http: Support inferring X-Forwarded-Proto from PROXY protocol destination port#43088
… destination port

When using Layer 4 load balancers (like AWS NLB) that terminate TLS and forward traffic using PROXY protocol, Envoy receives unencrypted traffic but needs to know the original protocol for correct redirect behavior.

This change adds a new HCM configuration option `set_forwarded_proto_from_proxy_protocol_destination_port` that allows mapping PROXY protocol destination ports to schemes (e.g., 443 -> https, 80 -> http). When enabled and the local address was restored from PROXY protocol, the x-forwarded-proto header is set based on the configured port-to-scheme mapping.

Signed-off-by: Prashanth Josyula <prashanth.16@gmail.com>
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
@mattklein123 and @yanavlasov, can you please take a look at this PR?
wbpcode left a comment:
Thanks for this contribution. Some comments to API first.
```proto
// Configuration for setting x-forwarded-proto based on PROXY protocol destination port.
// This enables Envoy to infer the original protocol (HTTP/HTTPS) when behind an L4 load
// balancer that terminates TLS and uses PROXY protocol.
message SetForwardedProtoFromProxyProtocolDestinationPort {
```
ForwardedProtoOptions or ForwardedProtoConfig. We may support other, more flexible solutions in the future.
```proto
//
// The scheme values must be either "http" or "https".
// Invalid scheme values will be rejected during configuration loading.
map<uint32, string> port_scheme_mappings = 1;
```
Rather than a string, maybe https_destination_ports and http_destination_ports with type repeated uint32 would be better?
/retest
@wbpcode I have addressed your comments; can you please take a look?
wbpcode left a comment:
LGTM overall with one last comment. Thanks for the update.
```proto
//
// If not configured, defaults to disabled and the standard behavior applies (using connection
// TLS status or trusted downstream headers).
ForwardedProtoConfig forwarded_proto_config = 61;
```
Sorry for the regression. Maybe name the API ForwardProtoConfig, to keep the same style as the existing ForwardClientCertConfig.
/retest
@wbpcode addressed your comments!
Hello, @yanavlasov, I see you assigned this to yourself. Is there any additional concern from you?
…tion port (envoyproxy#43088)

When using Layer 4 load balancers (like AWS NLB) that terminate TLS and forward traffic using PROXY protocol, Envoy receives unencrypted traffic but needs to know the original protocol for correct redirect behavior.

This change adds a new HCM configuration option `forwarded_proto_config` that allows specifying which PROXY protocol destination ports should be treated as HTTPS or HTTP. When enabled and the local address was restored from PROXY protocol, the `x-forwarded-proto` header is set based on whether the destination port is in `https_destination_ports` or `http_destination_ports`.

Example configuration:

```yaml
http_connection_manager:
  forwarded_proto_config:
    https_destination_ports: [443, 8443]
    http_destination_ports: [80, 8080]
```

Risk Level: Low - opt-in feature that only activates when explicitly configured and when localAddressRestored() is true
Testing: Added 6 unit tests in conn_manager_utility_test.cc covering port 443/80 mapping, unmapped ports, empty config, non-restored address, and custom ports
Docs Changes: N/A
Release Notes: Added
Platform Specific Features:
[Optional Runtime guard:]
Fixes envoyproxy#43031
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
API Considerations: Added new message ForwardedProtoConfig and field forwarded_proto_config (envoyproxy#61) to HttpConnectionManager. The configuration uses two repeated uint32 fields (https_destination_ports and http_destination_ports) for type-safe port specification without requiring string validation.

---------

Signed-off-by: Prashanth Josyula <prashanth.16@gmail.com>
Signed-off-by: Gustavo <grnmeira@gmail.com>
Commit Message: http: add support for inferring x-forwarded-proto from PROXY protocol destination port
Additional Description:
When using Layer 4 load balancers (like AWS NLB) that terminate TLS and forward traffic using PROXY protocol, Envoy receives unencrypted traffic but needs to know the original protocol for correct redirect behavior.
This change adds a new HCM configuration option `forwarded_proto_config` that allows specifying which PROXY protocol destination ports should be treated as HTTPS or HTTP. When enabled and the local address was restored from PROXY protocol, the `x-forwarded-proto` header is set based on whether the destination port is in `https_destination_ports` or `http_destination_ports`.

Example configuration:
Risk Level: Low - opt-in feature that only activates when explicitly configured and when localAddressRestored() is true
Testing: Added 6 unit tests in conn_manager_utility_test.cc covering port 443/80 mapping, unmapped ports, empty config, non-restored address, and custom ports
Docs Changes: N/A
Release Notes: Added
Platform Specific Features:
[Optional Runtime guard:]
Fixes #43031
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
API Considerations: Added new message ForwardedProtoConfig and field forwarded_proto_config (#61) to HttpConnectionManager. The configuration uses two repeated uint32 fields (https_destination_ports and http_destination_ports) for type-safe port specification without requiring string validation.
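A complete listener wiring the new option together with the pieces it depends on, as an added example and not configuration from the PR: the `proxy_protocol` listener filter (which is what makes `localAddressRestored()` true), the `forwarded_proto_config` ports from the PR's example, and a `require_tls: EXTERNAL_ONLY` virtual host whose https redirect consumes the inferred header instead of a client-supplied one. The listener port, the cluster name `app` and the upstream address 127.0.0.1:3000 are placeholders.

```yaml
static_resources:
  listeners:
  - name: behind_nlb
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    listener_filters:
    # Without this filter localAddressRestored() stays false and forwarded_proto_config is a no-op.
    - name: envoy.filters.listener.proxy_protocol
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Ports from the PR's example: the load balancer's TLS listeners vs. its plaintext listeners.
          # A PROXY protocol destination port in neither list is not mapped (the PR's "unmapped ports" case).
          forwarded_proto_config:
            https_destination_ports: [443, 8443]
            http_destination_ports: [80, 8080]
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              # Redirect external plaintext requests to https; the decision now rests on the
              # x-forwarded-proto value derived from the PROXY protocol header.
              require_tls: EXTERNAL_ONLY
              routes:
              - match: { prefix: "/" }
                route: { cluster: app }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: app
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: app
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 3000 }
```

The PROXY protocol destination port is the port the client reached on the load balancer, not Envoy's own listener port, so the two lists describe the load balancer's listeners.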