# Filter chain matching

Filter chain matching is a core function of Envoy listeners: it selects the appropriate filter chain to handle a connection based on the connection's attributes.
## Filter chain concept

A filter chain is an ordered set of network filters that handles a particular kind of connection. Each listener can carry several filter chains, and matching rules decide which chain is used for a given connection.
## Matching rules

### Destination port matching

Match on the destination port of the connection. Note that the listener below is bound to port 10000 while the rule asks for destination port 80: the port compared by the matcher is the local port of the accepted connection, so this rule only fires when the listener receives redirected traffic whose original destination has been restored by the `envoy.filters.listener.original_dst` listener filter.

```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 10000
  filter_chains:
  - filter_chain_match:
      destination_port: 80
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          name: local_route
          virtual_hosts:
          - name: local_service
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: some_service
```
### Server name matching

Match on the TLS SNI (Server Name Indication) sent in the ClientHello. SNI, ALPN and the transport protocol are only visible to the matcher when the `envoy.filters.listener.tls_inspector` listener filter is configured, so it is included here:

```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  listener_filters:
  - name: envoy.filters.listener.tls_inspector   # reads SNI/ALPN from the ClientHello before chain selection
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  - filter_chain_match:
      server_names: ["example.com"]
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "/etc/ssl/certs/example.com.crt"
            private_key:
              filename: "/etc/ssl/private/example.com.key"
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          name: local_route
          virtual_hosts:
          - name: example_com
            domains: ["example.com"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: example_service
```
### Application protocol matching

Match on ALPN (Application-Layer Protocol Negotiation). `application_protocols` in the match is compared against the protocols the client offered in its ClientHello (extracted by the TLS inspector), whereas `alpn_protocols` in the transport socket is what the server is willing to negotiate:

```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  listener_filters:
  - name: envoy.filters.listener.tls_inspector   # required for ALPN to be available to the matcher
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  - filter_chain_match:
      application_protocols: ["h2", "http/1.1"]
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          # tls_certificates are not shown in this excerpt; a DownstreamTlsContext needs them (or SDS) to serve TLS
          alpn_protocols: ["h2", "http/1.1"]
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          name: local_route
          virtual_hosts:
          - name: local_service
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: some_service
```
### Transport protocol matching

Match on the detected transport protocol. The value is set by a listener filter: the TLS inspector reports `tls` when it sees a ClientHello, and connections without a detected protocol are `raw_buffer`:

```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 10000
  listener_filters:
  - name: envoy.filters.listener.tls_inspector   # sets transport_protocol to "tls" for TLS connections
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  - filter_chain_match:
      transport_protocol: "tls"
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "/etc/ssl/certs/cert.crt"
            private_key:
              filename: "/etc/ssl/private/key.key"
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          name: local_route
          virtual_hosts:
          - name: local_service
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: some_service
```
## Complex matching rules

### Combined matching

Several match conditions can be combined; a chain is selected only when all of them hold:

```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  listener_filters:
  - name: envoy.filters.listener.tls_inspector   # needed for server_names, transport_protocol and application_protocols
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  - filter_chain_match:
      destination_port: 443
      server_names: ["api.example.com"]
      application_protocols: ["h2"]
      transport_protocol: "tls"
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: "/etc/ssl/certs/api.example.com.crt"
            private_key:
              filename: "/etc/ssl/private/api.example.com.key"
          alpn_protocols: ["h2"]
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          name: api_route
          virtual_hosts:
          - name: api_example_com
            domains: ["api.example.com"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: api_service
```
### Default filter chain

Configure a default filter chain for connections that match nothing else. A chain with an empty `filter_chain_match` is the least specific chain and therefore acts as the catch-all; Envoy also offers the listener-level `default_filter_chain` field for the same purpose. The transport sockets are left out of this excerpt for brevity; on port 443 both chains would normally carry a `DownstreamTlsContext` as in the earlier examples.

```yaml
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  listener_filters:
  - name: envoy.filters.listener.tls_inspector   # needed for the server_names match below
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  - filter_chain_match:
      server_names: ["example.com"]
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          name: example_route
          virtual_hosts:
          - name: example_com
            domains: ["example.com"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: example_service
  - filter_chain_match: {}   # default filter chain
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          name: default_route
          virtual_hosts:
          - name: default_service
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: default_service
```
## Match priority

Filter chain matching follows this order of priority:

- the most specific matching condition
- the number of matching conditions
- configuration order
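To make the priority rules concrete, here is a small model of chain selection, added as an illustration; it is not Envoy's own code. It follows the documented evaluation order for the criteria used on this page (destination port, then server name, then transport protocol, then application protocol) and the rule that at each step the most specific chain wins, with exact server names beating wildcards and longer wildcards beating shorter ones. Like Envoy's lookup it narrows the candidate set step by step and does not backtrack. Source address and port criteria are omitted, and the chains and connections at the bottom are constructed for the demo.

```python
"""Simplified model of how Envoy picks a filter chain for a new connection.

Added illustration, not Envoy's code. Evaluation order: destination port,
server name, transport protocol, application protocol. At each step only the
most specific candidates survive; there is no backtracking between steps.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FilterChain:
    """The subset of filter_chain_match fields used on this page."""
    name: str
    destination_port: Optional[int] = None
    server_names: List[str] = field(default_factory=list)
    transport_protocol: Optional[str] = None
    application_protocols: List[str] = field(default_factory=list)


@dataclass
class Connection:
    """What the listener knows once its listener filters have run.
    sni and alpn are only populated when the TLS inspector is configured."""
    destination_port: int
    sni: Optional[str] = None
    transport_protocol: str = "raw_buffer"
    alpn: List[str] = field(default_factory=list)


def _server_name_rank(pattern, sni):
    """Specificity of one server_names entry for this SNI, or None if it does
    not match. Exact names beat wildcards; longer wildcards beat shorter ones."""
    if sni is None:
        return None
    pattern, sni = pattern.lower(), sni.lower()
    if pattern == sni:
        return (2, len(pattern))
    if pattern.startswith("*.") and sni.endswith(pattern[1:]):  # "*.example.com" -> ".example.com"
        return (1, len(pattern))
    return None


def _narrow(candidates, rank):
    """Keep the candidates whose criterion is most specific for this connection.
    rank(chain) is None when the chain cannot match, the lowest value when the
    field is unset (wildcard), and higher for a specific match."""
    ranked = [(rank(c), c) for c in candidates]
    ranked = [(r, c) for r, c in ranked if r is not None]
    if not ranked:
        return []
    best = max(r for r, _ in ranked)
    return [c for r, c in ranked if r == best]


def select_filter_chain(chains, conn):
    """Return the chain Envoy would pick, or None (the connection is closed and
    the listener's no_filter_chain_match counter is incremented)."""
    def port_rank(c):
        if c.destination_port is None:
            return 0
        return 1 if c.destination_port == conn.destination_port else None

    def sni_rank(c):
        if not c.server_names:
            return (0, 0)
        hits = [_server_name_rank(p, conn.sni) for p in c.server_names]
        hits = [h for h in hits if h is not None]
        return max(hits) if hits else None

    def transport_rank(c):
        if c.transport_protocol is None:
            return 0
        return 1 if c.transport_protocol == conn.transport_protocol else None

    def alpn_rank(c):
        if not c.application_protocols:
            return 0
        return 1 if any(p in c.application_protocols for p in conn.alpn) else None

    candidates = list(chains)
    for rank in (port_rank, sni_rank, transport_rank, alpn_rank):
        candidates = _narrow(candidates, rank)  # no backtracking to earlier steps
        if not candidates:
            return None
    if len(candidates) > 1:
        # Envoy refuses to load a listener with identical matches; the model
        # only notices the overlap when a connection hits it.
        raise ValueError("ambiguous chains: " + ", ".join(c.name for c in candidates))
    return candidates[0]


# Chains mirroring this page's examples (constructed for the demo).
CHAINS = [
    FilterChain("api_h2", server_names=["api.example.com"],
                transport_protocol="tls", application_protocols=["h2"]),
    FilterChain("example_tls", server_names=["example.com", "*.example.com"],
                transport_protocol="tls"),
    FilterChain("catch_all"),  # filter_chain_match: {}
]


def chain_name_for(**conn_attrs):
    """Name of the selected chain for a constructed connection, or None."""
    chain = select_filter_chain(CHAINS, Connection(**conn_attrs))
    return chain.name if chain else None


if __name__ == "__main__":
    print(chain_name_for(destination_port=443, sni="api.example.com",
                         transport_protocol="tls", alpn=["h2"]))         # api_h2
    print(chain_name_for(destination_port=443, sni="api.example.com",
                         transport_protocol="tls", alpn=["http/1.1"]))   # None
    print(chain_name_for(destination_port=443, sni="www.example.com",
                         transport_protocol="tls", alpn=["h2"]))         # example_tls
    print(chain_name_for(destination_port=443))                          # catch_all
```

The second case is the one to remember when designing chains: because narrowing never backtracks, a chain that pins an SNI claims every connection with that SNI, and a later mismatch on ALPN closes the connection instead of falling through to the catch-all chain. The last case shows the other side of a catch-all on port 443: a plaintext connection with no SNI lands on the default chain, so that chain needs the same transport hardening as the others.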
## Best practices

### Designing match rules

- Use explicit match conditions
- Avoid overly complex match rules
- Configure a default filter chain

### Performance

- Order filter chains sensibly
- Avoid unnecessary match conditions
- Monitor filter chain matching performance

### Security considerations

- Configure a separate filter chain for each service
- Protect sensitive traffic with TLS
- Enforce appropriate access control

## Caveats

- Filter chain matching has a performance cost
- Complex match rules can be hard to maintain
- Make sure every kind of traffic has a matching filter chain
- Test configuration changes carefully
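The caveats above are easy to check mechanically before a listener change is rolled out. The following linter is an added illustration, not Envoy tooling: it walks a listener given as a plain Python dict (the shape a YAML loader produces from the configurations on this page) and reports SNI/ALPN/transport-protocol matches without the TLS inspector listener filter, duplicate `filter_chain_match` entries, chains selected for TLS connections that run the HTTP connection manager without a transport socket, and the absence of a catch-all chain. The two listeners at the bottom are constructed inputs: the first reproduces the default-chain excerpt as shown, the second is a corrected version.

```python
"""Static checks for the filter chain pitfalls discussed on this page.
Added illustration, not Envoy's own tooling."""
import json

TLS_INSPECTOR = "envoy.filters.listener.tls_inspector"
HCM = "envoy.filters.network.http_connection_manager"
# Match fields whose values come from the TLS inspector.
TLS_DERIVED_FIELDS = ("server_names", "transport_protocol", "application_protocols")


def lint_listener(listener):
    """Return a list of human-readable findings; an empty list means nothing found."""
    findings = []
    lname = listener.get("name", "<unnamed>")
    listener_filters = {f.get("name") for f in listener.get("listener_filters", [])}
    has_catch_all = "default_filter_chain" in listener
    seen = {}  # canonical match -> chain label, to detect duplicates
    for i, chain in enumerate(listener.get("filter_chains", [])):
        cname = chain.get("name") or f"filter_chains[{i}]"
        label = f"{lname}/{cname}"
        match = chain.get("filter_chain_match") or {}
        if not match:
            has_catch_all = True  # filter_chain_match: {} matches everything
        tls_fields = [k for k in TLS_DERIVED_FIELDS if k in match]
        if tls_fields and TLS_INSPECTOR not in listener_filters:
            findings.append(f"{label}: matches on {', '.join(tls_fields)} but the listener has no "
                            f"{TLS_INSPECTOR}; those values are only filled in by that listener filter")
        key = json.dumps(match, sort_keys=True)
        if key in seen:
            findings.append(f"{label}: filter_chain_match is identical to {seen[key]}; "
                            "Envoy rejects a listener with duplicate matches")
        seen.setdefault(key, label)
        selected_for_tls = (match.get("transport_protocol") == "tls"
                            or "server_names" in match or "application_protocols" in match)
        first_filter = (chain.get("filters") or [{}])[0].get("name")
        if selected_for_tls and "transport_socket" not in chain and first_filter == HCM:
            findings.append(f"{label}: selected for TLS connections but has no transport_socket, "
                            f"so {HCM} would receive raw TLS records")
    if not has_catch_all:
        findings.append(f"{lname}: no catch-all chain (empty filter_chain_match or "
                        "default_filter_chain); connections that match nothing are closed")
    return findings


def _hcm(route_name, cluster):
    """Minimal HTTP connection manager filter, as on this page (constructed)."""
    return {"name": HCM, "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.filters.network."
                 "http_connection_manager.v3.HttpConnectionManager",
        "stat_prefix": "ingress_http",
        "route_config": {"name": route_name, "virtual_hosts": [
            {"name": cluster, "domains": ["*"],
             "routes": [{"match": {"prefix": "/"}, "route": {"cluster": cluster}}]}]}}}


# Constructed: the default-chain excerpt as shown, without TLS inspector or transport sockets.
LISTENER_BAD = {
    "name": "listener_0",
    "address": {"socket_address": {"address": "0.0.0.0", "port_value": 443}},
    "filter_chains": [
        {"filter_chain_match": {"server_names": ["example.com"]},
         "filters": [_hcm("example_route", "example_service")]},
        {"filter_chain_match": {}, "filters": [_hcm("default_route", "default_service")]},
    ],
}

TLS_SOCKET = {"name": "envoy.transport_sockets.tls", "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
    "common_tls_context": {"tls_certificates": [{
        "certificate_chain": {"filename": "/etc/ssl/certs/example.com.crt"},
        "private_key": {"filename": "/etc/ssl/private/example.com.key"}}]}}}

# Constructed: corrected version with the TLS inspector and TLS termination on both chains.
LISTENER_FIXED = {
    "name": "listener_0",
    "address": LISTENER_BAD["address"],
    "listener_filters": [{"name": TLS_INSPECTOR, "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector"}}],
    "filter_chains": [
        {"filter_chain_match": {"server_names": ["example.com"], "transport_protocol": "tls"},
         "transport_socket": TLS_SOCKET,
         "filters": [_hcm("example_route", "example_service")]},
        {"filter_chain_match": {}, "transport_socket": TLS_SOCKET,
         "filters": [_hcm("default_route", "default_service")]},
    ],
}


if __name__ == "__main__":
    for finding in lint_listener(LISTENER_BAD):
        print("BAD  :", finding)
    print("FIXED:", lint_listener(LISTENER_FIXED) or "no findings")
```

Load each listener from your bootstrap or LDS YAML with the YAML library of your choice and pass the resulting dict to `lint_listener`; run it as part of configuration review so that a chain which can never be selected, or a catch-all that was dropped, is caught before the change reaches a proxy.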
Filter chain matching is the foundation of traffic management in Envoy; configured well, it gives precise control over how traffic is accepted and routed.