Dynamic forward proxy

HTTP dynamic forward proxy support should be considered alpha and not production ready.

The following is a complete configuration that configures both the dynamic forward proxy HTTP filter as well as the . Both filter and cluster must be configured together and point to the same DNS cache parameters for Envoy to operate as an HTTP dynamic forward proxy.

This filter supports host rewrite via the or the route’s per_filter_config. This can be used to rewrite the host header with the provided value before DNS lookup, thus allowing to route traffic to the rewritten host when forwarding. See the example below within the configured routes.

Note

Configuring a on the cluster with trusted_ca certificates instructs Envoy to use TLS when connecting to upstream hosts and verify the certificate chain. Additionally, Envoy will automatically perform SAN verification for the resolved host name as well as specify the host name via SNI.

The dynamic forward proxy DNS cache outputs statistics in the dns_cache.<dns_cache_name>.* namespace.