Description:
I am attempting to use Envoy to pass traffic to various clusters based on SNI. I followed How do I setup SNI? but omitted the tls_context configuration as I do not want to terminate TLS in Envoy. When making requests, I get ERR_SSL_PROTOCOL_ERROR from my browser, and I see dispatch error: http/1.1 protocol error: HPE_INVALID_METHOD in the Envoy logs. I would expect the traffic to be routed to the appropriate cluster.
Looking at the request in Wireshark, I believe I'm getting a plain HTTP 400 as a response to the client hello, but I'm not sure why. If I add the appropriate certificates in the tls_context configuration block, everything works as expected. If I make a direct request to my server, it also succeeds. Am I misunderstanding the functionality described in #1843 perhaps?
Repro steps:
Run the envoyproxy/envoy-dev:latest Docker image with the config below linked in and passed as the config param (something like sudo docker run --rm -it -p 443:443 -p 9901:9901 -v /path/to/config:/config envoyproxy/envoy-dev:latest -c /config/config.yaml -l debug).
Make an HTTPS request on 443 with the appropriate domain (curl -v https://www.foo.bar has been my test, or a call via Chrome).
I've removed the domain for privacy concerns, but foo.bar in the example is replaced by a domain that resolves to 127.0.0.1. Requests to https://www.foo.bar:8443 are successful.
Logs:
[2019-07-11 14:00:07.357][12][debug][filter] [source/extensions/filters/listener/tls_inspector/tls_inspector.cc:72] tls inspector: new connection accepted
[2019-07-11 14:00:07.358][13][debug][main] [source/server/connection_handler_impl.cc:80] [C1] adding to cleanup list
[2019-07-11 14:00:07.358][14][debug][main] [source/server/connection_handler_impl.cc:80] [C0] adding to cleanup list
[2019-07-11 14:00:07.358][12][debug][filter] [source/extensions/filters/listener/tls_inspector/tls_inspector.cc:118] tls:onServerName(), requestedServerName: www.foo.bar
[2019-07-11 14:00:07.359][12][debug][main] [source/server/connection_handler_impl.cc:280] [C2] new connection
[2019-07-11 14:00:07.360][12][debug][http] [source/common/http/conn_manager_impl.cc:281] [C2] dispatch error: http/1.1 protocol error: HPE_INVALID_METHOD
[2019-07-11 14:00:07.360][12][debug][connection] [source/common/network/connection_impl.cc:101] [C2] closing data_to_write=66 type=2
[2019-07-11 14:00:07.360][12][debug][connection] [source/common/network/connection_impl.cc:651] [C2] setting delayed close timer with timeout 1000 ms
[2019-07-11 14:00:07.360][12][debug][connection] [source/common/network/connection_impl.cc:580] [C2] write flush complete
[2019-07-11 14:00:07.361][12][debug][connection] [source/common/network/connection_impl.cc:477] [C2] remote early close
[2019-07-11 14:00:07.361][12][debug][connection] [source/common/network/connection_impl.cc:188] [C2] closing socket: 0
[2019-07-11 14:00:07.361][12][debug][main] [source/server/connection_handler_impl.cc:80] [C2] adding to cleanup list
[2019-07-11 14:00:09.475][1][debug][main] [source/server/server.cc:170] flushing stats
@davidamin for SSL passthrough, you need to use tcp_proxy, and not http_connection_manager. The payload is encrypted, so there is no HTTP for Envoy to see.
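The setup the reply above describes, as an added example that is not taken from the issue or from the Envoy project: SNI-based routing with tls_inspector and tcp_proxy, written against the v3 API rather than the 2019 format the report used. The second hostname, the cluster names, the stat prefixes and the backend addresses are assumptions.

```yaml
# Added example (Envoy v3 API); names, second hostname and backend addresses are assumed.
static_resources:
  listeners:
  - name: sni_passthrough
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    listener_filters:
    # Reads the plaintext ClientHello to learn the SNI; it does not decrypt anything.
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    # No transport_socket (tls_context in the 2019 API): TLS is not terminated here.
    - filter_chain_match: { server_names: ["www.foo.bar"] }
      filters:
      - name: envoy.filters.network.tcp_proxy   # not http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: foo_passthrough
          cluster: foo_backend
    - filter_chain_match: { server_names: ["api.foo.bar"] }
      filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: api_passthrough
          cluster: api_backend
  clusters:
  - name: foo_backend
    type: STRICT_DNS
    connect_timeout: 5s
    load_assignment:
      cluster_name: foo_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8443 }
  - name: api_backend
    type: STRICT_DNS
    connect_timeout: 5s
    load_assignment:
      cluster_name: api_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9443 }
```

A ClientHello with no SNI, or with a name that matches neither `server_names` entry, matches no filter chain and the connection is closed. SNI is a client-supplied routing hint, so in passthrough mode the backend's own certificate and authentication still decide who is trusted, and Envoy cannot apply HTTP-level filters or access logging to the encrypted stream.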
HPE_INVALID_METHOD while using SSL passthrough