Description
Title: starttls should set the ssl info (such as enabled, sni, etc.) so that downstream filters can use it
Description:
I'm currently using the postgres proxy filter with ssl termination via starttls. This works really well for ssl connections, but I also want to disable cleartext connections. Since postgres connections start in cleartext and upgrade to tls, I can't just use a filter_chain_match for this. It would be really nice to be able to do something like this to confirm that a TLS handshake for "my-database-server" occurred before forwarding any traffic to the database cluster:
listener_filters:
- name: envoy.filters.listener.tls_inspector
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
- filters:
  - name: envoy.filters.network.postgres_proxy
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy
      stat_prefix: postgres
      terminate_ssl: true
  - name: envoy.filters.network.rbac
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
      stat_prefix: sql_rbac
      rules:
        action: ALLOW
        policies:
          "sni":
            permissions:
            - requested_server_name:
                exact: "my-database-server"
            principals:
            - any: true
  - name: envoy.filters.network.tcp_proxy
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
      stat_prefix: destination
      cluster: my-db-cluster
      access_log:
      - name: envoy.access_loggers.stdout
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
  transport_socket:
    name: envoy.transport_sockets.starttls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
      tls_socket_config:
But this doesn't work because the starttls filter does not set the server name on the connection. As far as I can tell, it doesn't set any connection state or dynamic metadata based on the connection's TLS properties.
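To show why the first bytes of a PostgreSQL connection give a TLS inspector nothing to match on, here is an added Python example (not from this issue or from Envoy) that builds the client's cleartext SSLRequest and StartupMessage and classifies what a proxy sees first on the wire. The message codes are the PostgreSQL wire protocol's own; the returned labels are assumed names for this example.

```python
import struct

# Constants from the PostgreSQL frontend/backend protocol (version 3).
SSL_REQUEST_CODE = 80877103      # (1234 << 16) | 5679: SSLRequest
GSSENC_REQUEST_CODE = 80877104   # (1234 << 16) | 5680: GSSENCRequest
PROTOCOL_3_0 = 196608            # (3 << 16) | 0: StartupMessage protocol version


def build_ssl_request() -> bytes:
    """The 8-byte SSLRequest a client sends in cleartext before any TLS handshake."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def build_startup_message(params: dict) -> bytes:
    """A cleartext StartupMessage, i.e. a client that never asked for TLS at all."""
    body = struct.pack("!i", PROTOCOL_3_0)
    for key, value in params.items():
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"  # terminator of the parameter list
    return struct.pack("!i", len(body) + 4) + body  # length field counts itself


def classify_first_bytes(data: bytes) -> str:
    """Classify what a client sent first on a fresh connection.

    'tls-clienthello'      direct TLS: a TLS inspector could read SNI here
    'pg-sslrequest'        cleartext SSLRequest; TLS only starts after the server answers 'S'
    'pg-gssenc'            cleartext GSSENCRequest
    'pg-cleartext-startup' the client skipped encryption entirely (what the issue wants to reject)
    'unknown'              not enough data, or none of the above
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-clienthello"
    if len(data) < 8:
        return "unknown"
    length, code = struct.unpack("!ii", data[:8])
    if length == 8 and code == SSL_REQUEST_CODE:
        return "pg-sslrequest"
    if length == 8 and code == GSSENC_REQUEST_CODE:
        return "pg-gssenc"
    if length >= 8 and code == PROTOCOL_3_0:
        return "pg-cleartext-startup"
    return "unknown"
```

Only the first case carries a ClientHello at the start of the stream, which is why a listener-level tls_inspector or filter_chain_match cannot see the SNI of a STARTTLS-upgraded PostgreSQL session; that information exists only after the postgres_proxy filter has negotiated the upgrade.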