Support Envoy's forwarded_proto_config for PROXY Protocol destination port-based X-Forwarded-Proto #7392
Description
Summary:
Envoy recently added forwarded_proto_config to infer X-Forwarded-Proto from PROXY Protocol
destination port (envoyproxy/envoy#43031, merged via envoyproxy/envoy#43088).
This enables proper HTTP→HTTPS redirect when using AWS NLB TLS termination + PROXY Protocol v2.
Envoy Configuration (new feature in main, will be in next release):
http_connection_manager:
forwarded_proto_config:
https_destination_ports: [443, 8443]
http_destination_ports: [80, 8080]Requested Feature:
Expose this in ContourConfiguration, likely under envoy.listener alongside existing useProxyProtocol:
apiVersion: projectcontour.io/v1alpha1
kind: ContourConfiguration
spec:
envoy:
listener:
useProxyProtocol: true
forwardedProtoConfig: # NEW
httpsDestinationPorts: [443]
httpDestinationPorts: [80]Implementation Notes:
- Current PROXY Protocol handling:
internal/xdscache/v3/listener.go→proxyProtocol() - New config goes in:
internal/envoy/v3/listener.go→httpConnectionManagerBuilder - The
forwarded_proto_configis set on HCM, not on the listener filter
Use Case:
AWS NLB terminates TLS (ACM certificates) → PROXY Protocol v2 → Contour/Envoy.
Without this, X-Forwarded-Proto is always http, causing redirect loops with HTTPProxy's
tls.secretName (secure-first policy).
References:
- Envoy PR: http: Support inferring X-Forwarded-Proto from PROXY protocol destination port envoyproxy/envoy#43088
- Envoy Issue: Support inferring X-Forwarded-Proto from PROXY Protocol destination port envoyproxy/envoy#43031
- Related Contour docs issue: SSL Termination on AWS NLB to avoid managing certs in contour #2441