Support enable_ja3_fingerprinting and enable_ja4_fingerprinting in EnvoyTLS config

[WUMUXIAN]

Support TLS Fingerprinting
Today there's no way to config the envoy listeners to calculate tls fingerprinting.

As per
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto.html#extensions-filters-listener-tls-inspector-v3-tlsinspector

Both fields are default to False and the TlsInspector object is created with no parameters.

Below is a config_dump:

"listener_filters": [
        {
         "name": "envoy.filters.listener.tls_inspector",
         "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector"
         }
        }
       ],

Looking at the code that construct it:

// TLSInspector returns a new TLS inspector listener filter.
func TLSInspector() *envoy_config_listener_v3.ListenerFilter {
	return &envoy_config_listener_v3.ListenerFilter{
		Name: wellknown.TlsInspector,
		ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
			TypedConfig: protobuf.MustMarshalAny(&envoy_filter_listener_tls_inspector_v3.TlsInspector{}),
		},
	}
}

it does not take any parameters

Can we make this configurable somewhere in the contour config or httpproxy specs?

Getting the TLS fingerprint is an important use case for our upstream service for bot fighting and etc.

[github-actions]

Hey @WUMUXIAN! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

[gtriggiano]

Me too, I'd like to have this feature.

I think is a Contour configuration, not an HTTPProxy one, because it affects the setup of the TLS listener.

I opened a PR to add this feature.