1syntax = "proto3"; 2 3package envoy.config.core.v3; 4 5import "envoy/config/core/v3/extension.proto"; 6import "envoy/type/v3/percent.proto"; 7 8import "google/protobuf/duration.proto"; 9import "google/protobuf/wrappers.proto"; 10 11import "xds/annotations/v3/status.proto"; 12 13import "envoy/annotations/deprecation.proto"; 14import "udpa/annotations/status.proto"; 15import "udpa/annotations/versioning.proto"; 16import "validate/validate.proto"; 17 18option java_package = "io.envoyproxy.envoy.config.core.v3"; 19option java_outer_classname = "ProtocolProto"; 20option java_multiple_files = true; 21option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; 22option (udpa.annotations.file_status).package_version_status = ACTIVE; 23 24// [#protodoc-title: Protocol options] 25 26// [#not-implemented-hide:] 27message TcpProtocolOptions { 28 option (udpa.annotations.versioning).previous_message_type = 29 "envoy.api.v2.core.TcpProtocolOptions"; 30} 31 32// Config for keepalive probes in a QUIC connection. 33// Note that QUIC keep-alive probing packets work differently from HTTP/2 keep-alive PINGs in a sense that the probing packet 34// itself doesn't timeout waiting for a probing response. Quic has a shorter idle timeout than TCP, so it doesn't rely on such probing to discover dead connections. If the peer fails to respond, the connection will idle timeout eventually. Thus, they are configured differently from :ref:`connection_keepalive <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.connection_keepalive>`. 35message QuicKeepAliveSettings { 36 // The max interval for a connection to send keep-alive probing packets (with PING or PATH_RESPONSE). The value should be smaller than :ref:`connection idle_timeout <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.idle_timeout>` to prevent idle timeout while not less than 1s to avoid throttling the connection or flooding the peer with probes. 37 // 38 // If :ref:`initial_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.initial_interval>` is absent or zero, a client connection will use this value to start probing. 39 // 40 // If zero, disable keepalive probing. 41 // If absent, use the QUICHE default interval to probe. 42 google.protobuf.Duration max_interval = 1 [(validate.rules).duration = { 43 lte {} 44 gte {seconds: 1} 45 }]; 46 47 // The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`. And the probes afterwards will always use :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`. 48 // 49 // The value should be smaller than :ref:`connection idle_timeout <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.idle_timeout>` to prevent idle timeout and smaller than max_interval to take effect. 50 // 51 // If absent or zero, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>` is also zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time. 52 google.protobuf.Duration initial_interval = 2 [(validate.rules).duration = { 53 lte {} 54 gte {seconds: 1} 55 }]; 56} 57 58// QUIC protocol options which apply to both downstream and upstream connections. 59// [#next-free-field: 6] 60message QuicProtocolOptions { 61 // Maximum number of streams that the client can negotiate per connection. 100 62 // if not specified. 63 google.protobuf.UInt32Value max_concurrent_streams = 1 [(validate.rules).uint32 = {gte: 1}]; 64 65 // `Initial stream-level flow-control receive window 66 // <https://tools.ietf.org/html/draft-ietf-quic-transport-34#section-4.1>`_ size. Valid values range from 67 // 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16). 68 // 69 // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead. 70 // QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum. 71 // 72 // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the 73 // QUIC stream send and receive buffers. Once the buffer reaches this pointer, watermark callbacks will fire to 74 // stop the flow of data to the stream buffers. 75 google.protobuf.UInt32Value initial_stream_window_size = 2 76 [(validate.rules).uint32 = {lte: 16777216 gte: 1}]; 77 78 // Similar to ``initial_stream_window_size``, but for connection-level 79 // flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16). 80 // window. Currently, this has the same minimum/default as ``initial_stream_window_size``. 81 // 82 // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default 83 // window size now, so it's also the minimum. 84 google.protobuf.UInt32Value initial_connection_window_size = 3 85 [(validate.rules).uint32 = {lte: 25165824 gte: 1}]; 86 87 // The number of timeouts that can occur before port migration is triggered for QUIC clients. 88 // This defaults to 1. If set to 0, port migration will not occur on path degrading. 89 // Timeout here refers to QUIC internal path degrading timeout mechanism, such as PTO. 90 // This has no effect on server sessions. 91 google.protobuf.UInt32Value num_timeouts_to_trigger_port_migration = 4 92 [(validate.rules).uint32 = {lte: 5 gte: 0}]; 93 94 // Probes the peer at the configured interval to solicit traffic, i.e. ACK or PATH_RESPONSE, from the peer to push back connection idle timeout. 95 // If absent, use the default keepalive behavior of which a client connection sends PINGs every 15s, and a server connection doesn't do anything. 96 QuicKeepAliveSettings connection_keepalive = 5; 97} 98 99message UpstreamHttpProtocolOptions { 100 option (udpa.annotations.versioning).previous_message_type = 101 "envoy.api.v2.core.UpstreamHttpProtocolOptions"; 102 103 // Set transport socket `SNI <https://en.wikipedia.org/wiki/Server_Name_Indication>`_ for new 104 // upstream connections based on the downstream HTTP host/authority header or any other arbitrary 105 // header when :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>` 106 // is set, as seen by the :ref:`router filter <config_http_filters_router>`. 107 bool auto_sni = 1; 108 109 // Automatic validate upstream presented certificate for new upstream connections based on the 110 // downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>` 111 // is set, as seen by the :ref:`router filter <config_http_filters_router>`. 112 // This field is intended to be set with ``auto_sni`` field. 113 bool auto_san_validation = 2; 114 115 // An optional alternative to the host/authority header to be used for setting the SNI value. 116 // It should be a valid downstream HTTP header, as seen by the 117 // :ref:`router filter <config_http_filters_router>`. 118 // If unset, host/authority header will be used for populating the SNI. If the specified header 119 // is not found or the value is empty, host/authority header will be used instead. 120 // This field is intended to be set with ``auto_sni`` and/or ``auto_san_validation`` fields. 121 // If none of these fields are set then setting this would be a no-op. 122 string override_auto_sni_header = 3 123 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; 124} 125 126// Configures the alternate protocols cache which tracks alternate protocols that can be used to 127// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for 128// HTTP Alternative Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04 129// for the "HTTPS" DNS resource record. 130// [#next-free-field: 6] 131message AlternateProtocolsCacheOptions { 132 // Allows pre-populating the cache with HTTP/3 alternate protocols entries with a 7 day lifetime. 133 // This will cause Envoy to attempt HTTP/3 to those upstreams, even if the upstreams have not 134 // advertised HTTP/3 support. These entries will be overwritten by alt-svc 135 // response headers or cached values. 136 // As with regular cached entries, if the origin response would result in clearing an existing 137 // alternate protocol cache entry, pre-populated entries will also be cleared. 138 // Adding a cache entry with hostname=foo.com port=123 is the equivalent of getting 139 // response headers 140 // alt-svc: h3=:"123"; ma=86400" in a response to a request to foo.com:123 141 message AlternateProtocolsCacheEntry { 142 // The host name for the alternate protocol entry. 143 string hostname = 1 144 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; 145 146 // The port for the alternate protocol entry. 147 uint32 port = 2 [(validate.rules).uint32 = {lt: 65535 gt: 0}]; 148 } 149 150 // The name of the cache. Multiple named caches allow independent alternate protocols cache 151 // configurations to operate within a single Envoy process using different configurations. All 152 // alternate protocols cache options with the same name *must* be equal in all fields when 153 // referenced from different configuration components. Configuration will fail to load if this is 154 // not the case. 155 string name = 1 [(validate.rules).string = {min_len: 1}]; 156 157 // The maximum number of entries that the cache will hold. If not specified defaults to 1024. 158 // 159 // .. note: 160 // 161 // The implementation is approximate and enforced independently on each worker thread, thus 162 // it is possible for the maximum entries in the cache to go slightly above the configured 163 // value depending on timing. This is similar to how other circuit breakers work. 164 google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}]; 165 166 // Allows configuring a persistent 167 // :ref:`key value store <envoy_v3_api_msg_config.common.key_value.v3.KeyValueStoreConfig>` to flush 168 // alternate protocols entries to disk. 169 // This function is currently only supported if concurrency is 1 170 // Cached entries will take precedence over pre-populated entries below. 171 TypedExtensionConfig key_value_store_config = 3; 172 173 // Allows pre-populating the cache with entries, as described above. 174 repeated AlternateProtocolsCacheEntry prepopulated_entries = 4; 175 176 // Optional list of hostnames suffixes for which Alt-Svc entries can be shared. For example, if 177 // this list contained the value ``.c.example.com``, then an Alt-Svc entry for ``foo.c.example.com`` 178 // could be shared with ``bar.c.example.com`` but would not be shared with ``baz.example.com``. On 179 // the other hand, if the list contained the value ``.example.com`` then all three hosts could share 180 // Alt-Svc entries. Each entry must start with ``.``. If a hostname matches multiple suffixes, the 181 // first listed suffix will be used. 182 // 183 // Since lookup in this list is O(n), it is recommended that the number of suffixes be limited. 184 // [#not-implemented-hide:] 185 repeated string canonical_suffixes = 5; 186} 187 188// [#next-free-field: 7] 189message HttpProtocolOptions { 190 option (udpa.annotations.versioning).previous_message_type = 191 "envoy.api.v2.core.HttpProtocolOptions"; 192 193 // Action to take when Envoy receives client request with header names containing underscore 194 // characters. 195 // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented 196 // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore 197 // characters. 198 enum HeadersWithUnderscoresAction { 199 // Allow headers with underscores. This is the default behavior. 200 ALLOW = 0; 201 202 // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests 203 // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter 204 // is incremented for each rejected request. 205 REJECT_REQUEST = 1; 206 207 // Drop the client header with name containing underscores. The header is dropped before the filter chain is 208 // invoked and as such filters will not see dropped headers. The 209 // "httpN.dropped_headers_with_underscores" is incremented for each dropped header. 210 DROP_HEADER = 2; 211 } 212 213 // The idle timeout for connections. The idle timeout is defined as the 214 // period in which there are no active requests. When the 215 // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 216 // downstream connection a drain sequence will occur prior to closing the connection, see 217 // :ref:`drain_timeout 218 // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout>`. 219 // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. 220 // If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0. 221 // 222 // .. warning:: 223 // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP 224 // FIN packets, etc. 225 // 226 // If the :ref:`overload action <config_overload_manager_overload_actions>` "envoy.overload_actions.reduce_timeouts" 227 // is configured, this timeout is scaled for downstream connections according to the value for 228 // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE <envoy_v3_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_CONNECTION_IDLE>`. 229 google.protobuf.Duration idle_timeout = 1; 230 231 // The maximum duration of a connection. The duration is defined as a period since a connection 232 // was established. If not set, there is no max duration. When max_connection_duration is reached 233 // and if there are no active streams, the connection will be closed. If the connection is a 234 // downstream connection and there are any active streams, the drain sequence will kick-in, 235 // and the connection will be force-closed after the drain period. See :ref:`drain_timeout 236 // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout>`. 237 google.protobuf.Duration max_connection_duration = 3; 238 239 // The maximum number of headers. If unconfigured, the default 240 // maximum number of request headers allowed is 100. Requests that exceed this limit will receive 241 // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2. 242 google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}]; 243 244 // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be 245 // reset independent of any other timeouts. If not specified, this value is not set. 246 google.protobuf.Duration max_stream_duration = 4; 247 248 // Action to take when a client request with a header name containing underscore characters is received. 249 // If this setting is not specified, the value defaults to ALLOW. 250 // Note: upstream responses are not affected by this setting. 251 // Note: this only affects client headers. It does not affect headers added 252 // by Envoy filters and does not have any impact if added to cluster config. 253 HeadersWithUnderscoresAction headers_with_underscores_action = 5; 254 255 // Optional maximum requests for both upstream and downstream connections. 256 // If not specified, there is no limit. 257 // Setting this parameter to 1 will effectively disable keep alive. 258 // For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate. 259 google.protobuf.UInt32Value max_requests_per_connection = 6; 260} 261 262// [#next-free-field: 11] 263message Http1ProtocolOptions { 264 option (udpa.annotations.versioning).previous_message_type = 265 "envoy.api.v2.core.Http1ProtocolOptions"; 266 267 // [#next-free-field: 9] 268 message HeaderKeyFormat { 269 option (udpa.annotations.versioning).previous_message_type = 270 "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat"; 271 272 message ProperCaseWords { 273 option (udpa.annotations.versioning).previous_message_type = 274 "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords"; 275 } 276 277 oneof header_format { 278 option (validate.required) = true; 279 280 // Formats the header by proper casing words: the first character and any character following 281 // a special character will be capitalized if it's an alpha character. For example, 282 // "content-type" becomes "Content-Type", and "foo$b#$are" becomes "Foo$B#$Are". 283 // Note that while this results in most headers following conventional casing, certain headers 284 // are not covered. For example, the "TE" header will be formatted as "Te". 285 ProperCaseWords proper_case_words = 1; 286 287 // Configuration for stateful formatter extensions that allow using received headers to 288 // affect the output of encoding headers. E.g., preserving case during proxying. 289 // [#extension-category: envoy.http.stateful_header_formatters] 290 TypedExtensionConfig stateful_formatter = 8; 291 } 292 } 293 294 // Handle HTTP requests with absolute URLs in the requests. These requests 295 // are generally sent by clients to forward/explicit proxies. This allows clients to configure 296 // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the 297 // ``http_proxy`` environment variable. 298 google.protobuf.BoolValue allow_absolute_url = 1; 299 300 // Handle incoming HTTP/1.0 and HTTP 0.9 requests. 301 // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1 302 // style connect logic, dechunking, and handling lack of client host iff 303 // ``default_host_for_http_10`` is configured. 304 bool accept_http_10 = 2; 305 306 // A default host for HTTP/1.0 requests. This is highly suggested if ``accept_http_10`` is true as 307 // Envoy does not otherwise support HTTP/1.0 without a Host header. 308 // This is a no-op if ``accept_http_10`` is not true. 309 string default_host_for_http_10 = 3; 310 311 // Describes how the keys for response headers should be formatted. By default, all header keys 312 // are lower cased. 313 HeaderKeyFormat header_key_format = 4; 314 315 // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers. 316 // 317 // .. attention:: 318 // 319 // Note that this only happens when Envoy is chunk encoding which occurs when: 320 // - The request is HTTP/1.1. 321 // - Is neither a HEAD only request nor a HTTP Upgrade. 322 // - Not a response to a HEAD request. 323 // - The content length header is not present. 324 bool enable_trailers = 5; 325 326 // Allows Envoy to process requests/responses with both ``Content-Length`` and ``Transfer-Encoding`` 327 // headers set. By default such messages are rejected, but if option is enabled - Envoy will 328 // remove Content-Length header and process message. 329 // See `RFC7230, sec. 3.3.3 <https://tools.ietf.org/html/rfc7230#section-3.3.3>`_ for details. 330 // 331 // .. attention:: 332 // Enabling this option might lead to request smuggling vulnerability, especially if traffic 333 // is proxied via multiple layers of proxies. 334 // [#comment:TODO: This field is ignored when the 335 // :ref:`header validation configuration <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.typed_header_validation_config>` 336 // is present.] 337 bool allow_chunked_length = 6; 338 339 // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate 340 // HTTP/1.1 connections upon receiving an invalid HTTP message. However, 341 // when this option is true, then Envoy will leave the HTTP/1.1 connection 342 // open where possible. 343 // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging 344 // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`. 345 google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; 346 347 // Allows sending fully qualified URLs when proxying the first line of the 348 // response. By default, Envoy will only send the path components in the first line. 349 // If this is true, Envoy will create a fully qualified URI composing scheme 350 // (inferred if not present), host (from the host/:authority header) and path 351 // (from first line or :path header). 352 bool send_fully_qualified_url = 8; 353 354 // [#not-implemented-hide:] Hiding so that field can be removed after BalsaParser is rolled out. 355 // If set, force HTTP/1 parser: BalsaParser if true, http-parser if false. 356 // If unset, HTTP/1 parser is selected based on 357 // envoy.reloadable_features.http1_use_balsa_parser. 358 // See issue #21245. 359 google.protobuf.BoolValue use_balsa_parser = 9 360 [(xds.annotations.v3.field_status).work_in_progress = true]; 361 362 // [#not-implemented-hide:] Hiding so that field can be removed. 363 // If true, and BalsaParser is used (either `use_balsa_parser` above is true, 364 // or `envoy.reloadable_features.http1_use_balsa_parser` is true and 365 // `use_balsa_parser` is unset), then every non-empty method with only valid 366 // characters is accepted. Otherwise, methods not on the hard-coded list are 367 // rejected. 368 // Once UHV is enabled, this field should be removed, and BalsaParser should 369 // allow any method. UHV validates the method, rejecting empty string or 370 // invalid characters, and provides :ref:`restrict_http_methods 371 // <envoy_v3_api_field_extensions.http.header_validators.envoy_default.v3.HeaderValidatorConfig.restrict_http_methods>` 372 // to reject custom methods. 373 bool allow_custom_methods = 10 [(xds.annotations.v3.field_status).work_in_progress = true]; 374} 375 376message KeepaliveSettings { 377 // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive. 378 // If this is zero, interval PINGs will not be sent. 379 google.protobuf.Duration interval = 1 [(validate.rules).duration = {gte {nanos: 1000000}}]; 380 381 // How long to wait for a response to a keepalive PING. If a response is not received within this 382 // time period, the connection will be aborted. Note that in order to prevent the influence of 383 // Head-of-line (HOL) blocking the timeout period is extended when *any* frame is received on 384 // the connection, under the assumption that if a frame is received the connection is healthy. 385 google.protobuf.Duration timeout = 2 [(validate.rules).duration = { 386 required: true 387 gte {nanos: 1000000} 388 }]; 389 390 // A random jitter amount as a percentage of interval that will be added to each interval. 391 // A value of zero means there will be no jitter. 392 // The default value is 15%. 393 type.v3.Percent interval_jitter = 3; 394 395 // If the connection has been idle for this duration, send a HTTP/2 ping ahead 396 // of new stream creation, to quickly detect dead connections. 397 // If this is zero, this type of PING will not be sent. 398 // If an interval ping is outstanding, a second ping will not be sent as the 399 // interval ping will determine if the connection is dead. 400 // 401 // The same feature for HTTP/3 is given by inheritance from QUICHE which uses :ref:`connection idle_timeout <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.idle_timeout>` and the current PTO of the connection to decide whether to probe before sending a new request. 402 google.protobuf.Duration connection_idle_interval = 4 403 [(validate.rules).duration = {gte {nanos: 1000000}}]; 404} 405 406// [#next-free-field: 17] 407message Http2ProtocolOptions { 408 option (udpa.annotations.versioning).previous_message_type = 409 "envoy.api.v2.core.Http2ProtocolOptions"; 410 411 // Defines a parameter to be sent in the SETTINGS frame. 412 // See `RFC7540, sec. 6.5.1 <https://tools.ietf.org/html/rfc7540#section-6.5.1>`_ for details. 413 message SettingsParameter { 414 option (udpa.annotations.versioning).previous_message_type = 415 "envoy.api.v2.core.Http2ProtocolOptions.SettingsParameter"; 416 417 // The 16 bit parameter identifier. 418 google.protobuf.UInt32Value identifier = 1 [ 419 (validate.rules).uint32 = {lte: 65535 gte: 0}, 420 (validate.rules).message = {required: true} 421 ]; 422 423 // The 32 bit parameter value. 424 google.protobuf.UInt32Value value = 2 [(validate.rules).message = {required: true}]; 425 } 426 427 // `Maximum table size <https://httpwg.org/specs/rfc7541.html#rfc.section.4.2>`_ 428 // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values 429 // range from 0 to 4294967295 (2^32 - 1) and defaults to 4096. 0 effectively disables header 430 // compression. 431 google.protobuf.UInt32Value hpack_table_size = 1; 432 433 // `Maximum concurrent streams <https://httpwg.org/specs/rfc7540.html#rfc.section.5.1.2>`_ 434 // allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1) 435 // and defaults to 2147483647. 436 // 437 // For upstream connections, this also limits how many streams Envoy will initiate concurrently 438 // on a single connection. If the limit is reached, Envoy may queue requests or establish 439 // additional connections (as allowed per circuit breaker limits). 440 // 441 // This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given 442 // connection based on upstream settings. Config dumps will reflect the configured upper bound, 443 // not the per-connection negotiated limits. 444 google.protobuf.UInt32Value max_concurrent_streams = 2 445 [(validate.rules).uint32 = {lte: 2147483647 gte: 1}]; 446 447 // `Initial stream-level flow-control window 448 // <https://httpwg.org/specs/rfc7540.html#rfc.section.6.9.2>`_ size. Valid values range from 65535 449 // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456 450 // (256 * 1024 * 1024). 451 // 452 // NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default 453 // window size now, so it's also the minimum. 454 // 455 // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the 456 // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to 457 // stop the flow of data to the codec buffers. 458 google.protobuf.UInt32Value initial_stream_window_size = 3 459 [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; 460 461 // Similar to ``initial_stream_window_size``, but for connection-level flow-control 462 // window. Currently, this has the same minimum/maximum/default as ``initial_stream_window_size``. 463 google.protobuf.UInt32Value initial_connection_window_size = 4 464 [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; 465 466 // Allows proxying Websocket and other upgrades over H2 connect. 467 bool allow_connect = 5; 468 469 // [#not-implemented-hide:] Hiding until envoy has full metadata support. 470 // Still under implementation. DO NOT USE. 471 // 472 // Allows metadata. See [metadata 473 // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more 474 // information. 475 bool allow_metadata = 6; 476 477 // Limit the number of pending outbound downstream frames of all types (frames that are waiting to 478 // be written into the socket). Exceeding this limit triggers flood mitigation and connection is 479 // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due 480 // to flood mitigation. The default limit is 10000. 481 google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; 482 483 // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM, 484 // preventing high memory utilization when receiving continuous stream of these frames. Exceeding 485 // this limit triggers flood mitigation and connection is terminated. The 486 // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood 487 // mitigation. The default limit is 1000. 488 google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; 489 490 // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an 491 // empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but 492 // might be a result of a broken HTTP/2 implementation. The `http2.inbound_empty_frames_flood`` 493 // stat tracks the number of connections terminated due to flood mitigation. 494 // Setting this to 0 will terminate connection upon receiving first frame with an empty payload 495 // and no end stream flag. The default limit is 1. 496 google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; 497 498 // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number 499 // of PRIORITY frames received over the lifetime of connection exceeds the value calculated 500 // using this formula:: 501 // 502 // ``max_inbound_priority_frames_per_stream`` * (1 + ``opened_streams``) 503 // 504 // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when 505 // Envoy receives complete response headers from the upstream server. For upstream connection the 506 // ``opened_streams`` is incremented when Envoy send the HEADERS frame for a new stream. The 507 // ``http2.inbound_priority_frames_flood`` stat tracks 508 // the number of connections terminated due to flood mitigation. The default limit is 100. 509 google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; 510 511 // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number 512 // of WINDOW_UPDATE frames received over the lifetime of connection exceeds the value calculated 513 // using this formula:: 514 // 515 // 5 + 2 * (``opened_streams`` + 516 // ``max_inbound_window_update_frames_per_data_frame_sent`` * ``outbound_data_frames``) 517 // 518 // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when 519 // Envoy receives complete response headers from the upstream server. For upstream connections the 520 // ``opened_streams`` is incremented when Envoy sends the HEADERS frame for a new stream. The 521 // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to 522 // flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10. 523 // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control, 524 // but more complex implementations that try to estimate available bandwidth require at least 2. 525 google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 526 [(validate.rules).uint32 = {gte: 1}]; 527 528 // Allows invalid HTTP messaging and headers. When this option is disabled (default), then 529 // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, 530 // when this option is enabled, only the offending stream is terminated. 531 // 532 // This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging 533 // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>` 534 // iff present. 535 // 536 // This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message 537 // <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.override_stream_error_on_invalid_http_message>` 538 // 539 // See `RFC7540, sec. 8.1 <https://tools.ietf.org/html/rfc7540#section-8.1>`_ for details. 540 bool stream_error_on_invalid_http_messaging = 12 541 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; 542 543 // Allows invalid HTTP messaging and headers. When this option is disabled (default), then 544 // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, 545 // when this option is enabled, only the offending stream is terminated. 546 // 547 // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging 548 // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>` 549 // 550 // See `RFC7540, sec. 8.1 <https://tools.ietf.org/html/rfc7540#section-8.1>`_ for details. 551 google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14; 552 553 // [#not-implemented-hide:] 554 // Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions: 555 // 556 // 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by 557 // Envoy. 558 // 559 // 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field 560 // 'allow_connect'. 561 // 562 // Note that custom parameters specified through this field can not also be set in the 563 // corresponding named parameters: 564 // 565 // .. code-block:: text 566 // 567 // ID Field Name 568 // ---------------- 569 // 0x1 hpack_table_size 570 // 0x3 max_concurrent_streams 571 // 0x4 initial_stream_window_size 572 // 573 // Collisions will trigger config validation failure on load/update. Likewise, inconsistencies 574 // between custom parameters with the same identifier will trigger a failure. 575 // 576 // See `IANA HTTP/2 Settings 577 // <https://www.iana.org/assignments/http2-parameters/http2-parameters.xhtml#settings>`_ for 578 // standardized identifiers. 579 repeated SettingsParameter custom_settings_parameters = 13; 580 581 // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer 582 // does not respond within the configured timeout, the connection will be aborted. 583 KeepaliveSettings connection_keepalive = 15; 584 585 // [#not-implemented-hide:] Hiding so that the field can be removed after oghttp2 is rolled out. 586 // If set, force use of a particular HTTP/2 codec: oghttp2 if true, nghttp2 if false. 587 // If unset, HTTP/2 codec is selected based on envoy.reloadable_features.http2_use_oghttp2. 588 google.protobuf.BoolValue use_oghttp2_codec = 16 589 [(xds.annotations.v3.field_status).work_in_progress = true]; 590} 591 592// [#not-implemented-hide:] 593message GrpcProtocolOptions { 594 option (udpa.annotations.versioning).previous_message_type = 595 "envoy.api.v2.core.GrpcProtocolOptions"; 596 597 Http2ProtocolOptions http2_protocol_options = 1; 598} 599 600// A message which allows using HTTP/3. 601// [#next-free-field: 6] 602message Http3ProtocolOptions { 603 QuicProtocolOptions quic_protocol_options = 1; 604 605 // Allows invalid HTTP messaging and headers. When this option is disabled (default), then 606 // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However, 607 // when this option is enabled, only the offending stream is terminated. 608 // 609 // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging 610 // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`. 611 google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2; 612 613 // Allows proxying Websocket and other upgrades over HTTP/3 CONNECT using 614 // the header mechanisms from the `HTTP/2 extended connect RFC 615 // <https://datatracker.ietf.org/doc/html/rfc8441>`_ 616 // and settings `proposed for HTTP/3 617 // <https://datatracker.ietf.org/doc/draft-ietf-httpbis-h3-websockets/>`_ 618 // Note that HTTP/3 CONNECT is not yet an RFC. 619 bool allow_extended_connect = 5 [(xds.annotations.v3.field_status).work_in_progress = true]; 620} 621 622// A message to control transformations to the :scheme header 623message SchemeHeaderTransformation { 624 oneof transformation { 625 // Overwrite any Scheme header with the contents of this string. 626 string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}]; 627 } 628} 629