transport_socket(http_11_proxy): Add config for default proxy address (#42914)

tonya11en · web-flow · commit 7f86810cf4b4 · 2026-03-16T12:45:09.000-07:00
This patch adds an optional config parameter for specifying a default
proxy address to be used by the transport socket if a proxy address is
not found in the filter state metadata. If the parameter is not set,
behavior of the transport socket remains identical to before this patch.

Risk Level: Low. New parameter.
Testing: unit/integration
Docs Changes: config documented
Release Notes: done
Platform Specific Features: n/a

---------

Signed-off-by: Tony Allen &lt;txallen@google.com&gt;
Signed-off-by: Tony Allen &lt;tony@allen.gg&gt;
diff --git a/api/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto b/api/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto
@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.transport_sockets.http_11_proxy.v3;
 
+import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/base.proto";
 
 import "udpa/annotations/status.proto";
@@ -32,7 +33,14 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // using the key ``envoy.http11_proxy_transport_socket.proxy_address`` and the
 // proxy address in ``config::core::v3::Address`` format.
 //
+// If the ``default_proxy_address`` is set and proxy address is not found in
+// ``typed_filter_metadata``, the default proxy address is used.
+//
 message Http11ProxyUpstreamTransport {
   // The underlying transport socket being wrapped. Defaults to plaintext (raw_buffer) if unset.
   config.core.v3.TransportSocket transport_socket = 1;
+
+  // Specifies the default proxy address to use if the proxy address is not present in the
+  // ``typed_filter_metadata`` of the endpoint.
+  config.core.v3.Address default_proxy_address = 2;
 }
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -277,6 +277,10 @@ new_features:
   change: |
     Added custom metrics (counters, gauges, histograms) support to load balancer dynamic modules.
     Modules can now define metrics during configuration and record them during host selection.
+- area: http_11_proxy
+  change: |
+    Added ability to configure a default proxy address that is used when the proxy address is not
+    configured via metadata.
 - area: golang
   change: |
     Added ``DownstreamSslConnection()`` method to the Golang HTTP filter's ``StreamInfo`` interface,
diff --git a/envoy/network/transport_socket.h b/envoy/network/transport_socket.h
@@ -314,6 +314,13 @@ class UpstreamTransportSocketFactory : public virtual TransportSocketFactoryBase
   createTransportSocket(TransportSocketOptionsConstSharedPtr options,
                         std::shared_ptr<const Upstream::HostDescription> host) const PURE;
 
+  /**
+   * @return the default Http11ProxyInfo if configured, or nullopt.
+   */
+  virtual OptRef<const TransportSocketOptions::Http11ProxyInfo> defaultHttp11ProxyInfo() const {
+    return {};
+  }
+
   /**
    * Returns true if the transport socket created by this factory supports some form of ALPN
    * negotiation.
diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc
@@ -575,7 +575,8 @@ Host::CreateConnectionData HostImplBase::createHealthCheckConnection(
 
 absl::optional<Network::Address::InstanceConstSharedPtr> HostImplBase::maybeGetProxyRedirectAddress(
     const Network::TransportSocketOptionsConstSharedPtr transport_socket_options,
-    HostDescriptionConstSharedPtr host) {
+    HostDescriptionConstSharedPtr host,
+    const Network::UpstreamTransportSocketFactory& socket_factory) {
   if (transport_socket_options && transport_socket_options->http11ProxyInfo().has_value()) {
     return transport_socket_options->http11ProxyInfo()->proxy_address;
   }
@@ -618,6 +619,11 @@ absl::optional<Network::Address::InstanceConstSharedPtr> HostImplBase::maybeGetP
     return resolve_status.value();
   }
 
+  // Proxy address was not found in the metadata. If a default proxy address is set, return that.
+  if (socket_factory.defaultHttp11ProxyInfo().has_value()) {
+    return socket_factory.defaultHttp11ProxyInfo()->proxy_address;
+  }
+
   return absl::nullopt;
 }
 
@@ -632,7 +638,7 @@ Host::CreateConnectionData HostImplBase::createConnection(
   auto source_address_selector = cluster.getUpstreamLocalAddressSelector();
 
   absl::optional<Network::Address::InstanceConstSharedPtr> proxy_address =
-      maybeGetProxyRedirectAddress(transport_socket_options, host);
+      maybeGetProxyRedirectAddress(transport_socket_options, host, socket_factory);
 
   Network::ClientConnectionPtr connection;
   // If the transport socket options or endpoint/locality metadata indicate the connection should
diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h
@@ -450,7 +450,8 @@ class HostImplBase : public Host,
                    HostDescriptionConstSharedPtr host);
   static absl::optional<Network::Address::InstanceConstSharedPtr> maybeGetProxyRedirectAddress(
       const Network::TransportSocketOptionsConstSharedPtr transport_socket_options,
-      HostDescriptionConstSharedPtr host);
+      HostDescriptionConstSharedPtr host,
+      const Network::UpstreamTransportSocketFactory& socket_factory);
 
 private:
   // Helper function to check multiple health flags at once.
diff --git a/source/extensions/transport_sockets/http_11_proxy/BUILD b/source/extensions/transport_sockets/http_11_proxy/BUILD
@@ -22,6 +22,7 @@ envoy_cc_extension(
         "//envoy/registry",
         "//envoy/server:transport_socket_config_interface",
         "//source/common/config:utility_lib",
+        "//source/common/network:resolver_lib",
         "@envoy_api//envoy/extensions/transport_sockets/http_11_proxy/v3:pkg_cc_proto",
     ],
 )
diff --git a/source/extensions/transport_sockets/http_11_proxy/config.cc b/source/extensions/transport_sockets/http_11_proxy/config.cc
@@ -5,6 +5,8 @@
 #include "envoy/registry/registry.h"
 
 #include "source/common/config/utility.h"
+#include "source/common/network/address_impl.h"
+#include "source/common/network/resolver_impl.h"
 #include "source/extensions/transport_sockets/http_11_proxy/connect.h"
 
 namespace Envoy {
@@ -16,17 +18,30 @@ absl::StatusOr<Network::UpstreamTransportSocketFactoryPtr>
 UpstreamHttp11ConnectSocketConfigFactory::createTransportSocketFactory(
     const Protobuf::Message& message,
     Server::Configuration::TransportSocketFactoryContext& context) {
+
   const auto& outer_config = MessageUtil::downcastAndValidate<
       const envoy::extensions::transport_sockets::http_11_proxy::v3::Http11ProxyUpstreamTransport&>(
       message, context.messageValidationVisitor());
+
+  absl::optional<Network::TransportSocketOptions::Http11ProxyInfo> proxy_info;
+  if (outer_config.has_default_proxy_address()) {
+    auto address_or_error =
+        Network::Address::resolveProtoAddress(outer_config.default_proxy_address());
+    RETURN_IF_NOT_OK_REF(address_or_error.status());
+    // Hostname is unknown here, so we leave it empty. It will be filled in
+    // UpstreamHttp11ConnectSocket constructor from the host.
+    proxy_info.emplace("", address_or_error.value());
+  }
+
   auto& inner_config_factory = Config::Utility::getAndCheckFactory<
       Server::Configuration::UpstreamTransportSocketConfigFactory>(outer_config.transport_socket());
   ProtobufTypes::MessagePtr inner_factory_config = Config::Utility::translateToFactoryConfig(
       outer_config.transport_socket(), context.messageValidationVisitor(), inner_config_factory);
   auto factory_or_error =
       inner_config_factory.createTransportSocketFactory(*inner_factory_config, context);
   RETURN_IF_NOT_OK_REF(factory_or_error.status());
-  return std::make_unique<UpstreamHttp11ConnectSocketFactory>(std::move(factory_or_error.value()));
+  return std::make_unique<UpstreamHttp11ConnectSocketFactory>(std::move(factory_or_error.value()),
+                                                              proxy_info);
 }
 
 ProtobufTypes::MessagePtr UpstreamHttp11ConnectSocketConfigFactory::createEmptyConfigProto() {
diff --git a/source/extensions/transport_sockets/http_11_proxy/connect.cc b/source/extensions/transport_sockets/http_11_proxy/connect.cc
@@ -32,12 +32,24 @@ bool UpstreamHttp11ConnectSocket::isValidConnectResponse(absl::string_view respo
 UpstreamHttp11ConnectSocket::UpstreamHttp11ConnectSocket(
     Network::TransportSocketPtr&& transport_socket,
     Network::TransportSocketOptionsConstSharedPtr options,
-    std::shared_ptr<const Upstream::HostDescription> host)
+    std::shared_ptr<const Upstream::HostDescription> host,
+    absl::optional<Network::TransportSocketOptions::Http11ProxyInfo> proxy_info)
     : PassthroughSocket(std::move(transport_socket)), options_(options) {
   // If the filter state metadata has populated the relevant entries in the transport socket
   // options, we want to maintain the original behavior of this transport socket.
   if (options_ && options_->http11ProxyInfo()) {
-    handleProxyInfoConnect();
+    handleProxyInfoConnect(options_->http11ProxyInfo().value());
+    return;
+  }
+
+  if (proxy_info.has_value()) {
+    Network::TransportSocketOptions::Http11ProxyInfo actual_info = proxy_info.value();
+    if (actual_info.hostname.empty() && host) {
+      actual_info.hostname = host->hostname().empty() ? host->address()->asStringView()
+                                                      : absl::StrCat(host->hostname(), ":",
+                                                                     host->address()->ip()->port());
+    }
+    handleProxyInfoConnect(actual_info);
     return;
   }
 
@@ -61,11 +73,11 @@ std::string UpstreamHttp11ConnectSocket::formatConnectRequest(absl::string_view
   return absl::StrCat("CONNECT ", target, " HTTP/1.1\r\n", "Host: ", target, "\r\n\r\n");
 }
 
-inline void UpstreamHttp11ConnectSocket::handleProxyInfoConnect() {
+inline void UpstreamHttp11ConnectSocket::handleProxyInfoConnect(
+    const Network::TransportSocketOptions::Http11ProxyInfo& proxy_info) {
   if (transport_socket_->ssl()) {
     std::string target = absl::StrCat(
-        options_->http11ProxyInfo()->hostname,
-        Http::HeaderUtility::hostHasPort(options_->http11ProxyInfo()->hostname) ? "" : ":443");
+        proxy_info.hostname, Http::HeaderUtility::hostHasPort(proxy_info.hostname) ? "" : ":443");
 
     if (!Runtime::runtimeFeatureEnabled(
             "envoy.reloadable_features.http_11_proxy_connect_legacy_format")) {
@@ -192,8 +204,9 @@ Network::IoResult UpstreamHttp11ConnectSocket::writeHeader() {
 }
 
 UpstreamHttp11ConnectSocketFactory::UpstreamHttp11ConnectSocketFactory(
-    Network::UpstreamTransportSocketFactoryPtr transport_socket_factory)
-    : PassthroughFactory(std::move(transport_socket_factory)) {}
+    Network::UpstreamTransportSocketFactoryPtr transport_socket_factory,
+    absl::optional<Network::TransportSocketOptions::Http11ProxyInfo> proxy_info)
+    : PassthroughFactory(std::move(transport_socket_factory)), proxy_info_(proxy_info) {}
 
 Network::TransportSocketPtr UpstreamHttp11ConnectSocketFactory::createTransportSocket(
     Network::TransportSocketOptionsConstSharedPtr options,
@@ -202,7 +215,8 @@ Network::TransportSocketPtr UpstreamHttp11ConnectSocketFactory::createTransportS
   if (inner_socket == nullptr) {
     return nullptr;
   }
-  return std::make_unique<UpstreamHttp11ConnectSocket>(std::move(inner_socket), options, host);
+  return std::make_unique<UpstreamHttp11ConnectSocket>(std::move(inner_socket), options, host,
+                                                       proxy_info_);
 }
 
 void UpstreamHttp11ConnectSocketFactory::hashKey(
diff --git a/source/extensions/transport_sockets/http_11_proxy/connect.h b/source/extensions/transport_sockets/http_11_proxy/connect.h
@@ -32,9 +32,11 @@ class UpstreamHttp11ConnectSocket : public TransportSockets::PassthroughSocket,
   // @return a properly formatted CONNECT request string per RFC 9110 section 9.3.6.
   static std::string formatConnectRequest(absl::string_view target);
 
-  UpstreamHttp11ConnectSocket(Network::TransportSocketPtr&& transport_socket,
-                              Network::TransportSocketOptionsConstSharedPtr options,
-                              std::shared_ptr<const Upstream::HostDescription> host);
+  UpstreamHttp11ConnectSocket(
+      Network::TransportSocketPtr&& transport_socket,
+      Network::TransportSocketOptionsConstSharedPtr options,
+      std::shared_ptr<const Upstream::HostDescription> host,
+      absl::optional<Network::TransportSocketOptions::Http11ProxyInfo> proxy_info = absl::nullopt);
 
   void setTransportSocketCallbacks(Network::TransportSocketCallbacks& callbacks) override;
   Network::IoResult doWrite(Buffer::Instance& buffer, bool end_stream) override;
@@ -44,7 +46,8 @@ class UpstreamHttp11ConnectSocket : public TransportSockets::PassthroughSocket,
   void generateHeader();
   Network::IoResult writeHeader();
 
-  inline void handleProxyInfoConnect();
+  inline void
+  handleProxyInfoConnect(const Network::TransportSocketOptions::Http11ProxyInfo& proxy_info);
   inline void handleHostMetadataConnect(std::shared_ptr<const Upstream::HostDescription> host);
 
   Network::TransportSocketOptionsConstSharedPtr options_;
@@ -56,14 +59,26 @@ class UpstreamHttp11ConnectSocket : public TransportSockets::PassthroughSocket,
 class UpstreamHttp11ConnectSocketFactory : public PassthroughFactory {
 public:
   UpstreamHttp11ConnectSocketFactory(
-      Network::UpstreamTransportSocketFactoryPtr transport_socket_factory);
+      Network::UpstreamTransportSocketFactoryPtr transport_socket_factory,
+      absl::optional<Network::TransportSocketOptions::Http11ProxyInfo> proxy_info = absl::nullopt);
 
   // Network::TransportSocketFactory
   Network::TransportSocketPtr
   createTransportSocket(Network::TransportSocketOptionsConstSharedPtr options,
                         std::shared_ptr<const Upstream::HostDescription> host) const override;
   void hashKey(std::vector<uint8_t>& key,
                Network::TransportSocketOptionsConstSharedPtr options) const override;
+
+  OptRef<const Network::TransportSocketOptions::Http11ProxyInfo>
+  defaultHttp11ProxyInfo() const override {
+    if (!proxy_info_.has_value()) {
+      return {};
+    }
+    return {proxy_info_.value()};
+  }
+
+private:
+  const absl::optional<Network::TransportSocketOptions::Http11ProxyInfo> proxy_info_;
 };
 
 // This is a utility class for isValidConnectResponse. It is only exposed for
diff --git a/test/extensions/transport_sockets/http_11_proxy/BUILD b/test/extensions/transport_sockets/http_11_proxy/BUILD
@@ -34,6 +34,7 @@ envoy_extension_cc_test(
     extension_names = ["envoy.transport_sockets.http_11_proxy"],
     rbe_pool = "2core",
     deps = [
+        "//source/common/network:utility_lib",
         "//source/extensions/clusters/dynamic_forward_proxy:cluster",
         "//source/extensions/filters/http/dynamic_forward_proxy:config",
         "//source/extensions/filters/network/tcp_proxy:config",
diff --git a/test/extensions/transport_sockets/http_11_proxy/connect_integration_test.cc b/test/extensions/transport_sockets/http_11_proxy/connect_integration_test.cc
@@ -3,6 +3,8 @@
 #include "envoy/extensions/key_value/file_based/v3/config.pb.h"
 #include "envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.pb.h"
 
+#include "source/common/network/utility.h"
+
 #include "test/integration/http_integration.h"
 #include "test/integration/integration.h"
 
@@ -77,6 +79,21 @@ name: envoy.clusters.dynamic_forward_proxy
     } else if (upstream_tls_) {
       config_helper_.configureUpstreamTls(use_alpn_, try_http3_);
     }
+
+    if (pre_create_upstreams_) {
+      setUpstreamCount(0);
+      config_helper_.skipPortUsageValidation();
+      if (upstream_tls_) {
+        addFakeUpstream(createUpstreamTlsContext(upstreamConfig()), upstreamProtocol(), false);
+        addFakeUpstream(createUpstreamTlsContext(upstreamConfig()), upstreamProtocol(), false);
+      } else {
+        addFakeUpstream(upstreamProtocol());
+        addFakeUpstream(upstreamProtocol());
+      }
+      fake_upstreams_[1]->setDisableAllAndDoNotEnable(true);
+      default_proxy_address_ = fake_upstreams_[1]->localAddress();
+    }
+
     config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) {
       auto* transport_socket =
           bootstrap.mutable_static_resources()->mutable_clusters(0)->mutable_transport_socket();
@@ -88,6 +105,10 @@ name: envoy.clusters.dynamic_forward_proxy
       transport_socket->set_name("envoy.transport_sockets.http_11_proxy");
       envoy::extensions::transport_sockets::http_11_proxy::v3::Http11ProxyUpstreamTransport
           transport;
+      if (default_proxy_address_ != nullptr) {
+        Network::Utility::addressToProtobufAddress(*default_proxy_address_,
+                                                   *transport.mutable_default_proxy_address());
+      }
       transport.mutable_transport_socket()->MergeFrom(inner_socket);
       transport_socket->mutable_typed_config()->PackFrom(transport);
 
@@ -151,6 +172,9 @@ name: envoy.clusters.dynamic_forward_proxy
   // If true, we'll explicitly set the inner "transport_socket" field to raw buffer if it is not
   // configured.
   bool set_inner_transport_socket_ = true;
+
+  bool pre_create_upstreams_ = false;
+  Network::Address::InstanceConstSharedPtr default_proxy_address_;
 };
 
 INSTANTIATE_TEST_SUITE_P(IpVersions, Http11ConnectHttpIntegrationTest,
@@ -569,5 +593,41 @@ TEST_P(Http11ConnectHttpIntegrationTest, HostWithPort) {
   EXPECT_EQ("200", response->headers().getStatusValue());
 }
 
+TEST_P(Http11ConnectHttpIntegrationTest, ConfiguredProxy) {
+  pre_create_upstreams_ = true;
+  initialize();
+
+  // With a default proxy configured, the request gets proxied to fake upstream 1.
+  default_request_headers_.setCopy(Envoy::Http::LowerCaseString("foo"), "bar");
+  default_response_headers_.setCopy(Envoy::Http::LowerCaseString("foo"), "bar");
+  codec_client_ = makeHttpConnection(lookupPort("http"));
+  auto response = codec_client_->makeHeaderOnlyRequest(default_request_headers_);
+
+  // The request should be sent to fake upstream 1, due to the default proxy address.
+  ASSERT_TRUE(fake_upstreams_[1]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_));
+
+  // Verify the CONNECT request format. Since we are using a static cluster and
+  // default_proxy_address, the CONNECT target is the physical address of the upstream.
+  std::string prefix_data;
+  ASSERT_TRUE(fake_upstream_connection_->waitForInexactRawData("\r\n\r\n", prefix_data));
+  const std::string target = fake_upstreams_[0]->localAddress()->asString();
+  std::string expected_connect =
+      absl::StrCat("CONNECT ", target, " HTTP/1.1\r\n", "Host: ", target, "\r\n\r\n");
+  EXPECT_EQ(expected_connect, prefix_data);
+
+  // Ship the CONNECT response.
+  fake_upstream_connection_->writeRawData("HTTP/1.1 200 OK\r\n\r\n");
+
+  ASSERT_TRUE(fake_upstream_connection_->readDisable(false));
+  ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_));
+  ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_));
+  upstream_request_->encodeHeaders(default_response_headers_, true);
+
+  ASSERT_TRUE(response->waitForEndStream());
+  EXPECT_EQ("200", response->headers().getStatusValue());
+  ASSERT_FALSE(upstream_request_->headers().get(Http::LowerCaseString("foo")).empty());
+  ASSERT_FALSE(response->headers().get(Http::LowerCaseString("foo")).empty());
+}
+
 } // namespace
 } // namespace Envoy
diff --git a/test/extensions/transport_sockets/http_11_proxy/connect_test.cc b/test/extensions/transport_sockets/http_11_proxy/connect_test.cc

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ envoy_cc_extension(`
`22`	`22`	`"//envoy/registry",`
`23`	`23`	`"//envoy/server:transport_socket_config_interface",`
`24`	`24`	`"//source/common/config:utility_lib",`
	`25`	`+ "//source/common/network:resolver_lib",`
`25`	`26`	`"@envoy_api//envoy/extensions/transport_sockets/http_11_proxy/v3:pkg_cc_proto",`
`26`	`27`	`],`
`27`	`28`	`)`