envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

filter_chain_match does not apply to dynamic_forward_proxy HTTP targets #15348

Closed aSapien closed 3 years ago

aSapien commented 3 years ago

Title: Prefix ranges for destination CIDR do not match

Description: When using a filter chain match for destination using `prefix_ranges` (for example, 192.168.0.0/16), the filter chain is not found and the connection is closed.

Repro steps: Start a standard envoy docker container with the command and config (provided below). Once running, try to perform a request and match on the filter, reaching the dynamic_forward_proxy cluster.

Request command:

```sh
curl --proxy http://localhost:10000 http://192.168.0.1
```

The expected result is to have a "Filter match!" response (as defined in the direct_response route), but no response is returned (curl: (52) Empty reply from server) and the log shows that there was no matching filter.

Relevant log line:

```
[debug][conn_handler] [source/server/connection_handler_impl.cc:469] closing connection: no matching filter chain found
```

Envoy docker command:

```sh
docker run --rm -it -v $(pwd)/config.yaml:/config.yaml \
  -p 9901:9901 \
  -p 10000:10000 \
  envoyproxy/envoy:v1.17-latest \
  -c /config.yaml --log-level debug
```

Admin and Stats Output:

*/clusters*:

```sh
dynamic_forward_proxy_cluster::default_priority::max_connections::1024
dynamic_forward_proxy_cluster::default_priority::max_pending_requests::1024
dynamic_forward_proxy_cluster::default_priority::max_requests::1024
dynamic_forward_proxy_cluster::default_priority::max_retries::3
dynamic_forward_proxy_cluster::high_priority::max_connections::1024
dynamic_forward_proxy_cluster::high_priority::max_pending_requests::1024
dynamic_forward_proxy_cluster::high_priority::max_requests::1024
dynamic_forward_proxy_cluster::high_priority::max_retries::3
dynamic_forward_proxy_cluster::added_via_api::false
```
*/server_info*: (Click to expand) ```sh { "version": "d6a4496e712d7a2335b26e2f76210d5904002c26/1.17.1/Clean/RELEASE/BoringSSL", "state": "LIVE", "hot_restart_version": "11.104", "command_line_options": { "base_id": "0", "use_dynamic_base_id": false, "base_id_path": "", "concurrency": 4, "config_path": "/config.yaml", "config_yaml": "", "allow_unknown_static_fields": false, "reject_unknown_dynamic_fields": false, "ignore_unknown_dynamic_fields": false, "admin_address_path": "", "local_address_ip_version": "v4", "log_level": "debug", "component_log_level": "", "log_format": "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v", "log_format_escaped": false, "log_path": "", "service_cluster": "", "service_node": "", "service_zone": "", "drain_strategy": "Gradual", "mode": "Serve", "disable_hot_restart": false, "enable_mutex_tracing": false, "restart_epoch": 0, "cpuset_threads": false, "disabled_extensions": [], "bootstrap_version": 0, "enable_fine_grain_logging": false, "socket_path": "@envoy_domain_socket", "socket_mode": 0, "hidden_envoy_deprecated_max_stats": "0", "hidden_envoy_deprecated_max_obj_name_len": "0", "file_flush_interval": "10s", "drain_time": "600s", "parent_shutdown_time": "900s" }, "node": { "id": "", "cluster": "", "user_agent_name": "envoy", "user_agent_build_version": { "version": { "major_number": 1, "minor_number": 17, "patch": 1 }, "metadata": { "build.type": "RELEASE", "revision.sha": "d6a4496e712d7a2335b26e2f76210d5904002c26", "ssl.version": "BoringSSL", "revision.status": "Clean" } }, "extensions": [ { "name": "dubbo", "category": "envoy.dubbo_proxy.protocols", "type_descriptor": "", "disabled": false }, { "name": "envoy.dynamic.ot", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.lightstep", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.tracers.datadog", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.tracers.dynamic_ot", 
"category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.tracers.lightstep", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.tracers.opencensus", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.tracers.skywalking", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.tracers.xray", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.tracers.zipkin", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "envoy.zipkin", "category": "envoy.tracers", "type_descriptor": "", "disabled": false }, { "name": "udp_default_writer", "category": "envoy.udp_packet_writers", "type_descriptor": "", "disabled": false }, { "name": "udp_gso_batch_writer", "category": "envoy.udp_packet_writers", "type_descriptor": "", "disabled": false }, { "name": "envoy.bootstrap.wasm", "category": "envoy.bootstrap", "type_descriptor": "", "disabled": false }, { "name": "envoy.extensions.network.socket_interface.default_socket_interface", "category": "envoy.bootstrap", "type_descriptor": "", "disabled": false }, { "name": "envoy.extensions.http.cache.simple", "category": "envoy.http.cache", "type_descriptor": "", "disabled": false }, { "name": "quiche_quic_listener", "category": "envoy.udp_listeners", "type_descriptor": "", "disabled": false }, { "name": "raw_udp_listener", "category": "envoy.udp_listeners", "type_descriptor": "", "disabled": false }, { "name": "envoy.access_loggers.file", "category": "envoy.access_loggers", "type_descriptor": "", "disabled": false }, { "name": "envoy.access_loggers.http_grpc", "category": "envoy.access_loggers", "type_descriptor": "", "disabled": false }, { "name": "envoy.access_loggers.tcp_grpc", "category": "envoy.access_loggers", "type_descriptor": "", "disabled": false }, { "name": "envoy.access_loggers.wasm", "category": 
"envoy.access_loggers", "type_descriptor": "", "disabled": false }, { "name": "envoy.file_access_log", "category": "envoy.access_loggers", "type_descriptor": "", "disabled": false }, { "name": "envoy.http_grpc_access_log", "category": "envoy.access_loggers", "type_descriptor": "", "disabled": false }, { "name": "envoy.tcp_grpc_access_log", "category": "envoy.access_loggers", "type_descriptor": "", "disabled": false }, { "name": "envoy.wasm_access_log", "category": "envoy.access_loggers", "type_descriptor": "", "disabled": false }, { "name": "envoy.buffer", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.cors", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.csrf", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.ext_authz", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.ext_proc", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.fault", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.adaptive_concurrency", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.admission_control", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.aws_lambda", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.aws_request_signing", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.buffer", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.cache", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.cdn_loop", "category": "envoy.filters.http", "type_descriptor": 
"", "disabled": false }, { "name": "envoy.filters.http.compressor", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.cors", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.csrf", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.decompressor", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.dynamic_forward_proxy", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.dynamo", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.ext_authz", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.ext_proc", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.fault", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.grpc_http1_bridge", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.grpc_http1_reverse_bridge", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.grpc_json_transcoder", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.grpc_stats", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.grpc_web", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.gzip", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": "envoy.filters.http.header_to_metadata", "category": "envoy.filters.http", "type_descriptor": "", "disabled": false }, { "name": 
```

Config:

static_resources:
  listeners:
  - name: listener_0
    listener_filters:
    - name: envoy.listener.original_dst  # Make sure the original IP/PORT is being evaluated on the filter matched
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    use_original_dst: true  # Make sure the original IP/PORT is being evaluated on the filter matched
    filter_chains:
    - filter_chain_match:
        prefix_ranges:
        # Use this filter for destinations in this local network CIDR
        - address_prefix: 192.168.0.1
          prefix_len: 16
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: egress_edge
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                direct_response: # Verify the filter is matching
                  status: 200
                  body:
                    inline_string: |
                      Filter match!
          http_filters:
          - name: envoy.filters.http.dynamic_forward_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
              dns_cache_config:
                name: dynamic_forward_proxy_cache_config
                dns_lookup_family: V4_ONLY
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dynamic_forward_proxy_cluster
    connect_timeout: 1s
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY

*Logs*: ```sh
[source/common/upstream/cluster_manager_impl.cc:209] continue initializing secondary clusters [2021-03-06 23:12:20.797][1][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:140] maybe finish initialize state: 2 [2021-03-06 23:12:20.797][1][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:149] maybe finish initialize primary init clusters empty: true [2021-03-06 23:12:20.797][1][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:164] maybe finish initialize secondary init clusters empty: true [2021-03-06 23:12:20.797][1][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:185] maybe finish initialize cds api ready: false [2021-03-06 23:12:20.797][1][info][upstream] [source/common/upstream/cluster_manager_impl.cc:191] cm init: all clusters initialized [2021-03-06 23:12:20.797][1][warning][main] [source/server/server.cc:609] there is no configured limit to the number of allowed active connections. Set a limit via the runtime key overload.global_downstream_max_connections [2021-03-06 23:12:20.798][1][info][main] [source/server/server.cc:712] all clusters initialized. 
initializing init manager [2021-03-06 23:12:20.798][1][debug][init] [source/common/init/manager_impl.cc:53] init manager Server initializing [2021-03-06 23:12:20.798][1][debug][init] [source/common/init/target_impl.cc:15] init manager Server initializing target Listener-init-target listener_0 [2021-03-06 23:12:20.798][1][debug][init] [source/common/init/manager_impl.cc:49] init manager Listener-local-init-manager listener_0 18262469619681037125 contains no targets [2021-03-06 23:12:20.798][1][debug][init] [source/common/init/watcher_impl.cc:14] init manager Listener-local-init-manager listener_0 18262469619681037125 initialized, notifying Listener-local-init-watcher listener_0 [2021-03-06 23:12:20.798][1][debug][init] [source/common/init/watcher_impl.cc:14] target Listener-init-target listener_0 initialized, notifying init manager Server [2021-03-06 23:12:20.798][1][debug][init] [source/common/init/watcher_impl.cc:14] init manager Server initialized, notifying RunHelper [2021-03-06 23:12:20.798][1][info][config] [source/server/listener_manager_impl.cc:888] all dependencies initialized. 
starting workers [2021-03-06 23:12:20.799][1][debug][config] [source/server/listener_manager_impl.cc:899] starting worker 0 [2021-03-06 23:12:20.799][1][debug][config] [source/server/listener_manager_impl.cc:899] starting worker 1 [2021-03-06 23:12:20.799][1][debug][config] [source/server/listener_manager_impl.cc:899] starting worker 2 [2021-03-06 23:12:20.799][16][debug][main] [source/server/worker_impl.cc:127] worker entering dispatch loop [2021-03-06 23:12:20.799][1][debug][config] [source/server/listener_manager_impl.cc:899] starting worker 3 [2021-03-06 23:12:20.799][18][debug][main] [source/server/worker_impl.cc:127] worker entering dispatch loop [2021-03-06 23:12:20.799][16][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:947] adding TLS cluster dynamic_forward_proxy_cluster [2021-03-06 23:12:20.800][1][info][main] [source/server/server.cc:731] starting main dispatch loop [2021-03-06 23:12:20.800][19][debug][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread running [2021-03-06 23:12:20.800][18][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:947] adding TLS cluster dynamic_forward_proxy_cluster [2021-03-06 23:12:20.800][20][debug][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread running [2021-03-06 23:12:20.800][17][debug][main] [source/server/worker_impl.cc:127] worker entering dispatch loop [2021-03-06 23:12:20.800][15][debug][main] [source/server/worker_impl.cc:127] worker entering dispatch loop [2021-03-06 23:12:20.801][15][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:947] adding TLS cluster dynamic_forward_proxy_cluster [2021-03-06 23:12:20.801][22][debug][grpc] [source/common/grpc/google_async_client_impl.cc:50] completionThread running [2021-03-06 23:12:20.801][17][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:947] adding TLS cluster dynamic_forward_proxy_cluster [2021-03-06 23:12:20.801][21][debug][grpc] 
[source/common/grpc/google_async_client_impl.cc:50] completionThread running [2021-03-06 23:12:23.656][17][debug][filter] [source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted [2021-03-06 23:12:23.656][17][debug][filter] [source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted [2021-03-06 23:12:23.656][17][debug][conn_handler] [source/server/connection_handler_impl.cc:469] closing connection: no matching filter chain found ```

dio commented 3 years ago

cc. @lambdai

lambdai commented 3 years ago

I suspect the L4 original address is what localhost is resolved to. The 192.168 IP in the curl is not participating in the L4 address match. I can give it a try and update later today.

aSapien commented 3 years ago

@lambdai thanks! I was able to confirm your suspicion by doing the following:

  1. Change the filter_chain_match to:
        prefix_ranges:
        - address_prefix: 127.0.0.1
          prefix_len: 24
  2. Exec in the Envoy container and install curl:
    docker exec -it <container_id> /bin/bash
    apt update && apt install curl
  3. Test with curl:

    # Matches
    curl --proxy http://127.0.0.1:10000 http://google.com
    curl --proxy http://127.0.0.254:10000 http://google.com
    
    # Does not match
    curl --proxy http://127.0.1.1:10000 http://google.com

Can you advise how to filter the destination IP CIDRs when the Envoy cluster acts as a dynamic_forward_proxy ?


aSapien commented 3 years ago

To add more context, I would like to add what my final goal is:

I want Envoy to forward HTTP requests that are resolved to a private subnet destination IP via one dynamic forward cluster, and all the requests that resolve to public IP subnets via another.

lambdai commented 3 years ago

@aSapien Thank you for the update! Filter chain matching procedure happens immediately after envoy receives the tcp connection. I wouldn't expect to extend the functionality to parse the http request.

I don't see the solution that you can combine multiple httpfilter/cluster/router to reach your goal. Other smarter people can add.

I probably choose one from a) or b)

a) Use 2+ routes to select the target cluster from the 2 dynamic forward clusters

Since you are using dynamic_forward_proxy http filter and you expect branches after the dns resolve, you can write a new filter and insert after dynamic_forward_proxy. The new filter can

  1. consume the destination ip and map to route recognisable token, e.g. adding http header "X-ip-pool: private" or "x-ip-pool: public"
  2. refresh the route

Of course, you also need to populate the routes, one route with "X-ip-pool:"

b) Use dynamic forward cluster but different behaviors upon ip pool.

Alternatively, you can choose the same cluster for both private and public ip pool. And use the subset/match/upstream_config to choose different behavior. I had an example in https://github.com/envoyproxy/envoy/pull/13915 . I am not sure if the example code could work with dynamic_forward_cluster though.

aSapien commented 3 years ago

One more thing I just tried is using the domains list to match on the virtual_hosts configuration, instead of the filter_chain_match.

I was able to match the destination IP on the domains with a wildcard list using the http_connection_manager configuration below and running

          route_config:
            internal_only_headers: [] # TODO: Set internal headers
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "127.*"
              routes:
              - match: 
                  prefix: "/"
                direct_response:
                  status: 200
                  body:
                    inline_string: |
                      Filter match!

However, since domains wildcards cannot really describe or enforce target CIDR filters, this configuration is not suited to solve the above issue that occurs when Envoy is configured to be a dynamic forward proxy.
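
Added example, not part of the thread or of Envoy's code: a Python sketch of the check discussed above, classifying a request by its resolved destination address into the "x-ip-pool" token, next to a simplified model of a "127.*" domains entry to show why host-string wildcards cannot enforce a CIDR. The ranges in PRIVATE_RANGES, the SAMPLE_DNS answers and all function names are assumptions made for the illustration.

```python
import ipaddress

# Assumed pool definition: RFC 1918 ranges plus loopback are "private".
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed DNS answers (documentation ranges and .test names) so the
# example runs offline; a real filter would use the proxy's own resolution.
SAMPLE_DNS = {
    "www.example.test": ["203.0.113.10"],
    "internal.example.test": ["192.168.0.1"],
    "127.lookalike.example.test": ["203.0.113.66"],
    "mixed.example.test": ["203.0.113.20", "10.0.0.5"],
}


def host_without_port(authority):
    """Strip a trailing :port from a Host/authority value (IPv4 and names only)."""
    host, sep, port = authority.rpartition(":")
    return host if sep and port.isdigit() else authority


def wildcard_domain_match(pattern, authority):
    """Simplified model of a virtual host `domains` entry: string comparison
    with one leading or trailing "*". No address arithmetic is involved."""
    host = host_without_port(authority).lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def resolve(authority, dns=SAMPLE_DNS):
    """Return the addresses a request for `authority` would connect to."""
    host = host_without_port(authority).lower()
    try:
        return [ipaddress.ip_address(host)]          # IP literal, no lookup
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host, [])]


def ip_pool(authority, dns=SAMPLE_DNS):
    """Classify by resolved address. A name with any private answer is
    treated as private, so a mixed answer cannot reach the public route."""
    addrs = resolve(authority, dns)
    if not addrs:
        return "unresolved"
    if any(a in net for a in addrs for net in PRIVATE_RANGES):
        return "private"
    return "public"


def pool_header(authority, dns=SAMPLE_DNS):
    """The route-recognisable token from the thread, as a header to match on."""
    return {"x-ip-pool": ip_pool(authority, dns)}


if __name__ == "__main__":
    for target in ["127.0.0.1", "127.lookalike.example.test",
                   "internal.example.test", "192.168.0.1:8080",
                   "mixed.example.test", "www.example.test"]:
        print(f"{target:28} domains '127.*' match={wildcard_domain_match('127.*', target)!s:5} "
              f"{pool_header(target)}")
```

The classification only holds if the proxy then connects to the same address it classified, which is why the suggestion above places the new filter after dynamic_forward_proxy's own DNS resolution.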

aSapien commented 3 years ago

@lambdai thank you for the suggestions! I'm optimistic again :)

> a) ... consume the destination ip and map to route recognisable token

Can you please point me to any docs that would describe the process of implementing a new filter and how I can consume the destination IP from it?

> b) Use dynamic forward cluster but different behaviors upon ip pool.

Is it possible to configure the target IP "filter" from within the cluster configuration?

lambdai commented 3 years ago

> Can you please point me to any docs that would describe the process of implementing a new filter and how I can consume the destination IP from it?

I don't have the quick answer. You probably need to forge the existing https://github.com/envoyproxy/envoy/blob/main/source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc

lambdai commented 3 years ago

> Is it possible to configure the target IP "filter" from within the cluster configuration?

The upstream network filter within cluster: https://github.com/envoyproxy/envoy/blob/main/api/envoy/config/cluster/v3/cluster.proto#L963

aSapien commented 3 years ago

@lambdai I was thinking about this idea:

Create 2 listeners:

  1. Listener1 that directs all the traffic to the dynamic_forward_proxy cluster.
  2. Listener2 that has the filter_chain_match configured to match on specific IP CIDRs as in my example.

Then configure the dynamic_forward_proxy cluster to use Listener2 as the only available upstream.

Will the dynamic_forward_proxy resolve the DNS, and will the "target" IP (resolved from the host header domain) be the match candidate on the Listener2 filter chain?

lambdai commented 3 years ago

This generally works but there is a critical missing piece. The filter chain match is always attached to a listener (in your example listener2) which listens on some L4 address "*:80", or ":443".

To complete the last piece, you can

  1. Use iptables to redirect traffic to a port. Istio uses this mechanism, and redirects traffic to localport 15001. Thus you can use the listener "*:15001" and the filter chain matches there.
  2. I am creating a short path between cluster and listener in the same envoy process. See https://github.com/envoyproxy/envoy/issues/11725 The listener is WIP. But the wip listener allows the listener2 listening on an EnvoyInternalAddress (underlying is a string) and the destination address "public or private address" passed by metadata. When my part of work is done, the downstream filter chain match and upstream cluster can be stitched together at almost 0 cost.

aSapien commented 3 years ago

@lambdai thanks for explaining. I see now that there's quite the missing piece there.

> 1. Use iptables to redirect traffic to a port. Istio uses this mechanism, and redirects traffic to localport 15001. Thus you can use the listener "*:15001" and the filter chain matches there.

Wow, I was reading through this blog post assuming it might help me understand, but I'm not very experienced with iptables and this solution is too-advanced-for-production in my use-case. However, it looks very interesting and I will try to understand it fully.

> 1. I am creating a short path between cluster and listener in the same envoy process. See #11725 The listener is WIP. But the wip listener allows the listener2 listening on an EnvoyInternalAddress (underlying is a string) and the destination address "public or private address" passed by metadata.

From what I understand, in my use case a listener (listener2) will be able to act as a router/gateway for outgoing traffic from dynamic_forward_proxy cluster? So it will use the filter_chain_match and pass requests to any (public or private) upstream, given that the filter chain matched?

I really need the dynamic_forward_proxy to somehow respect a filter chain prefix_ranges and act similar to a squid-proxy acl dst.

I think that restricting the destination IPs is an important feature in forward proxies. It seems like (2) will require some wiring/configuration support on dynamic_forward_proxy side. Should I open a feature request?

lambdai commented 3 years ago

> Wow, I was reading through this blog post assuming it might help me understand, but I'm not very experienced with iptables and this solution is too-advanced-for-production in my use-case. However, it looks very interesting and I will try to understand it fully.

Yeah... It is somewhat overkill.

lambdai commented 3 years ago

> I really need the dynamic_forward_proxy to somehow respect a filter chain prefix_ranges and act similar to a squid-proxy acl dst.

+1. It can be done by adding functionality in dynamic_forward_proxy cluster, or by chaining the dynamic_forward_proxy and the internal listener I am proposing in https://github.com/envoyproxy/envoy/pull/15376

Both require a few changes in dynamic_forward_proxy. It's up to you whether you want to create a dedicated issue or CC more people in this one.

aSapien commented 3 years ago

Adding @mattklein123 @alyssawilk, the code owners of dynamic_forward_proxy 🙂

Dear code owners, I would love to have your blessing on the idea of enabling the filter-chain-match functionality (or equivalent) in the dynamic_forward_proxy. Any objections? Limitations? Complexity? WDYT?

mattklein123 commented 3 years ago

> Dear code owners, I would love to have your blessing on the idea of enabling the filter-chain-match functionality (or equivalent) in the dynamic_forward_proxy. Any objections? Limitations? Complexity? WDYT?

Is there a TL/DR summary of the changes you would like to see?

aSapien commented 3 years ago

@mattklein123

The idea is to have an ability to configure an ACL to filter the target upstream of a request coming out of the dynamic_forward_proxy cluster. So that when a client connects through Envoy's dynamic_forward_proxy, I would be able to configure allowed/disallowed upstream IPs/ports.

For example:

    curl --proxy http://<envoy_ip>:10000 http://<allowed_ip>:<allowed_port> # Should pass
    curl --proxy http://<envoy_ip>:10000 http://<disallowed_ip>:<or_allowed_port> # Should not pass
    curl --proxy http://<envoy_ip>:10000 http://<domain_resolving_to_disallowed_ip> # Should not pass

The cluster configuration could look as follows:

  clusters:
  - name: dynamic_forward_proxy_cluster
    connect_timeout: 1s
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
+       upstream_filters:
+         - upstream_filter_match:
+           prefix_ranges:
+           - address_prefix: 10.0.0.0
+             prefix_len: 8
+           filters:
+             - direct_response:
+               status: 403
+               body:
+                 inline_string: |
+                   Forbidden
+         - upstream_filter_match:
+           prefix_ranges:
+           - address_prefix: 0.0.0.0
+             prefix_len: 0
+           filters:
+             - proxy_pass: {}
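
Review bot: in the added upstream_filters entries, prefix_ranges is indented to the same column as upstream_filter_match, and status/body to the same column as direct_response, so a YAML parser reads them as sibling keys of an empty upstream_filter_match and an empty direct_response instead of as their children; indent them one level deeper. The sketch should also state how overlapping entries are resolved, because a 10.x destination matches both the 10.0.0.0/8 entry and the 0.0.0.0/0 catch-all, and the 403 only applies if evaluation is first-match or most-specific-wins. As written only 10.0.0.0/8 is denied, so the 192.168.0.0/16 range from the original report would fall through to proxy_pass.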

mattklein123 commented 3 years ago

Would a more general solution for ^ be upstream HTTP filters? https://github.com/envoyproxy/envoy/issues/10455 cc @snowp

snowp commented 3 years ago

Yeah I think it would be a good fit, we'd be able to couple this with the unified matching and composite filters to provide per match filter application

aSapien commented 3 years ago

@mattklein123 Of course, I would always prefer the general solution as long as it provides the building blocks to compose for a specific use-case :)

@snowp I see that there hadn't been much activity in #10455 recently. What can be done to push it forward?

snowp commented 3 years ago

I haven't had the time to work on it in a bit, though if someone wants to pick it up I would happily review. There is still quite a bit of work left, I had https://github.com/envoyproxy/envoy/pull/13095 open as a POC of integrating the filter manager with the router, which opens up for making upstream HTTP filters configurable via the API.

aSapien commented 3 years ago

I would pick it up but I'm afraid I need to catch up on my cpp first 😅

github-actions[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] commented 3 years ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.