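---
# Source: github.com/google/fleetspeak@v0.1.15-0.20240426164851-4f31f62c1aea
#         sandboxes/cleartext-xfcc-mode/envoy-https-http.yaml
#
# Envoy front proxy for the cleartext-XFCC sandbox.
#   * Downstream: TLS on 0.0.0.0:10000. A client certificate is required, but
#     its chain is not validated (ACCEPT_UNTRUSTED).
#   * Upstream: the `fleetspeak-server` cluster on port 9090. The cluster has no
#     transport_socket, so this hop is plaintext HTTP.
#   * The client certificate is passed upstream in the x-forwarded-client-cert
#     (XFCC) header.
# NOTE(review): presumably the Fleetspeak server derives client identity from
# that header - confirm. If so, only this proxy should be able to reach
# fleetspeak-server:9090, because any peer on the plaintext hop can set XFCC.
static_resources:
  listeners:
    - address:
        socket_address:
          # Binds every interface of the host/container.
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: AUTO
                stat_prefix: ingress_http
                # SANITIZE_SET replaces any XFCC header sent by the client with
                # the details of the certificate presented on this connection.
                # APPEND_FORWARD would keep a client-supplied XFCC value and
                # only append to it, which does not fit a listener that accepts
                # unvalidated certificates from arbitrary peers.
                forward_client_cert_details: SANITIZE_SET
                set_current_client_cert_details:
                  # Include the URL-encoded PEM certificate in the XFCC element.
                  cert: true
                proxy_100_continue: true
                access_log:
                  - name: envoy.access_loggers.stdout
                    typed_config:
                      # NOTE(review): this type URL has an extra `envoy/` path
                      # segment that the other @type values in this file do not
                      # have - confirm it is intended.
                      "@type": type.googleapis.com/envoy/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                      # Each request line also records the peer certificate
                      # fingerprint, the full peer certificate, the TLS version
                      # and the issuer, which helps trace a client identity.
                      log_format:
                        text_format: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" PFP: \"%DOWNSTREAM_PEER_FINGERPRINT_256%\" CERT: \"%DOWNSTREAM_PEER_CERT%\" TLS \"%DOWNSTREAM_TLS_VERSION%\" Issuer \"%DOWNSTREAM_PEER_ISSUER%\"\n"
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: app
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: fleetspeak-server
                            # 0s disables the route timeout and the per-route
                            # idle timeout, so a stream may stay open
                            # indefinitely.
                            # NOTE(review): presumably needed for long-lived
                            # Fleetspeak streams - confirm, and bound
                            # connections elsewhere if the listener is exposed.
                            timeout: 0s
                            idle_timeout: 0s
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              # The handshake fails unless the client presents a certificate.
              require_client_certificate: true
              common_tls_context:
                validation_context:
                  # Certificates that fail chain verification are still
                  # accepted. The proxy therefore does not authenticate the
                  # client; whoever consumes the forwarded certificate must.
                  trust_chain_verification: ACCEPT_UNTRUSTED
                tls_certificates:
                  # A self-signed certificate pair can be generated using:
                  # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'
                  # `-nodes` leaves the private key unencrypted, so keep the key
                  # file readable only by the Envoy process.
                  #
                  # The pair is loaded from files here; it can also be given as
                  # an inline_string. Reference: https://envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-datasource.
                  #
                  # Or in a dynamic configuration scenario, certificate pair can be fetched remotely via
                  # Secret Discovery Service (SDS). Reference: https://envoyproxy.io/docs/envoy/latest/configuration/security/secret.
                  - certificate_chain:
                      filename: /etc/cert.pem
                    private_key:
                      filename: /etc/key.pem

  clusters:
    # Upstream Fleetspeak server, resolved by DNS name and reached without TLS.
    - name: fleetspeak-server
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: fleetspeak-server
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: fleetspeak-server
                      port_value: 9090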