
Commit 84e8436

http: Support inferring X-Forwarded-Proto from PROXY protocol destination port (#43088)
When using Layer 4 load balancers (like AWS NLB) that terminate TLS and forward traffic using PROXY protocol, Envoy receives unencrypted traffic but needs to know the original protocol for correct redirect behavior. This change adds a new HCM configuration option `forwarded_proto_config` that allows specifying which PROXY protocol destination ports should be treated as HTTPS or HTTP. When enabled and the local address was restored from PROXY protocol, the `x-forwarded-proto` header is set based on whether the destination port is in `https_destination_ports` or `http_destination_ports`.

Example configuration:

```
http_connection_manager:
  forwarded_proto_config:
    https_destination_ports: [443, 8443]
    http_destination_ports: [80, 8080]
```

Risk Level: Low - opt-in feature that only activates when explicitly configured and when localAddressRestored() is true
Testing: Added 6 unit tests in conn_manager_utility_test.cc covering port 443/80 mapping, unmapped ports, empty config, non-restored address, and custom ports
Docs Changes: N/A
Release Notes: Added
Platform Specific Features:
[Optional Runtime guard:]
Fixes #43031
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
API Considerations: Added new message ForwardedProtoConfig and field forwarded_proto_config (#61) to HttpConnectionManager. The configuration uses two repeated uint32 fields (https_destination_ports and http_destination_ports) for type-safe port specification without requiring string validation.

---------

Signed-off-by: Prashanth Josyula <prashanth.16@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ f126920c1c3443175680bdc88c55116b979d396f
1 parent 7468956 commit 84e8436
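An added, runnable illustration of the behaviour the commit message describes; it is not Envoy's code and not part of this PR. It parses the PROXY protocol v1 header line that a Layer 4 load balancer prepends, feeds the destination port into the two port lists, and handles the fallbacks the message says are tested (empty config, non-restored address, unmapped port, custom ports) explicitly. The names `ForwardedProtoConfig`, `ProxyInfo`, `parse_proxy_v1` and `infer_forwarded_proto` are assumptions for this example, as is the precedence it applies: the HTTPS list is checked before the HTTP list, and a port in neither list falls back to the standard header/TLS logic.

```python
"""Added example, not Envoy code: a PROXY protocol v1 header parser plus the
x-forwarded-proto inference described in the commit message.  All names here
are illustrative and are not Envoy APIs.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

PROXY_V1_MAX_LEN = 107  # v1 header length limit, including the CRLF


@dataclass
class ForwardedProtoConfig:
    """Mirrors the two repeated uint32 port lists from the proto message."""
    https_destination_ports: Set[int] = field(default_factory=set)
    http_destination_ports: Set[int] = field(default_factory=set)

    def validate(self) -> None:
        """Reject out-of-range ports and ports listed as both HTTP and HTTPS.
        Assumption: the proto itself does not enforce either constraint."""
        for port in self.https_destination_ports | self.http_destination_ports:
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
        both = self.https_destination_ports & self.http_destination_ports
        if both:
            raise ValueError(f"ports in both lists: {sorted(both)}")


@dataclass
class ProxyInfo:
    """What the listener learns from the PROXY header: whether the original
    destination address was restored, and its port if so."""
    restored: bool
    dst_port: Optional[int] = None


def parse_proxy_v1(header: bytes) -> ProxyInfo:
    """Parse a PROXY protocol v1 line such as
    b'PROXY TCP4 <src> <dst> <srcport> <dstport>\\r\\n'.
    'PROXY UNKNOWN' carries no address, so restored=False.  Malformed input raises."""
    if len(header) > PROXY_V1_MAX_LEN or not header.endswith(b"\r\n"):
        raise ValueError("malformed PROXY v1 header")
    parts = header[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":  # anything after UNKNOWN is ignored per the spec
        return ProxyInfo(restored=False)
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported or malformed PROXY v1 header")
    if not parts[5].isdigit():
        raise ValueError("destination port is not numeric")
    dst_port = int(parts[5])
    if not 1 <= dst_port <= 65535:
        raise ValueError("destination port out of range")
    return ProxyInfo(restored=True, dst_port=dst_port)


def infer_forwarded_proto(cfg: ForwardedProtoConfig, proxy: ProxyInfo,
                          connection_is_tls: bool,
                          trusted_header: Optional[str] = None) -> str:
    """Return the x-forwarded-proto value that would be set.

    The port mapping applies only when the config is non-empty AND the address
    was restored from PROXY protocol.  Everything else (feature disabled,
    PROXY UNKNOWN, a port in neither list) falls through to the standard
    behaviour: a trusted downstream header if present, else the TLS status of
    the connection.  Assumption: the HTTPS list is checked first.
    """
    configured = bool(cfg.https_destination_ports or cfg.http_destination_ports)
    if configured and proxy.restored and proxy.dst_port is not None:
        if proxy.dst_port in cfg.https_destination_ports:
            return "https"
        if proxy.dst_port in cfg.http_destination_ports:
            return "http"
    if trusted_header in ("http", "https"):
        return trusted_header
    return "https" if connection_is_tls else "http"


if __name__ == "__main__":
    cfg = ForwardedProtoConfig({443, 8443}, {80, 8080})
    cfg.validate()
    # Constructed header, as an NLB would send it after terminating TLS on 443.
    hdr = b"PROXY TCP4 192.0.2.10 203.0.113.5 51234 443\r\n"
    print(infer_forwarded_proto(cfg, parse_proxy_v1(hdr), connection_is_tls=False))
```

The `validate` step is the check worth carrying into any real deployment of this option: the two proto lists are plain `repeated uint32`, so a port that appears in both lists or exceeds 65535 is only caught if something checks for it.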

1 file changed

Lines changed: 44 additions & 1 deletion

File tree

envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -39,7 +39,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
3939
// HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
4040
// [#extension: envoy.filters.network.http_connection_manager]
4141

42-
// [#next-free-field: 61]
42+
// [#next-free-field: 62]
4343
message HttpConnectionManager {
4444
option (udpa.annotations.versioning).previous_message_type =
4545
"envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@@ -1051,6 +1051,49 @@ message HttpConnectionManager {
10511051
// This should be set to ``false`` in cases where Envoy's view of the downstream address may not correspond to the
10521052
// actual client address, for example, if there's another proxy in front of the Envoy.
10531053
google.protobuf.BoolValue add_proxy_protocol_connection_state = 53;
1054+
1055+
// Configuration for controlling how the ``x-forwarded-proto`` header is set.
1056+
// This allows customization of protocol inference, including support for inferring the original
1057+
// protocol (HTTP or HTTPS) from the PROXY protocol destination port.
1058+
//
1059+
// This is useful when a Layer 4 load balancer (such as AWS NLB) terminates TLS and uses
1060+
// PROXY protocol to communicate with Envoy.
1061+
//
1062+
// When configured and the local address was restored from PROXY protocol (indicating the
1063+
// original destination address is available), the ``x-forwarded-proto`` header will be set
1064+
// based on whether the destination port is in ``https_destination_ports`` or
1065+
// ``http_destination_ports``.
1066+
//
1067+
// Example configuration:
1068+
//
1069+
// .. code-block:: yaml
1070+
//
1071+
// http_connection_manager:
1072+
// forward_proto_config:
1073+
// https_destination_ports: [443, 8443]
1074+
// http_destination_ports: [80, 8080]
1075+
//
1076+
// If not configured, defaults to disabled and the standard behavior applies (using connection
1077+
// TLS status or trusted downstream headers).
1078+
ForwardProtoConfig forward_proto_config = 61;
1079+
}
1080+
1081+
// Configuration options for setting the ``x-forwarded-proto`` header.
1082+
// This message provides flexibility for future enhancements to protocol inference.
1083+
message ForwardProtoConfig {
1084+
// List of destination ports that should be treated as HTTPS.
1085+
// When the PROXY protocol destination port matches one of these ports,
1086+
// ``x-forwarded-proto`` will be set to ``https``.
1087+
//
1088+
// Common values: 443, 8443
1089+
repeated uint32 https_destination_ports = 1;
1090+
1091+
// List of destination ports that should be treated as HTTP.
1092+
// When the PROXY protocol destination port matches one of these ports,
1093+
// ``x-forwarded-proto`` will be set to ``http``.
1094+
//
1095+
// Common values: 80, 8080
1096+
repeated uint32 http_destination_ports = 2;
10541097
}
10551098

10561099
// The configuration to customize local reply returned by Envoy.
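Review bot: The identifiers in this hunk do not match the commit message: the message and its YAML example use `ForwardedProtoConfig` / `forwarded_proto_config`, while line 1078 declares `ForwardProtoConfig forward_proto_config = 61;`, line 1083 declares `message ForwardProtoConfig`, and the doc example at 1072 reads `forward_proto_config:`. The header being set is `x-forwarded-proto`, so the `forwarded_` spelling is the consistent one, and a proto field name cannot be changed compatibly once released, so settle this before merge. Two documentation gaps in the same hunk: the comment at 1076-1077 says what happens when the option is not configured, but not what happens when it is configured and the destination port is in neither list (the commit message says this case is unit-tested, so the fallback to the standard behaviour should be stated here), nor which list wins if a port appears in both; a validation rule bounding each port to 65535 would also catch typos at config load rather than at request time. Finally, the trust caveat on `add_proxy_protocol_connection_state` just above (1051-1052) applies equally here: the inferred `x-forwarded-proto` is only as trustworthy as the source of the PROXY header, so the doc should say this option is meant for listeners that receive PROXY protocol solely from a trusted load balancer.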
