syntax = "proto3";

package envoy.extensions.clusters.dynamic_forward_proxy.v3;

import "envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto";

import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.extensions.clusters.dynamic_forward_proxy.v3";
option java_outer_classname = "ClusterProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/dynamic_forward_proxy/v3;dynamic_forward_proxyv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: Dynamic forward proxy cluster configuration]

// Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
// <arch_overview_http_dynamic_forward_proxy>` for more information.
// [#extension: envoy.clusters.dynamic_forward_proxy]
message ClusterConfig {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig";

  // The DNS cache configuration that the cluster will attach to. Note this configuration must
  // match that of associated :ref:`dynamic forward proxy HTTP filter configuration
  // <envoy_v3_api_field_extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig.dns_cache_config>`.
  common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 1
      [(validate.rules).message = {required: true}];

  // If true allow the cluster configuration to disable the auto_sni and auto_san_validation options
  // in the :ref:`cluster's upstream_http_protocol_options
  // <envoy_v3_api_field_config.cluster.v3.Cluster.upstream_http_protocol_options>`
  bool allow_insecure_cluster_options = 2;

  // If true allow HTTP/2 and HTTP/3 connections to be reused for requests to different
  // origins than the connection was initially created for. This will only happen when the
  // resolved address for the new connection matches the peer address of the connection and
  // the TLS certificate is also valid for the new hostname. For example, if a connection
  // has previously been established to foo.example.com at IP 1.2.3.4 with a certificate
  // that is valid for `*.example.com`, then this connection could be used for requests to
  // bar.example.com if that also resolved to 1.2.3.4.
  //
  // .. note::
  //   By design, this feature will maximize reuse of connections. This means that instead
  //   opening a new connection when an existing connection reaches the maximum number of
  //   concurrent streams, requests will instead be sent to the existing connection.
  //
  // .. note::
  //   The coalesced connections might be to upstreams that would not be otherwise
  //   selected by Envoy. See the section `Connection Reuse in RFC 7540
  //   <https://datatracker.ietf.org/doc/html/rfc7540#section-9.1.1>`_
  //
  bool allow_coalesced_connections = 3;
}