-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Envoy not removing HTTP/1.1 TE
and Connection
header for HTTP/2 backend.
#8623
Comments
I thought we had fixed this previously but maybe not. @alyssawilk @PiotrSikora any comment? |
I had a similar (edit: not quite the same) complaint over on #5541 |
I'll take a look at this |
I'm reading through #5541 and one comment stands out:
I feel we should limit the sanitization of the TE header only if the outbound connection is H2 and the header contains a value other than "trailers". This change would be a subset of what was proposed in #5541. Rfc7540 https://tools.ietf.org/html/rfc7540#section-8.1.2 does give some guidance on how these headers should be handled by a proxy, though I'd prefer to take a conservative approach:
|
If you only sanitize https://tools.ietf.org/html/rfc7230#section-4.3
The approach by the RFC for HTTP/1.1 and HTTP/2 seem to make sense to me. Remove the associated connection-option headers and optionally replace them with values that the intermediary/proxy understands because these are hop-by-hop parameters. re: conservative approach. Do you mean not doing the
|
For background, it turns out this happens in a default user agent configuration. I was seeing the values
|
What I meant by being conservative was that this change would strictly operate on and remove the TE, and Connection headers. In another RFC there were additional headers that it identified can be removed. In rfc7230 (https://tools.ietf.org/html/rfc7230#section-4.3), it says:
To me, this justifies the header removal if we find any value for it other than "trailers". I think my earlier idea of restricting this just to HTTP/2 might be too restrictive. I agree that HTTP/1 requests should be sanitized also. |
Based on your PR, it looks like headers nominated besides e.g. I think I was thinking of this process to handle the RFC requirements: For every token mentioned in the
If it's a HTTP/2 backend, remove the The above doesn't include the |
Yes, we should remove all headers nominated by the Regarding the |
Description: Sanitize headers nominated by the Connection header Risk Level: Medium Testing: Added several test cases to verify the header manipulation. Also executed bazel test //test/... Docs Changes: N/A Release Notes: N/A Fixes: #8623 Signed-off-by: Alvin Baptiste <alvinsb@gmail.com>
I'm having this problem with envoy version 1.25.4.
|
Looks like the same problem I reported here: #30362 |
Title: HTTP/1.1
TE
andconnection
headers are not being removed when making calls to HTTP/2 backends.Description:
If you make a HTTP/1.1 request than includes a
TE
header with a valid HTTP/1.1 value likeTE: gzip
orTE: deflate,gzip;q=0.3
along withConnection: TE, close
, it will be passed along to the HTTP/2 backend where it causes a503
since it's invalid for HTTP/2.Shouldn't Envoy be removing the
TE
andConnection
header when making the backend HTTP/2 request? The RFC mentionsRepro steps:
You can see this with a frontend and service envoy. A HTTP/1.1 request goes to the frontend and it creates a HTTP/2 connection to the backend with the
TE: gzip
header.HTTP/1.1 envoy front *:8080 -> HTTP/2 envoy service *:9080 (static response)
test-envoy-frontend.yaml
test-envoy-backend.yaml
Run the envoys (I happened to use this build from Oct 9th. It also happens in the v1.11.2 release):
Actual without TE header:
This works as expected.
Actual with TE trailers:
This works because
TE: trailers
is the only valid value in HTTP/2 per section 8.1.2.2.Actual with TE gzip
This does not work because Envoy is passing the
TE: gzip
header to a HTTP/2 backend and that's not valid.When running in trace on the backend Envoy, it is complaining about
gzip
:Workaround 1:
A simple workaround is to have the frontend Envoy strip out the
TE
header with therequest_headers_to_remove: ["TE"]
option so it isn't passed along to the HTTP/2 connection.That seems acceptable since RFC 7230 says:
Workaround 2
I could also disable the HTTP/2 backend connections via commenting out
http2_protocol_options: {}
.The text was updated successfully, but these errors were encountered: