
Redirect loop on envoyproxy.io with default Docker image config on Safari/curl #17625

Closed
pkwarren opened this issue Aug 7, 2021 · 9 comments
Labels
question Questions that are neither investigations, bugs, nor enhancements stale stalebot believes this issue/PR has not been touched recently

Comments

@pkwarren

pkwarren commented Aug 7, 2021

Title: Getting 'Maximum redirects followed' with default Docker image config

Description:
Started envoy with docker run --pull=always --name=envoy -p 10000:10000 -p 9901:9901 envoyproxy/envoy:v1.19-latest.
When accessing in latest Safari via http://localhost:10000/ or curl -L http://localhost:10000/ I get a maximum redirects followed error.
I can also reproduce this from the command line with curl directly to www.envoyproxy.io.
When I update curl to accept Brotli encoding, the redirect loop is fixed: -H "Accept-Encoding: gzip, deflate, br".
If I leave off br encoding, I get the loop.
Things work fine when using latest Chrome browser.


Not working:

$ curl -sSL -v https://www.envoyproxy.io
*   Trying 52.73.87.228:443...
* TCP_NODELAY set
* Connected to www.envoyproxy.io (52.73.87.228) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3841 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [80 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=envoyproxy.io
*  start date: Jul 27 03:00:15 2021 GMT
*  expire date: Oct 25 03:00:13 2021 GMT
*  subjectAltName: host "www.envoyproxy.io" matched cert's "www.envoyproxy.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x56192a974860)
} [5 bytes data]
> GET / HTTP/2
> Host: www.envoyproxy.io
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [81 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
} [5 bytes data]
< HTTP/2 301
< cache-control: public, max-age=0, must-revalidate
< content-length: 42
< content-security-policy: frame-ancestors 'self';
< content-type: text/plain
< date: Fri, 06 Aug 2021 20:26:53 GMT
< age: 81962
< location: https://www.envoyproxy.io/
< x-nf-request-id: 01FCH0GM62PKADXF5Q9EWJRKR3
< server: Netlify
<
* Ignoring the response-body
{ [42 bytes data]
* Connection #0 to host www.envoyproxy.io left intact
* Issue another request to this URL: 'https://www.envoyproxy.io/'
* Found bundle for host www.envoyproxy.io: 0x56192a968090 [can multiplex]
* Re-using existing connection! (#0) with host www.envoyproxy.io
...
* Ignoring the response-body
{ [42 bytes data]
* Connection #0 to host www.envoyproxy.io left intact
* Issue another request to this URL: 'https://www.envoyproxy.io/'
* Found bundle for host www.envoyproxy.io: 0x56192a968090 [can multiplex]
* Re-using existing connection! (#0) with host www.envoyproxy.io
* Connected to www.envoyproxy.io (52.73.87.228) port 443 (#0)
* Using Stream ID: 63 (easy handle 0x56192a974860)
} [5 bytes data]
> GET / HTTP/2
> Host: www.envoyproxy.io
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
< HTTP/2 301
< cache-control: public, max-age=0, must-revalidate
< content-length: 42
< content-security-policy: frame-ancestors 'self';
< content-type: text/plain
< date: Fri, 06 Aug 2021 20:26:53 GMT
< age: 81964
< location: https://www.envoyproxy.io/
< x-nf-request-id: 01FCH0GNRB5GA1C9S8RA35G40J
< server: Netlify
<
* Ignoring the response-body
{ [42 bytes data]
* Connection #0 to host www.envoyproxy.io left intact
* Issue another request to this URL: 'https://www.envoyproxy.io/'
* Found bundle for host www.envoyproxy.io: 0x56192a968090 [can multiplex]
* Re-using existing connection! (#0) with host www.envoyproxy.io
* Connected to www.envoyproxy.io (52.73.87.228) port 443 (#0)
* Using Stream ID: 65 (easy handle 0x56192a974860)
} [5 bytes data]
> GET / HTTP/2
> Host: www.envoyproxy.io
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
< HTTP/2 301
< cache-control: public, max-age=0, must-revalidate
< content-length: 42
< content-security-policy: frame-ancestors 'self';
< content-type: text/plain
< date: Fri, 06 Aug 2021 20:26:53 GMT
< age: 81964
< location: https://www.envoyproxy.io/
< x-nf-request-id: 01FCH0GNSCE01V3E0SCJQ03YFM
< server: Netlify
<
* Ignoring the response-body
{ [42 bytes data]
* Connection #0 to host www.envoyproxy.io left intact
* Maximum (50) redirects followed
curl: (47) Maximum (50) redirects followed

Working:

$ curl -sSL -H "Accept-Encoding: gzip, deflate, br" -v https://www.envoyproxy.io
*   Trying 52.203.36.44:443...
* TCP_NODELAY set
* Connected to www.envoyproxy.io (52.203.36.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3841 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=envoyproxy.io
*  start date: Jul 27 03:00:15 2021 GMT
*  expire date: Oct 25 03:00:13 2021 GMT
*  subjectAltName: host "www.envoyproxy.io" matched cert's "www.envoyproxy.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5591c9720860)
} [5 bytes data]
> GET / HTTP/2
> Host: www.envoyproxy.io
> user-agent: curl/7.68.0
> accept: */*
> accept-encoding: gzip, deflate, br
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [81 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
} [5 bytes data]
< HTTP/2 200
< cache-control: public, max-age=0, must-revalidate
< content-security-policy: frame-ancestors 'self';
< content-type: text/html; charset=UTF-8
< date: Fri, 06 Aug 2021 20:25:53 GMT
< etag: "9f0c574f1045a3a87a6ec0372b5b4913-ssl-df"
< strict-transport-security: max-age=31536000
< x-nf-request-id: 01FCH0F7M67NAMDS8Z0J2Y50QF
< vary: Accept-Encoding
< content-encoding: br
< server: Netlify
< content-length: 3840
< age: 81976
<
{ [5 bytes data]
* Connection #0 to host www.envoyproxy.io left intact
@pkwarren pkwarren added the triage Issue requires triage label Aug 7, 2021
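An added example, not code from the issue or from the Envoy project: a small redirect follower that reports a loop the first time a Location header points back at a URL already visited, instead of burning curl's 50 round trips, exercised against a constructed stand-in for the 301-unless-br behaviour captured in the logs above. The fetcher, its header values and the hop limit are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECTS = (301, 302, 303, 307, 308)


def normalize(url):
    """Canonicalize a URL so different spellings of one location compare equal:
    lower-case scheme/host, drop the default port, use '/' for an empty path."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    default = (p.scheme == "https" and p.port == 443) or (p.scheme == "http" and p.port == 80)
    if p.port and not default:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), host, p.path or "/", p.query, ""))


def follow(fetch, url, headers=None, max_hops=10):
    """Follow redirects with fetch(url, headers) -> (status, response_headers).
    Returns (outcome, hops, url): outcome is 'ok', 'error', 'loop' or 'max_hops'.
    A loop is reported as soon as Location resolves to a URL already seen."""
    headers = dict(headers or {})
    seen = []
    cur = normalize(url)
    while True:
        seen.append(cur)
        status, resp = fetch(cur, headers)
        location = {k.lower(): v for k, v in resp.items()}.get("location")
        if status not in REDIRECTS or location is None:
            return ("ok" if status < 400 else "error"), len(seen) - 1, cur
        nxt = normalize(urljoin(cur, location))  # Location may be relative
        if nxt in seen:
            return "loop", len(seen), nxt
        if len(seen) >= max_hops:
            return "max_hops", len(seen), nxt
        cur = nxt


# Constructed stand-in for www.envoyproxy.io as observed in the issue:
# a 301 to itself unless the request advertises br, then a 200.
NETLIFY_301 = {"location": "https://www.envoyproxy.io/", "content-length": "42", "server": "Netlify"}


def fake_envoyproxy(url, headers):
    accept = {k.lower(): v for k, v in headers.items()}.get("accept-encoding", "")
    tokens = [t.strip().split(";")[0] for t in accept.split(",")]
    if "br" in tokens:
        return 200, {"content-type": "text/html; charset=UTF-8", "content-encoding": "br"}
    return 301, dict(NETLIFY_301)


if __name__ == "__main__":
    print(follow(fake_envoyproxy, "https://www.envoyproxy.io"))  # loop after 1 hop
    print(follow(fake_envoyproxy, "https://www.envoyproxy.io", {"Accept-Encoding": "gzip, deflate, br"}))
```

Swapping `fake_envoyproxy` for a real fetcher built on `http.client` turns this into a probe that flags a self-redirect on the first response rather than after curl's `(47) Maximum (50) redirects followed`.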
@mattklein123
Member

cc @alyssawilk who I think also saw this. I think this is an issue with Netlify (or our configuration of Netlify).

@mattklein123 mattklein123 added question Questions that are neither investigations, bugs, nor enhancements and removed triage Issue requires triage labels Aug 9, 2021
@alyssawilk
Contributor

yeah I'd tried to sort out what was maybe misconfigured with Netlify and failed to dig it up.
@richarddli do you have any ideas?

@alyssawilk
Contributor

cc @phlax as this was causing failures for one of our demo configs

@phlax
Member

phlax commented Aug 10, 2021

yep, this is a dupe of #17105 which is closed, but probs shouldn't be

I have a proposed fix here #17296 which I think is not a bad resolution, although the PR needs fixing

@phlax
Member

phlax commented Aug 10, 2021

re Netlify I'm not 100% clear whether there is a bug in Netlify or whether Envoy is giving headers such that a 301 would be a valid/expected response

I think if Netlify detects any hint of http it's valid to redirect, and on the Envoy side, as discussed previously, proxying http -> https is a bit of an anti-pattern - although I would expect it to work

if we are not happy with the resolution in #17296 and/or want to get to the bottom of this I guess the next step is dumping the headers that get sent to Netlify

@phlax
Member

phlax commented Aug 10, 2021

(or maybe given the involvement of SNI, it's not strictly headers - beyond my immediate understanding)

@phlax
Member

phlax commented Aug 10, 2021

just reading the ticket more thoroughly - iiuc adding the compression accept headers fixes the problem - if that is a correct understanding then I guess one possible resolution is to ensure Envoy requests that way (I still prefer my proposed solution of a simple welcome page)

@github-actions

github-actions bot commented Sep 9, 2021

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label Sep 9, 2021
@github-actions

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
