Support Envoy's `forwarded_proto_config` for PROXY Protocol destination port-based X-Forwarded-Proto

[zezaeoh]

Summary:
Envoy recently added forwarded_proto_config to infer X-Forwarded-Proto from PROXY Protocol
destination port (envoyproxy/envoy#43031, merged via envoyproxy/envoy#43088).

This enables proper HTTP→HTTPS redirect when using AWS NLB TLS termination + PROXY Protocol v2.

Envoy Configuration (new feature in main, will be in next release):

http_connection_manager:
  forwarded_proto_config:
    https_destination_ports: [443, 8443]
    http_destination_ports: [80, 8080]

Requested Feature:
Expose this in ContourConfiguration, likely under envoy.listener alongside existing useProxyProtocol:

apiVersion: projectcontour.io/v1alpha1
kind: ContourConfiguration
spec:
  envoy:
    listener:
      useProxyProtocol: true
      forwardedProtoConfig:           # NEW
        httpsDestinationPorts: [443]
        httpDestinationPorts: [80]

Implementation Notes:

• Current PROXY Protocol handling: internal/xdscache/v3/listener.go → proxyProtocol()
• New config goes in: internal/envoy/v3/listener.go → httpConnectionManagerBuilder
• The forwarded_proto_config is set on HCM, not on the listener filter

Use Case:
AWS NLB terminates TLS (ACM certificates) → PROXY Protocol v2 → Contour/Envoy.
Without this, X-Forwarded-Proto is always http, causing redirect loops with HTTPProxy's
tls.secretName (secure-first policy).

References:

• Envoy PR: http: Support inferring X-Forwarded-Proto from PROXY protocol destination port envoyproxy/envoy#43088
• Envoy Issue: Support inferring X-Forwarded-Proto from PROXY Protocol destination port envoyproxy/envoy#43031
• Related Contour docs issue: SSL Termination on AWS NLB to avoid managing certs in contour #2441

[github-actions]

Hey @zezaeoh! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

[zezaeoh]

@tsaarni Hi, I'm the author of the upstream Envoy feature referenced in this issue (envoyproxy/envoy#43088). The forwarded_proto_config has been merged into Envoy main and is scheduled to ship in Envoy v1.38.0 (expected around April 2026).
Since Contour v1.33.1 currently ships with Envoy v1.35.8, adopting this feature would require Contour to bump its Envoy dependency through v1.36, v1.37, and v1.38 — three minor versions.
Before I invest time in a Contour-side implementation (exposing forwarded_proto_config in ContourConfiguration and wiring it into the HCM builder), I'd like to understand the project's roadmap regarding Envoy version tracking:

Does Contour plan to keep following Envoy upstream minor releases? Looking at recent history, each Contour minor has picked up the latest Envoy at the time (v1.32→Envoy 1.34, v1.33→Envoy 1.35), which is a healthy pace. Is there an expectation this cadence will continue?
Is there a rough timeline for when Contour might adopt Envoy v1.38? For example, would it be reasonable to expect it in a Contour v1.35 or v1.36 timeframe?

This context would help me plan accordingly. I'm happy to contribute the Contour-side implementation once the Envoy version dependency is within reach — I'm already familiar with the relevant code paths (httpConnectionManagerBuilder in internal/envoy/v3/listener.go).
For additional context: this feature solves a long-standing pain point for AWS NLB + TLS termination + PROXY Protocol v2 users (see also #2441), where X-Forwarded-Proto is always http, causing infinite redirect loops with HTTPProxy's secure-first policy.

[tsaarni]

Does Contour plan to keep following Envoy upstream minor releases? Looking at recent history, each Contour minor has picked up the latest Envoy at the time (v1.32→Envoy 1.34, v1.33→Envoy 1.35), which is a healthy pace. Is there an expectation this cadence will continue?
Is there a rough timeline for when Contour might adopt Envoy v1.38? For example, would it be reasonable to expect it in a Contour v1.35 or v1.36 timeframe?

Unfortunately we lack the resources to maintain a formal roadmap, but intention is to follow the latest release track as time allows. We are currently behind on releases. I just verified that no changes were needed for Contour and updated main to Envoy v1.37.1 in #7459. We should also move to v1.38.0 once it is released, hoping this will not require any, or at least significant changes to existing functionality.