Protocol detection after terminating CONNECT #13981
Comments
mpuncel
added
enhancement
|
agreed, if we had a way of dispatching to an "internal listener" that would be even better so that all of the normal listener filters could be used |
|
My experimental code at internal listener supports listener filter including tls inspector. It take time to land though |
mattklein123
added
area/http
and removed
enhancement
|
cc @alyssawilk I think this has come up multiple times. I'm not sure if we are tracking all of these requests in some holistic way. |
|
By this one do you mean protocol introspection, or for CONNECT specifically? I hadn't seen either so no tracking that I know of. I agree that while an HTTP filter inspecting data would be easiest, upstream TCP filters modeled off of the TLS inspector would be cleanest. |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
|
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions. |
Title: Protocol detection after terminating CONNECT
Description:
When using Envoy as an outbound CONNECT-terminating proxy, it forwards the payload of the HTTP request to the upstream as raw TCP. It would be useful to be able to detect the tunneled protocol for telemetry purposes, or even to block certain protocols (e.g. to block any plaintext traffic).
I'd guess the easiest way to accomplish this would be with upstream network filters, perhaps reusing a lot of code from listener filters such as TLS inspector?
The text was updated successfully, but these errors were encountered: