listener: deprecate use_proxy_proto

api/envoy/config/listener/v3/listener_components.proto

@@ -218,7 +218,11 @@ message FilterChain {
   // load balancers including the AWS ELB support this option. If the option is
   // absent or set to false, Envoy will use the physical peer address of the
   // connection as the remote address.
-  google.protobuf.BoolValue use_proxy_proto = 4;
+  //
+  // This field is deprecated. Add a
+  // :ref:`PROXY protocol listener filter <config_listener_filters_proxy_protocol>`
+  // explicitly instead.
+  google.protobuf.BoolValue use_proxy_proto = 4 [deprecated = true];
 
   // [#not-implemented-hide:] filter chain metadata.
   core.v3.Metadata metadata = 5;

configs/envoy_double_proxy.template.yaml

@@ -5,6 +5,12 @@
       protocol: {{protocol}}
       address: {{address}}
       port_value: {{port_value}}
+  {% if proxy_proto %}
+  listener_filters:
+  - name: envoy.filters.listener.proxy_protocol
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+  {% endif %}
   filter_chains:
   - filter_chain_match: {}
     {% if tls %}
@@ -23,9 +29,6 @@
           - h2
           - http/1.1
     {% endif %}
-    {% if proxy_proto %}
-    use_proxy_proto: true
-    {%endif -%}
     filters:
     - name: envoy.filters.network.http_connection_manager
       typed_config:

configs/envoy_front_proxy.template.yaml

@@ -7,6 +7,12 @@
       protocol: {{protocol}}
       address: {{address}}
       port_value: {{port_value}}
+  {% if proxy_proto %}
+  listener_filters:
+  - name: envoy.filters.listener.proxy_protocol
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+  {% endif %}
   filter_chains:
   {% if tls %}
   - transport_socket:
@@ -28,9 +34,6 @@
             #double proxy configuration.
             verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000"
           {% endif %}
-    {%if proxy_proto%}
-    use_proxy_proto: true
-    {%endif%}
   {%endif %}
     filters:
     - name: envoy.filters.network.http_connection_manager

configs/google-vrp/envoy-edge.yaml

@@ -27,6 +27,11 @@ static_resources:
         address: 0.0.0.0
         port_value: 10000
     per_connection_buffer_limit_bytes: 32768 # 32 KiB
+    # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
+    # listener_filters:
+    # - name: envoy.filters.listener.proxy_protocol
+    #   typed_config:
+    #     "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
     filter_chains:
     - transport_socket:
         name: envoy.transport_sockets.tls
@@ -36,8 +41,6 @@ static_resources:
             tls_certificates:
             - certificate_chain: { filename: "certs/servercert.pem" }
               private_key: { filename: "certs/serverkey.pem" }
-      # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
-      # use_proxy_proto: true
       filters:
       - name: envoy.filters.network.http_connection_manager
         typed_config:

docs/root/configuration/best_practices/_include/edge.yaml

@@ -34,6 +34,10 @@ static_resources:
     listener_filters:
     - name: "envoy.filters.listener.tls_inspector"
       typed_config: {}
+    # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
+    # - name: envoy.filters.listener.proxy_protocol
+    #   typed_config:
+    #     "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
     per_connection_buffer_limit_bytes: 32768 # 32 KiB
     filter_chains:
     - filter_chain_match:
@@ -46,8 +50,6 @@ static_resources:
             tls_certificates:
             - certificate_chain: { filename: "certs/servercert.pem" }
               private_key: { filename: "certs/serverkey.pem" }
-      # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
-      # use_proxy_proto: true
       filters:
       - name: envoy.filters.network.http_connection_manager
         typed_config:

docs/root/configuration/http/http_conn_man/headers.rst

@@ -506,7 +506,7 @@ Supported variable names are:
     .. note::
 
       This may not be the physical remote address of the peer if the address has been inferred from
-      :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>` or :ref:`x-forwarded-for
+      :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>` or :ref:`x-forwarded-for
       <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%

docs/root/configuration/observability/access_log/usage.rst

@@ -322,7 +322,7 @@ The following command operators are supported:
   .. note::
 
     This may not be the physical remote address of the peer if the address has been inferred from
-    :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>` or :ref:`x-forwarded-for
+    :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>` or :ref:`x-forwarded-for
     <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%
@@ -332,7 +332,7 @@ The following command operators are supported:
   .. note::
 
     This may not be the physical remote address of the peer if the address has been inferred from
-    :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>` or :ref:`x-forwarded-for
+    :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>` or :ref:`x-forwarded-for
     <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_DIRECT_REMOTE_ADDRESS%
@@ -342,7 +342,7 @@ The following command operators are supported:
   .. note::
 
     This is always the physical remote address of the peer even if the downstream remote address has
-    been inferred from :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>`
+    been inferred from :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>`
     or :ref:`x-forwarded-for <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT%
@@ -352,7 +352,7 @@ The following command operators are supported:
   .. note::
 
     This is always the physical remote address of the peer even if the downstream remote address has
-    been inferred from :ref:`proxy proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>`
+    been inferred from :ref:`Proxy Protocol filter <config_listener_filters_proxy_protocol>`
     or :ref:`x-forwarded-for <config_http_conn_man_headers_x-forwarded-for>`.
 
 %DOWNSTREAM_LOCAL_ADDRESS%

docs/root/version_history/current.rst

@@ -104,6 +104,7 @@ Deprecated
 * compression: the fields :ref:`content_length <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.content_length>`, :ref:`content_type <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.content_type>`, :ref:`disable_on_etag_header <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.disable_on_etag_header>`, :ref:`remove_accept_encoding_header <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.remove_accept_encoding_header>` and :ref:`runtime_enabled <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.runtime_enabled>` of the :ref:`Compressor <envoy_v3_api_msg_extensions.filters.http.compressor.v3.Compressor>` message have been deprecated in favor of :ref:`response_direction_config <envoy_v3_api_field_extensions.filters.http.compressor.v3.Compressor.response_direction_config>`.
 * formatter: :ref:`text_format <envoy_v3_api_field_config.core.v3.SubstitutionFormatString.text_format>` is now deprecated in favor of :ref:`text_format_source <envoy_v3_api_field_config.core.v3.SubstitutionFormatString.text_format_source>`. To migrate existing text format strings, use the :ref:`inline_string <envoy_v3_api_field_config.core.v3.DataSource.inline_string>` field.
 * gzip: :ref:`HTTP Gzip filter <config_http_filters_gzip>` is rejected now unless explicitly allowed with :ref:`runtime override <config_runtime_deprecation>` `envoy.deprecated_features.allow_deprecated_gzip_http_filter` set to `true`.
+* listener: :ref:`use_proxy_proto <envoy_v3_api_field_config.listener.v3.FilterChain.use_proxy_proto>` has been deprecated in favor of adding a :ref:`PROXY protocol listener filter <config_listener_filters_proxy_protocol>` explicitly.
 * logging: the `--log-format-prefix-with-location` option is removed.
 * ratelimit: the :ref:`dynamic metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.dynamic_metadata>` action is deprecated in favor of the more generic :ref:`metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.metadata>` action.
 * stats: the `--use-fake-symbol-table` option is removed.

test/server/listener_manager_impl_test.cc

@@ -4745,7 +4745,7 @@ TEST_F(ListenerManagerImplForInPlaceFilterChainUpdateTest,
 }
 
 TEST_F(ListenerManagerImplForInPlaceFilterChainUpdateTest,
-       TraditionalUpdateIfImplicitProxyProtocolChanges) {
+       DEPRECATED_FEATURE_TEST(TraditionalUpdateIfImplicitProxyProtocolChanges)) {
 
   EXPECT_CALL(*worker_, start(_));
   manager_->startWorkers(guard_dog_);