Navigation :
Getting Started
What is Gloo Gateway?
Setup
Guides
Operations
Reference
-
Open Source Attribution
-
API Reference
-- address.proto
-- address.proto
-- advanced_http.proto
-- advanced_http.proto
-- als.proto
-- annotations.proto
-- any.proto
-- api.proto
-- apple_dns_resolver.proto
-- artifact.proto
-- authority.proto
-- aws.proto
-- aws_ec2.proto
-- azure.proto
-- backoff.proto
-- base.proto
-- base.proto
-- buffer.proto
-- caching.proto
-- cares_dns_resolver.proto
-- cidr.proto
-- cipher_detection_input.proto
-- circuit_breaker.proto
-- cluster.proto
-- config.proto
-- config.proto
-- connection.proto
-- connection_limit.proto
-- consul.proto
-- context_params.proto
-- core.proto
-- cors.proto
-- csrf.proto
-- custom_tag.proto
-- datadog.proto
-- deprecation.proto
-- descriptor.proto
-- discovery.proto
-- dlp.proto
-- domain.proto
-- duration.proto
-- dynamic_forward_proxy.proto
-- empty.proto
-- endpoint.proto
-- envoy.glooe.solo.io.project
-- envoy_glooe_solo_io.project
-- event_service_config.proto
-- ext.proto
-- extauth.proto
-- extension.proto
-- extension.proto
-- extensions.proto
-- external_options.proto
-- extproc.proto
-- failover.proto
-- failover.proto
-- fault.proto
-- field_mask.proto
-- filter.proto
-- gateway.proto
-- gateway.solo.io.project
-- gateway_solo_io.project
-- gcp.proto
-- gloo.solo.io.project
-- gloo_solo_io.project
-- gloo_validation.proto
-- glooe.solo.io.project
-- glooe_solo_io.project
-- graphql.proto
-- graphql.proto
-- graphql.proto
-- grpc.proto
-- grpc_json.proto
-- grpc_output_sink.proto
-- grpc_service.proto
-- grpc_web.proto
-- gzip.proto
-- hcm.proto
-- header_validation.proto
-- headers.proto
-- health_check.proto
-- health_check.proto
-- healthcheck.proto
-- http.proto
-- http.proto
-- http_gateway.proto
-- http_inputs.proto
-- http_output_sink.proto
-- http_path.proto
-- http_uri.proto
-- http_uri.proto
-- ingress.proto
-- instance.proto
-- ip.proto
-- jwt.proto
-- kubernetes.proto
-- lbhash.proto
-- load_balancer.proto
-- local_ratelimit.proto
-- matchable_http_gateway.proto
-- matchable_tcp_gateway.proto
-- matcher.proto
-- matchers.proto
-- metadata.proto
-- metadata.proto
-- metrics.proto
-- migrate.proto
-- migrate.proto
-- mutation_rules.proto
-- opencensus.proto
-- opentelemetry.proto
-- options.proto
-- orca.proto
-- outlier_detection.proto
-- parameters.proto
-- percent.proto
-- percent.proto
-- pipe.proto
-- placement.proto
-- processing_mode.proto
-- protocol.proto
-- protocol_upgrade.proto
-- proxy.proto
-- proxy_endpoint.proto
-- proxy_protocol.proto
-- proxy_protocol.proto
-- proxy_protocol.proto
-- proxylatency.proto
-- proxyprotocol.proto
-- query_options.proto
-- query_options.proto
-- range.proto
-- range.proto
-- range.proto
-- range.proto
-- ratelimit.proto
-- ratelimit.proto
-- ratelimit.proto
-- rbac.proto
-- ref.proto
-- regex.proto
-- regex.proto
-- resolver.proto
-- resource.proto
-- resource_locator.proto
-- resource_name.proto
-- rest.proto
-- retries.proto
-- route.proto
-- route_components.proto
-- route_table.proto
-- router.proto
-- sanitize.proto
-- secret.proto
-- security.proto
-- selectors.proto
-- semantic_version.proto
-- semantic_version.proto
-- sensitive.proto
-- sensitive.proto
-- server_name_matcher.proto
-- service.proto
-- service_spec.proto
-- settings.proto
-- shadowing.proto
-- snap.proto
-- socket_option.proto
-- socket_option.proto
-- solo-discovery-service.proto
-- solo-kit.proto
-- solo_jwt_authn.proto
-- solo_xff_offset_filter.proto
-- source_context.proto
-- ssl.proto
-- ssl.proto
-- stages.proto
-- stateful_session.proto
-- statefulsession.proto
-- statefulsession.proto
-- static.proto
-- stats.proto
-- status.proto
-- status.proto
-- status.proto
-- status.proto
-- stitching.proto
-- string.proto
-- string.proto
-- struct.proto
-- subset.proto
-- subset_spec.proto
-- tap.proto
-- tap.proto
-- tcp.proto
-- timestamp.proto
-- tls_cipher_inspector.proto
-- trace.proto
-- tracing.proto
-- transformation.proto
-- transformation.proto
-- transformation.proto
-- type.proto
-- typed_struct.proto
-- upstream.proto
-- upstream_proxy_protocol.proto
-- upstream_wait_filter.proto
-- version.proto
-- versioning.proto
-- versioning.proto
-- virtual_service.proto
-- waf.proto
-- waf.proto
-- wasm.proto
-- wasm.proto
-- wasm.proto
-- wrappers.proto
-- xslt_transformer.proto
-- zipkin.proto
-
Command Line Reference
-
Changelog
-
Helm Chart Values
-
Security Updates
- Security Posture
- Gloo Gateway Port Reference
- Release Support
-
Cheatsheets
Contribution Guide
Get help and support
ssl.proto
Package: gloo.solo.io
Types:
SslConfig
SslConfig contains the options necessary to configure a virtual host or listener to use TLS termination
"secretRef": .core.solo.io.ResourceRef
"sslFiles": .gloo.solo.io.SSLFiles
"sds": .gloo.solo.io.SDSConfig
"sniDomains": [] string
"verifySubjectAltName": [] string
"parameters": .gloo.solo.io.SslParameters
"alpnProtocols": [] string
"oneWayTls": .google.protobuf.BoolValue
"disableTlsSessionResumption": .google.protobuf.BoolValue
"transportSocketConnectTimeout": .google.protobuf.Duration
Field
Type
Description
secretRef
.core.solo.io.ResourceRef
SecretRef contains the secret ref to a gloo tls secret or a kubernetes tls secret. gloo tls secret can contain a root ca as well if verification is needed. Only one of secretRef
, sslFiles
, or sds
can be set.
sslFiles
.gloo.solo.io.SSLFiles
SSLFiles reference paths to certificates which are local to the proxy. Only one of sslFiles
, secretRef
, or sds
can be set.
sds
.gloo.solo.io.SDSConfig
Use secret discovery service. Only one of sds
, secretRef
, or sslFiles
can be set.
sniDomains
[]string
optional. the SNI domains that should be considered for TLS connections.
verifySubjectAltName
[]string
Verify that the Subject Alternative Name in the peer certificate is one of the specified values. note that a root_ca must be provided if this option is used.
parameters
.gloo.solo.io.SslParameters
alpnProtocols
[]string
Set Application Level Protocol Negotiation If empty, defaults to [“h2”, “http/1.1”]. As an advanced option you may use [“allow_empty”] to avoid defaults and set alpn to have no alpn set (ie pass empty slice).
oneWayTls
.google.protobuf.BoolValue
If the SSL config has the ca.crt (root CA) provided, Gloo uses it to perform mTLS by default. Set oneWayTls to true to disable mTLS in favor of server-only TLS (one-way TLS), even if Gloo has the root CA. If unset, defaults to false.
disableTlsSessionResumption
.google.protobuf.BoolValue
If set to true, the TLS session resumption will be deactivated, note that it deactivates only the tickets based tls session resumption (not the cache).
transportSocketConnectTimeout
.google.protobuf.Duration
If present and nonzero, the amount of time to allow incoming connections to complete any transport socket negotiations. If this expires before the transport reports connection establishment, the connection is summarily closed.
SSLFiles
SSLFiles reference paths to certificates which can be read by the proxy off of its local filesystem
"tlsCert": string
"tlsKey": string
"rootCa": string
Field
Type
Description
tlsCert
string
tlsKey
string
rootCa
string
for client cert validation. optional.
UpstreamSslConfig
SslConfig contains the options necessary to configure an upstream to use TLS origination
"secretRef": .core.solo.io.ResourceRef
"sslFiles": .gloo.solo.io.SSLFiles
"sds": .gloo.solo.io.SDSConfig
"sni": string
"verifySubjectAltName": [] string
"parameters": .gloo.solo.io.SslParameters
"alpnProtocols": [] string
"allowRenegotiation": .google.protobuf.BoolValue
Field
Type
Description
secretRef
.core.solo.io.ResourceRef
SecretRef contains the secret ref to a gloo tls secret or a kubernetes tls secret. gloo tls secret can contain a root ca as well if verification is needed. Only one of secretRef
, sslFiles
, or sds
can be set.
sslFiles
.gloo.solo.io.SSLFiles
SSLFiles reference paths to certificates which are local to the proxy. Only one of sslFiles
, secretRef
, or sds
can be set.
sds
.gloo.solo.io.SDSConfig
Use secret discovery service. Only one of sds
, secretRef
, or sslFiles
can be set.
sni
string
optional. the SNI domains that should be considered for TLS connections.
verifySubjectAltName
[]string
Verify that the Subject Alternative Name in the peer certificate is one of the specified values. note that a root_ca must be provided if this option is used.
parameters
.gloo.solo.io.SslParameters
alpnProtocols
[]string
Set Application Level Protocol Negotiation. If empty, it is not set.
allowRenegotiation
.google.protobuf.BoolValue
Allow Tls renegotiation, the default value is false. TLS renegotiation is considered insecure and shouldn’t be used unless absolutely necessary.
SDSConfig
"targetUri": string
"callCredentials": .gloo.solo.io.CallCredentials
"clusterName": string
"certificatesSecretName": string
"validationContextName": string
Field
Type
Description
targetUri
string
Target uri for the sds channel. currently only a unix domain socket is supported.
callCredentials
.gloo.solo.io.CallCredentials
Call credentials. Only one of callCredentials
or clusterName
can be set.
clusterName
string
The name of the sds cluster in envoy. Only one of clusterName
or callCredentials
can be set.
certificatesSecretName
string
The name of the secret containing the certificate.
validationContextName
string
The name of secret containing the validation context (i.e. root ca).
CallCredentials
"fileCredentialSource": .gloo.solo.io.CallCredentials.FileCredentialSource
FileCredentialSource
"tokenFileName": string
"header": string
Field
Type
Description
tokenFileName
string
File containing auth token.
header
string
Header to carry the token.
SslParameters
General TLS parameters. See the envoy docs
for more information on the meaning of these values.
"minimumProtocolVersion": .gloo.solo.io.SslParameters.ProtocolVersion
"maximumProtocolVersion": .gloo.solo.io.SslParameters.ProtocolVersion
"cipherSuites": [] string
"ecdhCurves": [] string
ProtocolVersion
Name
Description
TLS_AUTO
Envoy will choose the optimal TLS version.
TLSv1_0
TLS 1.0
TLSv1_1
TLS 1.1
TLSv1_2
TLS 1.2
TLSv1_3
TLS 1.3