Make use of :scheme and XForwardedProto clear and consistent in Envoy #14587
Comments
mattklein123
added
area/http
help wanted
|
Agreed we should be consistent here and fix this. cc @alyssawilk |
|
I thought the expectation was that ForwardedProto would represent the downstream scheme/security level internally, and :scheme was appended at the last minute for requests headed upstream, indicating the security of upstream requests. Let's sort out a plan offline. |
|
|
If filters use scheme, there's going to be issues where it means something different to upstream filters (where currently it would indicate upstream transport security) vs downstream filters (where it would be the downstream scheme if it exists, otherwise indicate downstream transport security). This extra complexity is not present for :method or :path, which is why I would like to put some thought into what solution is least likely to cause confusion (cc @mattklein123 right back =P) |
|
Yeah that's a good point that we swap |
|
That's what I've been telling people internally.
? |
|
I agree that ^ would be the right thing to do. |
alyssawilk
changed the title
|
I'll take on at least some of this when I get a chance. |
|
OK, having tried to standardize on ForwardedProto I am increasingly convinced that's going to cause problems. So, new plan, go the other way.
All data plane changes would be flag guarded. I think either 4) would have to go in its own release and/or we'd have to doc up how to safely upgrade with flags from (4) set false. @snowp @antoniovicente @PiotrSikora SG? I'd like explicit thumbs up from at least two of you before I dive into this. |
|
SGTM. Thanks! |
|
In general this sgtm but 2 things:
|
|
yeah, I think this is going to be a multi-release fix, with lots of envoy-announce and warnings. I plan on auditing all envoy use of XFP, and removing the XFP header accessors to help with downstream C++ filters but I don't think there's much we can do for wasm/lua other than envoy-annouce and slow guarded rollout. I think we can do 1-3 in this release, so in the next cut, :scheme should always be set and should be consistent with XFP. |
Commit Message: Setting :scheme for headers in-Envoy. Additional Description: This affects a number of components which do :scheme (rather than X-Forwarded-Proto) based logic for HTTP/1.1 traffic, up to but not exclusively wasm/lua filters looking for :scheme, gRPC access loggers, CSRF filter and oath2 filter Risk Level: High Testing: new unit tests, integration tests Release Notes: inline Runtime guard: envoy.reloadable_features.add_and_validate_scheme_header Part 1 of #14587 Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
This replaces prior logic where the :scheme header was consistently overwritten based on the encryption level of the upstream connection. Risk Level: High (l7 change) Testing: new integration tests, unit tests Docs Changes: api docs updated Release Notes: inline Runtime guard: envoy.reloadable_features.preserve_downstream_scheme Part of #14587 Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
|
No argument needed! I should have been more clear that the 6 month thing is more of a default bound on how long we have to find that workaround and make sure it's solid - it is extensible but I'm sure we'll find a way to make sure your deployment works without flipping that guard back. I'm not clear today what that will look like, to both fix your use case and ensure we don't have a giant security hole for the edge proxy case but we'll find something :-) I'm out today (just checking in to land the H3 alpha) but if you're around next week I'd be happy to sync in real time, to get a better understanding of your deployment set-up and either help sort out the rewrite case or find something else that works. Any chance you're on envoy slack? If so I can ping over there on Monday |
|
I've played around myself and agree I don't think there's a trivial way to revert this in Envoy today. |
|
Looking around more broadly I can see that this support will be needed for a long time. The .NET team agree that the spec is ambiguous but are working on the assumption that all proxies will need to support the previous behaviour as a configuration option into the future (see comment). I also note that the following workarounds are either in place or being requested:
If support was provided for a specific scheme rewrite option for each route, I believe that it will enable the desired outcome. What does concern me is that each solution (e.g. Google, AWS NLB, Istio, Gloo etc.) will need to either provide a mechanism to detect the downgrade and set the scheme rewrite for each route as part of their xDS plane implementation, or pass the additional configuration required onto their end-users. Deliberating on how they want to support the change is likely to take those teams a while, so I suspect that pushing out the timeframe for removal of the |
I would like to hear from @alyssawilk on this, but I continue to be concerned that we may be causing undo hardship on our users with this change, and I'm wondering if there are any compromise that are possible. (I don't know what that would be as I haven't spent enough time fully understanding this issue, and @alyssawilk has spent a ton of time, so hopefully she can summarize and educate us on the current thinking.) |
|
If we think per route config is too onerous, we could have a HCM option which allows switching for adding absent scheme based on upstream or downstream? @mattklein123 will sync with you offline and sort out a plan |
|
Here I like to summarize the issue ESPv2 is facing with this change: Setting correct :scheme header is important for Google IAP to work. Google IAP requires :scheme to be https, otherwise it will send 302 redirect. So I propose to add a config flag somewhere to keep the old behaviors. |
|
So Matt and I I discussed this offline and think the way to go about this is have a per-route scheme modifier, as we do for host and path, and also have a per-HCM option to set scheme. I think for ESPv2 you'd just set that to https, and get the behavior you want. Does that sound reasonable? |
|
Sound Good. Thanks |
|
Ok, way back in January I declared the last step as not adding XFP, as a forcing function to get folks to migrate over to :scheme |
Corrects all Envoy uses of ForwardedProto which actually want request URI over to :scheme As a reminder, XFP indicates the encryption of the (original) downstream connection where :scheme is part of the URI and the resource requested. It's legal (though unusual) to request http:// urls over a TLS connection for HTTP/2. It's possible (if ill advised) to have an internal mesh forwarding https schemed requests in the clear. Current uses of X-Forwarded-Proto are in the HCM, clearing XFP from untrusted users (unchanged) in the HCM, setting absent XFP based on downstream transport security (unchanged) in the HCM setting absent :scheme to XFP (unchanged) in buildOriginalUri, changing from using XFP to scheme (changed. new URIs should be based on original URIs not on transport security. in the router, clearing default port based on XFP (unchanged) in the router serving redirect URLs based on scheme (changed - used to be XFP but is now based on the scheme of the original URI) in the router, applying SSL route redirect based on XFP (unchanged) in the router, using :scheme for internal redirect url checks (changed - used to use XFP. new URIs should be based on original URI) in the cache filter, using :scheme to serve content (changed we used to serve based on XFP but if http://foo.com/ differs from https://foo.com and the http version is requested over a TLS connection the http response should be served) in oath2 serving redirect URLs based on scheme (changed this used to be based on SFP but URLs should be based on original URL scheme) Risk Level: High Testing: updated tests Docs Changes: inline Release Notes: inline Runtime guard: envoy.reloadable_features.correct_scheme_and_xfp Fixes #14587 Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Adding the option to override scheme Risk Level: low (config guarded code) Testing: unit testing Docs Changes: n/a Release Notes: inline Part of envoyproxy#14587 Fixes envoyproxy#17105 Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Corrects all Envoy uses of ForwardedProto which actually want request URI over to :scheme As a reminder, XFP indicates the encryption of the (original) downstream connection where :scheme is part of the URI and the resource requested. It's legal (though unusual) to request http:// urls over a TLS connection for HTTP/2. It's possible (if ill advised) to have an internal mesh forwarding https schemed requests in the clear. Current uses of X-Forwarded-Proto are in the HCM, clearing XFP from untrusted users (unchanged) in the HCM, setting absent XFP based on downstream transport security (unchanged) in the HCM setting absent :scheme to XFP (unchanged) in buildOriginalUri, changing from using XFP to scheme (changed. new URIs should be based on original URIs not on transport security. in the router, clearing default port based on XFP (unchanged) in the router serving redirect URLs based on scheme (changed - used to be XFP but is now based on the scheme of the original URI) in the router, applying SSL route redirect based on XFP (unchanged) in the router, using :scheme for internal redirect url checks (changed - used to use XFP. new URIs should be based on original URI) in the cache filter, using :scheme to serve content (changed we used to serve based on XFP but if http://foo.com/ differs from https://foo.com and the http version is requested over a TLS connection the http response should be served) in oath2 serving redirect URLs based on scheme (changed this used to be based on SFP but URLs should be based on original URL scheme) Risk Level: High Testing: updated tests Docs Changes: inline Release Notes: inline Runtime guard: envoy.reloadable_features.correct_scheme_and_xfp Fixes envoyproxy#14587 Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
|
@alyssawilk I'm still a little confused about this mechanism. envoy/source/common/router/router.cc Lines 93 to 102 in 345ffe3 |
|
the mechanism boils down to
This seems to have worked for all users for a couple of years now. If you have a concrete example of it not working let us know and we'll try to address. |
|
Hi @alyssawilk , thanks for you reply. My scenario is that Envoy receives gRPCs(encrypted) requests and proxies gRPC (not encrypted) request to a .NET service. The .NET gRPC framework checks the I solved the problem by setting the HCM option |
This mechanism is reasonable, but I think the |
|
yeah unfortunately many servers predate the x-forwarded-proto header, and so expect scheme to be the scheme of the original request. I think always setting scheme based on upstream crypto instead of defaulting to XFP is a reasonable request for a cluster configuration option but you'd probably need to find someone to sign on to implement it. Worth filing as its own feature request if you're interested. |
It looks that
:schemepseudo-header is missing in HTTP/1.x requests, which makes it impossible to use route-based actions based on HTTP vs HTTPS scheme.HTTP/1.1 request:
HTTP/2 request:
cc @howardjohn
The text was updated successfully, but these errors were encountered: