-
Notifications
You must be signed in to change notification settings - Fork 271
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
inbound: Use ALPN to determine transport header #895
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The inbound proxy does not need to transparently detect transport headers. The header is always indicated by TLS protocol negotiation. This change decouples the `transport-header` module from the `Detect` trait. The inbound direct stack is modified to require a transport header when ALPN has determined that a header should be expected. Legacy HTTP gateway support is attempted when no header is negotiated. This sets up changes to the `Detect` server implementation.
hawkw
approved these changes
Feb 2, 2021
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm overall! commented on a couple of nits
@@ -238,13 +242,22 @@ impl TryFrom<(tls::ConditionalServerTls, listen::Addrs)> for ClientInfo { | |||
} | |||
} | |||
|
|||
impl ClientInfo { | |||
fn header_negotiated(&self) -> bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit/TIOLI: i might prefer
Suggested change
fn header_negotiated(&self) -> bool { | |
fn is_header_negotiated(&self) -> bool { |
olix0r
added a commit
to linkerd/linkerd2
that referenced
this pull request
Feb 3, 2021
This release changes HTTP protocol detection to prevent timeout errors in two ways: 1. HTTP detection no longer blocks until a newline is read. We've reverted to relying on a single read to make a determination. 2. Detection timeouts are no longer terminal. When a timeout is encountered, we continue forwarding the connection as an opaque TCP connection. These changes may lead to false-negatives--we may fail to detect some HTTP streams--but it should prevent many avoidable detection errors. This release also makes improvements for multicluster gateways, improving caching so that profile lookups are only performed once per target service. Diagnostic `stack_*` metrics have been moved so that they track underlying services, ignoring fail-fast. This should help us get better insights into services that are in failfast. Finally, the opencensus exporter has been improved to ensure that trace events are flushed if the trace buffer is not filled within a timeout. --- * actions: Update actions to use full SHAs (linkerd/linkerd2-proxy#885) * http: Parameterize normalize_ur::DefaultAuthority (linkerd/linkerd2-proxy#886) * http: Parameterize the HTTP server (linkerd/linkerd2-proxy#887) * opencensus: rewrite span exporter using async/await (linkerd/linkerd2-proxy#789) * Update http::Insert to use `Param` (linkerd/linkerd2-proxy#889) * Update crate dependencies (linkerd/linkerd2-proxy#892) * stack: Make the router fallible (linkerd/linkerd2-proxy#888) * Track stack metrics within failfast (linkerd/linkerd2-proxy#891) * outbound: Avoid building balancers when no concrete name (linkerd/linkerd2-proxy#890) * inbound: Cache HTTP gateways per destination (linkerd/linkerd2-proxy#893) * Reorganize the gateway crate (linkerd/linkerd2-proxy#897) * Bias HTTP detection towards availability (linkerd/linkerd2-proxy#894) * inbound: Use ALPN to determine transport header (linkerd/linkerd2-proxy#895) * detect: Return unknown protocol on detection timeout (linkerd/linkerd2-proxy#896) * Extract protocol detection into the gateway crate (linkerd/linkerd2-proxy#898)
olix0r
added a commit
to linkerd/linkerd2
that referenced
this pull request
Feb 3, 2021
This release changes HTTP protocol detection to prevent timeout errors in two ways: 1. HTTP detection no longer blocks until a newline is read. We've reverted to relying on a single read to make a determination. 2. Detection timeouts are no longer terminal. When a timeout is encountered, we continue forwarding the connection as an opaque TCP connection. These changes may lead to false-negatives--we may fail to detect some HTTP streams--but it should prevent many avoidable detection errors. This release also makes improvements for multicluster gateways, improving caching so that profile lookups are only performed once per target service. Diagnostic `stack_*` metrics have been moved so that they track underlying services, ignoring fail-fast. This should help us get better insights into services that are in failfast. Finally, the opencensus exporter has been improved to ensure that trace events are flushed if the trace buffer is not filled within a timeout. --- * actions: Update actions to use full SHAs (linkerd/linkerd2-proxy#885) * http: Parameterize normalize_ur::DefaultAuthority (linkerd/linkerd2-proxy#886) * http: Parameterize the HTTP server (linkerd/linkerd2-proxy#887) * opencensus: rewrite span exporter using async/await (linkerd/linkerd2-proxy#789) * Update http::Insert to use `Param` (linkerd/linkerd2-proxy#889) * Update crate dependencies (linkerd/linkerd2-proxy#892) * stack: Make the router fallible (linkerd/linkerd2-proxy#888) * Track stack metrics within failfast (linkerd/linkerd2-proxy#891) * outbound: Avoid building balancers when no concrete name (linkerd/linkerd2-proxy#890) * inbound: Cache HTTP gateways per destination (linkerd/linkerd2-proxy#893) * Reorganize the gateway crate (linkerd/linkerd2-proxy#897) * Bias HTTP detection towards availability (linkerd/linkerd2-proxy#894) * inbound: Use ALPN to determine transport header (linkerd/linkerd2-proxy#895) * detect: Return unknown protocol on detection timeout (linkerd/linkerd2-proxy#896) * Extract protocol detection into the gateway crate (linkerd/linkerd2-proxy#898)
jijeesh
pushed a commit
to jijeesh/linkerd2
that referenced
this pull request
Mar 23, 2021
This release changes HTTP protocol detection to prevent timeout errors in two ways: 1. HTTP detection no longer blocks until a newline is read. We've reverted to relying on a single read to make a determination. 2. Detection timeouts are no longer terminal. When a timeout is encountered, we continue forwarding the connection as an opaque TCP connection. These changes may lead to false-negatives--we may fail to detect some HTTP streams--but it should prevent many avoidable detection errors. This release also makes improvements for multicluster gateways, improving caching so that profile lookups are only performed once per target service. Diagnostic `stack_*` metrics have been moved so that they track underlying services, ignoring fail-fast. This should help us get better insights into services that are in failfast. Finally, the opencensus exporter has been improved to ensure that trace events are flushed if the trace buffer is not filled within a timeout. --- * actions: Update actions to use full SHAs (linkerd/linkerd2-proxy#885) * http: Parameterize normalize_ur::DefaultAuthority (linkerd/linkerd2-proxy#886) * http: Parameterize the HTTP server (linkerd/linkerd2-proxy#887) * opencensus: rewrite span exporter using async/await (linkerd/linkerd2-proxy#789) * Update http::Insert to use `Param` (linkerd/linkerd2-proxy#889) * Update crate dependencies (linkerd/linkerd2-proxy#892) * stack: Make the router fallible (linkerd/linkerd2-proxy#888) * Track stack metrics within failfast (linkerd/linkerd2-proxy#891) * outbound: Avoid building balancers when no concrete name (linkerd/linkerd2-proxy#890) * inbound: Cache HTTP gateways per destination (linkerd/linkerd2-proxy#893) * Reorganize the gateway crate (linkerd/linkerd2-proxy#897) * Bias HTTP detection towards availability (linkerd/linkerd2-proxy#894) * inbound: Use ALPN to determine transport header (linkerd/linkerd2-proxy#895) * detect: Return unknown protocol on detection timeout (linkerd/linkerd2-proxy#896) * Extract protocol detection into the gateway crate (linkerd/linkerd2-proxy#898) Signed-off-by: Jijeesh <jijeesh.ka@gmail.com>
jijeesh
pushed a commit
to jijeesh/linkerd2
that referenced
this pull request
Apr 21, 2021
This release changes HTTP protocol detection to prevent timeout errors in two ways: 1. HTTP detection no longer blocks until a newline is read. We've reverted to relying on a single read to make a determination. 2. Detection timeouts are no longer terminal. When a timeout is encountered, we continue forwarding the connection as an opaque TCP connection. These changes may lead to false-negatives--we may fail to detect some HTTP streams--but it should prevent many avoidable detection errors. This release also makes improvements for multicluster gateways, improving caching so that profile lookups are only performed once per target service. Diagnostic `stack_*` metrics have been moved so that they track underlying services, ignoring fail-fast. This should help us get better insights into services that are in failfast. Finally, the opencensus exporter has been improved to ensure that trace events are flushed if the trace buffer is not filled within a timeout. --- * actions: Update actions to use full SHAs (linkerd/linkerd2-proxy#885) * http: Parameterize normalize_ur::DefaultAuthority (linkerd/linkerd2-proxy#886) * http: Parameterize the HTTP server (linkerd/linkerd2-proxy#887) * opencensus: rewrite span exporter using async/await (linkerd/linkerd2-proxy#789) * Update http::Insert to use `Param` (linkerd/linkerd2-proxy#889) * Update crate dependencies (linkerd/linkerd2-proxy#892) * stack: Make the router fallible (linkerd/linkerd2-proxy#888) * Track stack metrics within failfast (linkerd/linkerd2-proxy#891) * outbound: Avoid building balancers when no concrete name (linkerd/linkerd2-proxy#890) * inbound: Cache HTTP gateways per destination (linkerd/linkerd2-proxy#893) * Reorganize the gateway crate (linkerd/linkerd2-proxy#897) * Bias HTTP detection towards availability (linkerd/linkerd2-proxy#894) * inbound: Use ALPN to determine transport header (linkerd/linkerd2-proxy#895) * detect: Return unknown protocol on detection timeout (linkerd/linkerd2-proxy#896) * Extract protocol detection into the gateway crate (linkerd/linkerd2-proxy#898) Signed-off-by: Jijeesh <jijeesh.ka@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The inbound proxy does not need to transparently detect transport
headers. The header is always indicated by TLS protocol negotiation.
This change decouples the
transport-header
module from theDetect
trait. The inbound direct stack is modified to require a transport
header when ALPN has determined that a header should be expected. Legacy
HTTP gateway support is attempted when no header is negotiated.
This sets up changes to the
Detect
server implementation.