default ALPN settings break TLS-terminated TCP route #4456

Open
guydc opened this issue Oct 16, 2024 · 0 comments · May be fixed by #4460
Labels
kind/bug Something isn't working

guydc commented Oct 16, 2024

Description:

Envoy Gateway sets ALPN to h2, http/1.1 by default. When Envoy is not handling the application layer protocol (e.g. TLS termination for TCP), Envoy should not advertise application layer protocols that may not be supported by the backend, and keep the downstream TLS socket ALPN settings undefined.

In general, it seems that Envoy Gateway should perhaps support more flexibility around ALPN:

  • Supporting non-HTTP ALPN protos for TLS routes that proxy non-HTTP protos
  • Supporting ALPN disablement
  • Changing the defaults for non-HTTP routes

Repro steps:
Follow the official guide: https://gateway.envoyproxy.io/docs/tasks/security/tls-termination/

curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1"  --cacert example.com.crt https://www.example.com:8443/get
* Added www.example.com:8443:127.0.0.1 to DNS cache
* Hostname www.example.com was found in DNS cache
*   Trying 127.0.0.1:8443...
* Connected to www.example.com (127.0.0.1) port 8443
* ALPN: server accepted h2
[...]
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.example.com:8443/get
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.example.com]
* [HTTP/2] [1] [:path: /get]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /get HTTP/2
> Host:www.example.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
* Remote peer returned unexpected data while we expected SETTINGS frame.  Perhaps, peer does not support HTTP/2 properly.

Envoy encourages the client to use HTTP/2, which is not supported by the upstream server, leading to a failure. If the client is explicitly using HTTP/1, the request succeeds:

curl -v --http1.1 -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" --cacert example.com.crt https://www.example.com:8443/get
[...]
* using HTTP/1.x
> GET /get HTTP/1.1
> Host:www.example.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK

@guydc guydc added the kind/bug Something isn't working label Oct 16, 2024
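For reference, this is the shape of the Envoy listener that a TLS-terminated TCP route renders to, written by hand as an added example (it is not Envoy Gateway's actual generated output). The `alpn_protocols` list under `common_tls_context` is the default described in the report and is what makes curl negotiate h2; for a `tcp_proxy` filter chain the remedy is to leave it unset so Envoy advertises no ALPN at all. Listener, cluster and certificate file names are assumptions.

```yaml
# Added example: hand-written Envoy xDS for a TLS-terminated TCP route.
# Names and file paths are placeholders, not Envoy Gateway output.
static_resources:
  listeners:
  - name: tls-tcp-8443                     # assumed listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - filter_chain_match:
        server_names: ["www.example.com"]  # SNI used in the repro
      filters:
      # Envoy only proxies bytes here; it never speaks the app protocol,
      # so it has no basis for telling the client which protocol to use.
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tls_tcp
          cluster: backend-tcp             # assumed cluster name
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            # PROBLEM (the default the report describes): advertising h2 makes
            # curl send an HTTP/2 preface to a backend that only speaks HTTP/1.1,
            # producing "Remote peer returned unexpected data while we expected
            # SETTINGS frame".
            #
            #   alpn_protocols: ["h2", "http/1.1"]
            #
            # FIX: omit alpn_protocols entirely on tcp_proxy chains. With no
            # ALPN extension in the ServerHello, the client falls back to its
            # own default (HTTP/1.1 for curl) and the backend decides.
            tls_certificates:
            - certificate_chain: { filename: "/etc/envoy/tls/example.com.crt" }  # assumed path
              private_key:       { filename: "/etc/envoy/tls/example.com.key" }  # assumed path
  clusters:
  - name: backend-tcp
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend-tcp
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.default.svc, port_value: 80 }  # assumed
```

A quick way to confirm the fix took effect is the report's own probe: with `alpn_protocols` absent, `curl -v` should print no `ALPN: server accepted ...` line and proceed with HTTP/1.1 without `--http1.1`.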