package envoy.extensions.filters.network.reverse_tunnel.v3
Get desktop application:
View/edit binary Protocol Buffers messages
message
reverse_tunnel.proto:87Configuration for the reverse tunnel network filter. This filter handles reverse tunnel connection acceptance and rejection by processing HTTP requests where required identification values are provided via HTTP headers. [#next-free-field: 6]
optional ping_interval = 1
Ping interval for health checks on established reverse tunnel connections. If not specified, defaults to ``2 seconds``.
bool auto_close_connections = 2
Whether to automatically close connections after processing reverse tunnel requests. * When set to ``true``, connections are closed after acceptance or rejection. * When set to ``false``, connections remain open for potential reuse. Defaults to ``false``.
string request_path = 3
HTTP path to match for reverse tunnel requests. If not specified, defaults to ``/reverse_connections/request``.
config.core.v3.RequestMethod request_method = 4
HTTP method to match for reverse tunnel requests. If not specified (``METHOD_UNSPECIFIED``), this defaults to ``GET``.
optional validation = 5
Optional validation configuration for node and cluster identifiers. If specified, the filter validates the ``x-envoy-reverse-tunnel-node-id`` and ``x-envoy-reverse-tunnel-cluster-id`` headers against expected values extracted using format strings. Requests that fail validation are rejected with HTTP ``403 Forbidden``.
message
reverse_tunnel.proto:25Validation configuration for reverse tunnel identifiers. Validates the node ID and cluster ID extracted from reverse tunnel handshake headers against expected values specified using format strings.
Used in:
string node_id_format = 1
Format string to extract the expected node identifier for validation. The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header from the incoming handshake request. If they do not match, the connection is rejected with HTTP ``403 Forbidden``. Supports Envoy's :ref:`command operators <config_access_log_command_operators>`: * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata. * ``%FILTER_STATE(key)%``: Extract expected value from filter state. * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address. * Plain strings: Use a static expected value. If empty, node ID validation is skipped. Example using dynamic metadata allowlist: .. code-block:: yaml node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"
string cluster_id_format = 2
Format string to extract the expected cluster identifier for validation. The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header from the incoming handshake request. If they do not match, the connection is rejected with HTTP ``403 Forbidden``. Supports the same :ref:`command operators <config_access_log_command_operators>` as ``node_id_format``. If empty, cluster ID validation is skipped. Example using filter state: .. code-block:: yaml cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"
bool emit_dynamic_metadata = 3
Whether to emit validation results as dynamic metadata. When enabled, the filter emits metadata under the namespace specified by ``dynamic_metadata_namespace`` containing: * ``node_id``: The actual node ID from the handshake request. * ``cluster_id``: The actual cluster ID from the handshake request. * ``validation_result``: Either ``allowed`` or ``denied``. This metadata can be used by subsequent filters or for access logging. Defaults to ``false``.
string dynamic_metadata_namespace = 4
Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``. If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.