envoyproxy
diff --git a/‎reverse_tunnel/Dockerfile.xds‎
Lines changed: 150 additions & 0 deletions b/‎reverse_tunnel/Dockerfile.xds‎
Lines changed: 150 additions & 0 deletions
diff --git a/‎reverse_tunnel/README.md‎
Lines changed: 2 additions & 0 deletions b/‎reverse_tunnel/README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎reverse_tunnel/docker-compose.yaml‎
Lines changed: 45 additions & 0 deletions b/‎reverse_tunnel/docker-compose.yaml‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎reverse_tunnel/example.rst‎
Lines changed: 158 additions & 0 deletions b/‎reverse_tunnel/example.rst‎
Lines changed: 158 additions & 0 deletions
@@ -0,0 +1,150 @@
+FROM ubuntu:20.04
+
+# Prevent interactive prompts during package installation
+ENV DEBIAN_FRONTEND=noninteractive
+
+WORKDIR /app
+
+# Install Python and pip
+RUN apt-get update && apt-get install -y \
+    python3 \
+    python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install dependencies
+RUN pip3 install requests pyyaml
+
+# Create a simple xDS server script
+RUN echo '#!/usr/bin/env python3\n\
+import json\n\
+import time\n\
+import threading\n\
+import http.server\n\
+import socketserver\n\
+import logging\n\
+\n\
+logging.basicConfig(level=logging.INFO)\n\
+logger = logging.getLogger(__name__)\n\
+\n\
+class XDSServer:\n\
+    def __init__(self):\n\
+        self.listeners = {}\n\
+        self.version = 1\n\
+        self._lock = threading.Lock()\n\
+        self.server = None\n\
+    \n\
+    def start(self, port):\n\
+        class XDSHandler(http.server.BaseHTTPRequestHandler):\n\
+            def do_POST(self):\n\
+                if self.path == "/v3/discovery:listeners":\n\
+                    content_length = int(self.headers["Content-Length"])\n\
+                    post_data = self.rfile.read(content_length)\n\
+                    response_data = self.server.xds_server.handle_lds_request(post_data)\n\
+                    self.send_response(200)\n\
+                    self.send_header("Content-type", "application/json")\n\
+                    self.end_headers()\n\
+                    self.wfile.write(response_data.encode())\n\
+                elif self.path == "/add_listener":\n\
+                    content_length = int(self.headers["Content-Length"])\n\
+                    post_data = self.rfile.read(content_length)\n\
+                    data = json.loads(post_data.decode())\n\
+                    self.server.xds_server.add_listener(data["name"], data["config"])\n\
+                    self.send_response(200)\n\
+                    self.send_header("Content-type", "application/json")\n\
+                    self.end_headers()\n\
+                    self.wfile.write(json.dumps({"status": "success"}).encode())\n\
+                elif self.path == "/remove_listener":\n\
+                    content_length = int(self.headers["Content-Length"])\n\
+                    post_data = self.rfile.read(content_length)\n\
+                    data = json.loads(post_data.decode())\n\
+                    success = self.server.xds_server.remove_listener(data["name"])\n\
+                    if success:\n\
+                        self.send_response(200)\n\
+                        self.send_header("Content-type", "application/json")\n\
+                        self.end_headers()\n\
+                        self.wfile.write(json.dumps({"status": "success"}).encode())\n\
+                    else:\n\
+                        self.send_response(404)\n\
+                        self.send_header("Content-type", "application/json")\n\
+                        self.end_headers()\n\
+                        self.wfile.write(json.dumps({"status": "not_found"}).encode())\n\
+                elif self.path == "/state":\n\
+                    state = self.server.xds_server.get_state()\n\
+                    self.send_response(200)\n\
+                    self.send_header("Content-type", "application/json")\n\
+                    self.end_headers()\n\
+                    self.wfile.write(json.dumps(state).encode())\n\
+                else:\n\
+                    self.send_response(404)\n\
+                    self.end_headers()\n\
+            \n\
+            def log_message(self, format, *args):\n\
+                pass\n\
+        \n\
+        class XDSServer(socketserver.TCPServer):\n\
+            def __init__(self, server_address, RequestHandlerClass, xds_server):\n\
+                self.xds_server = xds_server\n\
+                super().__init__(server_address, RequestHandlerClass)\n\
+        \n\
+        self.server = XDSServer(("0.0.0.0", port), XDSHandler, self)\n\
+        self.server_thread = threading.Thread(target=self.server.serve_forever)\n\
+        self.server_thread.daemon = True\n\
+        self.server_thread.start()\n\
+        logger.info(f"xDS server started on port {port}")\n\
+    \n\
+    def handle_lds_request(self, request_data):\n\
+        with self._lock:\n\
+            response = {\n\
+                "version_info": str(self.version),\n\
+                "resources": [],\n\
+                "type_url": "type.googleapis.com/envoy.config.listener.v3.Listener"\n\
+            }\n\
+            for listener_name, listener_config in self.listeners.items():\n\
+                # Wrap the listener config in a proper Any message\n\
+                wrapped_config = {\n\
+                    "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",\n\
+                    **listener_config\n\
+                }\n\
+                response["resources"].append(wrapped_config)\n\
+            return json.dumps(response)\n\
+    \n\
+    def add_listener(self, listener_name, listener_config):\n\
+        with self._lock:\n\
+            self.listeners[listener_name] = listener_config\n\
+            self.version += 1\n\
+            logger.info(f"Added listener {listener_name}, version {self.version}")\n\
+    \n\
+    def remove_listener(self, listener_name):\n\
+        with self._lock:\n\
+            if listener_name in self.listeners:\n\
+                del self.listeners[listener_name]\n\
+                self.version += 1\n\
+                logger.info(f"Removed listener {listener_name}, version {self.version}")\n\
+                return True\n\
+            return False\n\
+\n\
+    def get_state(self):\n\
+        with self._lock:\n\
+            return {\n\
+                "version": self.version,\n\
+                "listeners": list(self.listeners.keys())\n\
+            }\n\
+\n\
+if __name__ == "__main__":\n\
+    xds_server = XDSServer()\n\
+    xds_server.start(18000)\n\
+    try:\n\
+        while True:\n\
+            time.sleep(1)\n\
+    except KeyboardInterrupt:\n\
+        print("Shutting down xDS server...")\n\
+' > /app/xds_server.py
+
+# Make the script executable
+RUN chmod +x /app/xds_server.py
+
+# Expose the xDS server port
+EXPOSE 18000
+
+# Run the xDS server
+CMD ["python3", "/app/xds_server.py"] 
@@ -0,0 +1,2 @@
+To learn about this sandbox and for instructions on how to run it please head over
+to the [Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/reverse_tunnel.html).
@@ -0,0 +1,45 @@
+version: '2'
+services:
+
+  downstream-envoy:
+    image: debug/envoy:latest
+    volumes:
+      - ./initiator-envoy.yaml:/etc/downstream-envoy.yaml
+    command: envoy -c /etc/downstream-envoy.yaml --concurrency 1 -l trace --drain-time-s 3
+    ports:
+      # Admin interface
+      - "8888:8888"
+      # Reverse connection API listener
+      - "9000:9000"
+      # Ingress HTTP listener
+      - "6060:6060"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    networks:
+      - envoy-network
+    depends_on:
+      - downstream-service
+
+  downstream-service:
+    image: nginxdemos/hello:plain-text
+    networks:
+      - envoy-network
+
+  upstream-envoy:
+    image: debug/envoy:latest
+    volumes:
+      - ./responder-envoy.yaml:/etc/upstream-envoy.yaml
+    command: envoy -c /etc/upstream-envoy.yaml --concurrency 1 -l trace --drain-time-s 3
+    ports:
+      # Admin interface
+      - "8889:8888"
+      # Reverse connection API listener
+      - "9001:9000"
+      # Egress listener
+      - "8085:8085"
+    networks:
+      - envoy-network
+
+networks:
+  envoy-network:
+    driver: bridge
@@ -0,0 +1,158 @@
+.. _install_sandboxes_reverse_tunnel:
+
+Reverse Tunnels
+===============
+
+.. sidebar:: Requirements
+
+   .. include:: _include/docker-env-setup-link.rst
+
+   :ref:`curl <start_sandboxes_setup_curl>`
+        Used to make HTTP requests.
+
+This sandbox demonstrates Envoy's :ref:`reverse tunnels <config_reverse_connection>` feature, which allows establishing long-lived connections from downstream to upstream in scenarios where direct connectivity from upstream to downstream is not possible, and using these cached connection sockets to send data traffic from upstream to downstream Envoy.
+
+In this example, a downstream Envoy proxy initiates reverse tunnels to an upstream Envoy using a custom address resolver. The configuration includes bootstrap extensions and reverse connection listeners with specialized address formats.
+
+Step 1: Build Envoy with reverse tunnels feature
+************************************************
+
+Build Envoy with the reverse tunnels feature enabled:
+
+.. code-block:: console
+
+  $ ./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.release.server_only'
+
+Step 2: Build Envoy Docker image
+********************************
+
+Build the Envoy Docker image:
+
+.. code-block:: console
+
+  $ docker build -f ci/Dockerfile-envoy-image -t envoy:latest .
+
+Step 3: Understanding the configuration
+**************************************
+
+The reverse tunnel configuration is explained in the :ref:`Reverse Tunnels <config_reverse_connection>` section.
+
+Step 4: Launch test containers
+******************************
+
+Change to the ``reverse_tunnel`` directory and bring up the docker composition.
+
+.. code-block:: console
+
+  $ pwd
+  examples/reverse_tunnel
+  $ docker compose up
+
+.. note::
+   The docker-compose maps the following ports:
+   
+   - **downstream-envoy**: Host port 9000 → Container port 9000 (reverse connection API)
+   - **upstream-envoy**: Host port 9001 → Container port 9000 (reverse connection API)
+
+Verify the containers are running:
+
+.. code-block:: console
+
+  $ docker ps
+
+Expected output showing all containers are up:
+
+.. code-block:: console
+
+  CONTAINER ID   IMAGE                         COMMAND                  CREATED          STATUS         PORTS                                                                                                                                        NAMES
+  ae15eab504f8   debug/envoy:latest            "/docker-entrypoint.…"   27 seconds ago   Up 3 seconds   0.0.0.0:6060->6060/tcp, :::6060->6060/tcp, 0.0.0.0:8888->8888/tcp, :::8888->8888/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp, 10000/tcp   reverse_tunnel-downstream-envoy-1
+  58eba3678f20   nginxdemos/hello:plain-text   "/docker-entrypoint.…"   27 seconds ago   Up 3 seconds   80/tcp                                                                                                                                       reverse_tunnel-downstream-service-1
+  49145cc8a9d1   debug/envoy:latest            "/docker-entrypoint.…"   27 seconds ago   Up 3 seconds   0.0.0.0:8085->8085/tcp, :::8085->8085/tcp, 10000/tcp, 0.0.0.0:8889->8888/tcp, :::8889->8888/tcp, 0.0.0.0:9001->9000/tcp, :::9001->9000/tcp   reverse_tunnel-upstream-envoy-1
+
+Step 5: Validate reverse tunnel establishment
+*********************************************
+
+Verify that reverse tunnels have been successfully established by checking the stats counters on both downstream and upstream Envoy proxies.
+
+Check downstream Envoy stats (port 8888):
+
+.. code-block:: console
+
+  $ curl http://localhost:8888/stats | grep reverse_connection
+
+Expected downstream stats showing connected reverse tunnels:
+
+.. code-block:: console
+
+  downstream_reverse_connection.cluster.upstream-cluster.connected: 1
+  downstream_reverse_connection.cluster.upstream-cluster.connecting: 0
+  downstream_reverse_connection.host.172.27.0.2:9000.connected: 1
+  downstream_reverse_connection.host.172.27.0.2:9000.connecting: 0
+  downstream_reverse_connection.worker_0.cluster.upstream-cluster.connected: 1
+  downstream_reverse_connection.worker_0.cluster.upstream-cluster.connecting: 0
+  downstream_reverse_connection.worker_0.host.172.27.0.2:9000.connected: 1
+  downstream_reverse_connection.worker_0.host.172.27.0.2:9000.connecting: 0
+
+Check upstream Envoy stats (port 8889):
+
+.. code-block:: console
+
+  $ curl http://localhost:8889/stats | grep reverse_connections
+
+Expected upstream stats showing received reverse connections:
+
+.. code-block:: console
+
+  reverse_connections.clusters.downstream-cluster: 1
+  reverse_connections.nodes.downstream-node: 1
+  reverse_connections.worker_0.cluster.downstream-cluster: 1
+  reverse_connections.worker_0.node.downstream-node: 1
+
+The stats confirm that:
+
+- **Downstream Envoy**: Has successfully connected (``connected: 1``) to the upstream cluster with no pending connections (``connecting: 0``)
+- **Upstream Envoy**: Has received reverse connections from the downstream node and cluster, as indicated by the reverse connection counters
+
+Step 6: Test reverse tunnel
+***************************
+
+Perform an HTTP request for the service behind downstream Envoy, to upstream Envoy. This request will be sent over a reverse tunnel.
+
+.. code-block:: console
+
+  $ curl -H "x-remote-node-id: downstream-node" -H "x-dst-cluster-uuid: downstream-cluster" http://localhost:8085/downstream_service -v
+
+Expected response:
+
+.. code-block:: console
+
+  *   Trying ::1...
+  * TCP_NODELAY set
+  * Connected to localhost (::1) port 8085 (#0)
+  > GET /downstream_service HTTP/1.1
+  > Host: localhost:8085
+  > User-Agent: curl/7.61.1
+  > Accept: */*
+  > x-remote-node-id: downstream-node
+  > x-dst-cluster-uuid: downstream-cluster
+  > 
+  < HTTP/1.1 200 OK
+  < server: envoy
+  < date: Thu, 25 Sep 2025 21:25:38 GMT
+  < content-type: text/plain
+  < content-length: 159
+  < expires: Thu, 25 Sep 2025 21:25:37 GMT
+  < cache-control: no-cache
+  < x-envoy-upstream-service-time: 13
+  < 
+  Server address: 172.27.0.3:80
+  Server name: b490f264caf9
+  Date: 25/Sep/2025:21:25:38 +0000
+  URI: /downstream_service
+  Request ID: 41807e3cd1f6a0b601597b80f7e51513
+  * Connection #0 to host localhost left intact
+
+.. seealso::
+
+   :ref:`Reverse Tunnels architecture overview <config_reverse_connection>`
+      Learn more about Envoy's reverse tunnel functionality.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+To learn about this sandbox and for instructions on how to run it please head over`
	`2`	`+to the [Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/reverse_tunnel.html).`