobuf.Duration | |
| idleTimeout | .google.protobuf.Duration | |
| maxRequestHeadersKb | .google.protobuf.UInt32Value | |
| requestTimeout | .google.protobuf.Duration | |
| drainTimeout | .google.protobuf.Duration | |
| delayedCloseTimeout | .google.protobuf.Duration | |
| serverName | string | |
| acceptHttp10 | bool | For explanation of these settings see: https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/core/protocol.proto#envoy-api-msg-core-http1protocoloptions. |
| defaultHostForHttp10 | string | |
| properCaseHeaderKeyFormat | bool | |
| tracing | .tracing.options.gloo.solo.io.ListenerTracingSettings | |
| forwardClientCertDetails | .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.ForwardClientCertDetails | |
| setCurrentClientCertDetails | .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.SetCurrentClientCertDetails | |
| preserveExternalRequestId | bool | |
| upgrades | []protocol_upgrade.options.gloo.solo.io.ProtocolUpgradeConfig | HttpConnectionManager configuration for protocol upgrade requests. Note: WebSocket upgrades are enabled by default on the HTTP Connection Manager and must be explicitly disabled. |
| maxConnectionDuration | .google.protobuf.Duration | For an explanation of these settings see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-httpprotocoloptions. |
| maxStreamDuration | .google.protobuf.Duration | |
| serverHeaderTransformation | .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.ServerHeaderTransformation | For an explanation of the settings see: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#envoy-v3-api-enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-serverheadertransformation. |
| pathWithEscapedSlashesAction | .hcm.options.gloo.solo.io.HttpConnectionManagerSettings.PathWithEscapedSlashesAction | Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). The default value can be overridden by the http_connection_manager.path_with_escaped_slashes_action runtime variable. The http_connection_manager.path_with_escaped_slashes_action_sampling runtime variable can be used to apply the action to a portion of all requests. |

SetCurrentClientCertDetails

"subject": .google.protobuf.BoolValue
"cert": bool
"chain": bool
"dns": bool
"uri": bool

| Field | Type | Description |
| --- | --- | --- |
| subject | .google.protobuf.BoolValue | |
| cert | bool | |
| chain | bool | |
| dns | bool | |
| uri | bool | |

ForwardClientCertDetails

| Name | Description |
| --- | --- |
| SANITIZE | |
| FORWARD_ONLY | |
| APPEND_FORWARD | |
| SANITIZE_SET | |
| ALWAYS_FORWARD_ONLY | |

ServerHeaderTransformation

| Name | Description |
| --- | --- |
| OVERWRITE | (DEFAULT) Overwrite any Server header with the contents of server_name. |
| APPEND_IF_ABSENT | If no Server header is present, append Server server_name. If a Server header is present, pass it through. |
| PASS_THROUGH | Pass through the value of the server header, and do not append a header if none is present. |

PathWithEscapedSlashesAction

Determines the action for requests that contain %2F, %2f, %5C or %5c sequences in the URI path. This operation occurs before URL normalization and the merge slashes transformations if they were enabled.

| Name | Description |
| --- | --- |
| IMPLEMENTATION_SPECIFIC_DEFAULT | Default behavior specific to implementation (i.e. Envoy) of this configuration option. Envoy, by default, takes the KEEP_UNCHANGED action. NOTE: the implementation may change the default behavior at will. |
| KEEP_UNCHANGED | Keep escaped slashes. |
| REJECT_REQUEST | Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. The “httpN.downstream_rq_failed_path_normalization” counter is incremented for each rejected request. |
| UNESCAPE_AND_REDIRECT | Unescape %2F and %5C sequences and redirect the request to the new path if these sequences were present. Redirect occurs after path normalization and merge slashes transformations if they were configured. NOTE: gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes the possibility of path confusion exploits by forcing requests with unescaped slashes to traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented for each redirected request. |
| UNESCAPE_AND_FORWARD | Unescape %2F and %5C sequences. Note: this option should not be enabled if intermediaries perform path-based access control, as it may lead to path confusion vulnerabilities. |
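
As an added illustration (not code from the Gloo or Envoy projects), the Go sketch below models how each action in the table treats a path containing an escaped slash when a hop in front of the proxy applies a path-prefix rule to the undecoded path. The intermediaryAllows rule, the /internal/ prefix and the sample path are assumptions constructed for the example; gRPC handling and later path normalization are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Action names are taken from the PathWithEscapedSlashesAction table on this page.
const (
	KeepUnchanged       = "KEEP_UNCHANGED"
	RejectRequest       = "REJECT_REQUEST"
	UnescapeAndRedirect = "UNESCAPE_AND_REDIRECT"
	UnescapeAndForward  = "UNESCAPE_AND_FORWARD"
)

var unescape = strings.NewReplacer("%2F", "/", "%2f", "/", "%5C", `\`, "%5c", `\`)

// intermediaryAllows is a hypothetical rule on a hop in front of the proxy; it matches the raw path.
func intermediaryAllows(path string) bool {
	return !strings.HasPrefix(path, "/internal/")
}

// Trace follows one non-gRPC request through intermediary and proxy and reports its fate.
func Trace(action, path string) string {
	for hop := 0; hop < 2; hop++ { // follow at most one redirect
		if !intermediaryAllows(path) {
			return "denied by intermediary: " + path
		}
		decoded := unescape.Replace(path)
		switch {
		case decoded == path, action == KeepUnchanged:
			return "forwarded upstream: " + path
		case action == RejectRequest:
			return "rejected by proxy: 400"
		case action == UnescapeAndForward:
			return "forwarded upstream: " + decoded
		case action != UnescapeAndRedirect:
			return "unknown action: " + action
		}
		path = decoded // the client re-sends the decoded path through every hop
	}
	return "redirect loop"
}

func main() {
	for _, a := range []string{KeepUnchanged, RejectRequest, UnescapeAndRedirect, UnescapeAndForward} {
		fmt.Printf("%-22s %s\n", a, Trace(a, "/internal%2Fmetrics")) // constructed sample path
	}
}
```

Only UNESCAPE_AND_FORWARD hands the upstream a path that the intermediary never evaluated; with UNESCAPE_AND_REDIRECT the decoded path is re-sent and the intermediary's rule applies to it.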