Each proxy is the sum total of all configurations that will be sent to each Grey Matter Proxy. This includes the listeners, domains, routes, shared_rules, and clusters. Each proxy object may be mapped to 0 or more physical instances, each of which will share the exact same configuration.

NOTE: The name field in the object dictates which cluster in the mesh it gets applied to. See the discovery docs for more information.


  • Configure active filters

  • Set virtual domains

  • Directly set listeners

Multiple Listeners

Multiple listeners can be configured for each Proxy object, either inline or through the listener_keys field. Each one defines a new network interface to handle different traffic patterns and protocols, like the example diagram below.

How each Sidecar is configured to listen on the network comes from both the domains and the listeners. These objects are linked to a specific proxy using the domain_keys, listener_keys, and listeners fields below.

A listener is created for the sidecar on the port of every domain specified in domain_keys. If there are no referenced listeners on the same port, a default listener object is used with IP Otherwise, every domain/listener on the same port combine to configure the sidecar's listener at that port and the IP of the listener.

NOTE: In a SPIFFE/SPIRE installation, to enable ingress traffic to the sidecar, a listener object must be configured for the proxy on the ingress port. The only way to configure SSL for a listener with SPIRE is using the secret.
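The resolution rule described above, as an added example that is not Grey Matter's own code: it computes, per domain port, which listener a sidecar ends up with and whether the ingress port has the explicit listener object the SPIRE note requires. The port, ip, domain_key and listener_key fields on the domain and listener objects, the DEFAULT_IP placeholder, and all sample values are assumptions.

```python
DEFAULT_IP = "<default-ip>"  # placeholder: the default listener IP is not stated on this page


def resolve_listeners(proxy, domains, listeners):
    """Map each domain port to the listener the sidecar gets for this proxy."""
    by_domain = {d["domain_key"]: d for d in domains}
    by_listener = {ls["listener_key"]: ls for ls in listeners}
    # Referenced listeners: listener_keys plus inline definitions (may be null).
    referenced = [by_listener[k] for k in proxy.get("listener_keys") or []]
    referenced += proxy.get("listeners") or []

    resolved = {}
    # One listener per port of every domain named in domain_keys.
    for key in proxy.get("domain_keys") or []:
        port = by_domain[key]["port"]
        entry = resolved.setdefault(
            port, {"ip": DEFAULT_IP, "domains": [], "listeners": [], "default": True})
        entry["domains"].append(key)
    # Referenced listeners on the same port combine with those domains
    # and supply the IP; ports without one keep the default listener.
    for lst in referenced:
        entry = resolved.get(lst["port"])
        if entry is None:
            continue  # no domain on this port; the page does not describe this case
        if entry["default"]:
            entry["ip"], entry["default"] = lst["ip"], False
        entry["listeners"].append(lst.get("listener_key", "<inline>"))
    return resolved


def spire_ingress_ok(resolved, ingress_port):
    """True only if an explicit listener object covers the ingress port."""
    entry = resolved.get(ingress_port)
    return entry is not None and not entry["default"]


# Constructed sample objects (not from the page).
PROXY = {"proxy_key": "catalog", "zone_key": "default", "name": "catalog",
         "domain_keys": ["catalog-ingress", "catalog-egress"],
         "listener_keys": ["catalog-ingress-listener"], "listeners": None}
DOMAINS = [{"domain_key": "catalog-ingress", "port": 10808},
           {"domain_key": "catalog-egress", "port": 10909}]
LISTENERS = [{"listener_key": "catalog-ingress-listener", "ip": "10.0.0.5", "port": 10808}]

if __name__ == "__main__":
    for port, entry in sorted(resolve_listeners(PROXY, DOMAINS, LISTENERS).items()):
        print(port, entry)
```

Ports reported with "default": True are the ones to review: they have no listener object of their own, so nothing on them carries a listener-level SSL or secret configuration.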

Example Object

{
  "proxy_key": "catalog",
  "zone_key": "default",
  "name": "catalog",
  "domain_keys": [ ... ],
  "listener_keys": [ ... ],
  "listeners": null,
  "upgrades": "",
  "active_proxy_filters": [ ... ],
  "proxy_filters": {
    "envoy_rbac": null,
    "gm_impersonation": {},
    "gm_inheaders": {},
    "gm_listauth": {},
    "gm_metrics": {
      "metrics_port": 8081,
      "metrics_host": "",
      "metrics_dashboard_uri_path": "/metrics",
      "metrics_prometheus_uri_path": "/prometheus",
      "prometheus_system_metrics_interval_seconds": 15,
      "metrics_ring_buffer_size": 4096,
      "metrics_key_function": "depth",
      "metrics_key_depth": "1"
    },
    "gm_oauth": {},
    "gm_observables": {
      "useKafka": true,
      "topic": "production-catalog-1.0",
      "eventTopic": "events",
      "kafkaServerConnection": "kafka-observables.observables.svc:9092"
    }
  },
  "checksum": "9830e988dd93d560426e3ddff6758ca2976565b9e064e68f99661a39b3b17239"
}

Envoy Reference



proxy_key

A unique key to identify this proxy configuration in the Fabric API.


zone_key

The zone in which this object will live. It can only be referenced by objects, or sent to Sidecars, that live in the same zone.


name

The name of the service that this proxy configuration (and all linked objects) will be sent to. This name must exactly match the service announcement information when a sidecar registers in the mesh.


domain_keys

Array of domain keys to specify which domain objects should be included in this configuration.


listener_keys

Array of listener keys to specify which listener objects should be included in this configuration. Listeners can also be specified in-line with the listeners field.


listeners

Array of listener definitions to create for this Sidecar.

NOTE: See Multiple Listeners for information on how the referenced domains and listeners are used to configure listeners for the sidecar.


upgrades

String value to specify connection upgrades to all listeners on this Sidecar. The only currently supported option is "websocket".


active_proxy_filters

DEPRECATION: This field has been deprecated and will be removed in the next major version release. Use listener.active_http_filters instead.

Array of http filters that should be active on this listener's filter chain. This list acts as a simple mechanism for turning specific filters on/off without needing to completely remove their configuration from the http_filter section.

NOTE: The order of filters in this array dictates the evaluation order of the filters in the chain.


proxy_filters

DEPRECATION: This field has been deprecated and will be removed in the next major version release. Use listener.http_filters instead.

Array of filter configurations to be used when a filter is enabled.


checksum

An API-calculated checksum. Can be used to verify that the API contains the expected object before performing a write.