envoy.yaml

admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite: www.google.com
                  cluster: service_google
          access_log:
            name: envoy.file_access_log
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
              path: /dev/stdout
              json_format:
                protocol: "%PROTOCOL%"
                cluster:  "%UPSTREAM_CLUSTER%"
                startTime:  "%START_TIME%"
                duration: "%RESPONSE_TX_DURATION%"
                response_code: "%RESPONSE_CODE%"
                upstream_serviceTime: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
                upstream_host: "%UPSTREAM_HOST%"
                path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
                bytes_received: "%BYTES_RECEIVED%"
                request_duration: "%REQUEST_DURATION%"
          http_filters:
#          - name: envoy.grpc_web
          - name: envoy.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
              grpc_service:
                envoy_grpc:
                  cluster_name: ext-authz
                # Default is 200ms; override if your server needs e.g. warmup time.
                timeout: 10s
#              include_peer_certificate: false
          - name: envoy.filters.http.lua
            typed_config:
              "@type": type.googleapis.com/envoy.config.filter.http.lua.v2.Lua
              inline_code: |
                function envoy_on_response(response_handle)
                  body_size = response_handle:body():length()
                  response_handle:headers():add("response-body-size", tostring(body_size))
                  response_handle:headers():add("upstream_foo", "foo")
                end
          - name: envoy.filters.http.tap
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.tap.v3.Tap
              common_config:
                static_config:
                  match_config:
                    http_response_headers_match:
                      headers:
                        - name: upstream_foo
                          exact_match: foo
                  output_config:
#                    streaming: true
                    sinks:
                      - format: JSON_BODY_AS_STRING
                        file_per_tap:
                          path_prefix: /taps/any
          - name: envoy.cors
            typed_config: {}
          - name: envoy.router
            config: {}
  clusters:
  - name: service_google
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_google
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.google.com
                port_value: 443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
        sni: www.google.com
  - name: ext-authz
    type: static
    http2_protocol_options: {}
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 172.17.0.1
                port_value: 8081

    # This timeout controls the initial TCP handshake timeout - not the timeout for the
    # entire request.
    connect_timeout: 0.25s

  - name: analytics
    connect_timeout: 1s
    type: static
    lb_policy: round_robin
    load_assignment:
      cluster_name: analytics
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 172.17.0.1
                port_value: 9806

stats_sinks:
  name: envoy.stat_sinks.statsd
  config:
    address:
      socket_address:
        address: 127.0.0.1
        port_value: 8125

#  - name: zipkin
#    connect_timeout: 1s
#    type: strict_dns
#    lb_policy: round_robin
#    load_assignment:
#      cluster_name: zipkin
#      endpoints:
#      - lb_endpoints:
#        - endpoint:
#            address:
#              socket_address:
#                address: 172.17.0.1
#                port_value: 9411