HTTP2 request on port 8080 with prior knowledge is being forwarded as HTTP1.1 by istio-proxy. #16059

Open
sanamsarath opened this issue Aug 5, 2019 · 2 comments

Comments

@sanamsarath

commented Aug 5, 2019

Bug description
We have a development cluster deployed with Istio 1.1.11, and all the outbound traffic from applications is rerouted via istio-proxy sidecars. We observed that the HTTP2 requests with prior knowledge on port 8080 are being forwarded as HTTP1.1 requests instead of HTTP2.

Tested running the same traffic on some random ports (e.g. port 15021) and on app containers with no proxy sidecars; it seems to run fine (HTTP2 requests are not modified to HTTP1.1).

Note: There are no virtual services or policies configured for this traffic.

attributes in configmap files:
outboundTrafficPolicy: ALLOW_ANY (istio/templates/configmap.yaml)
traffic.sidecar.istio.io/includeOutboundIPRanges: "*" (istio/templates/sidecar-injector-configmap.yaml)

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Expected behavior
The HTTP2 requests with prior knowledge should be forwarded as HTTP/2 requests.

Steps to reproduce the bug
Run some curl request with http2-prior-knowledge on port 8080.

Version (include the output of istioctl version --remote and kubectl version)
1.1.11

How was Istio installed?
Using helm charts

Environment where bug was observed (cloud vendor, OS, etc)
Bare metal, Kubernetes, CentOS

curl response logs
```
[root@smfcc-0-209-0-dbg-696dcbd484-76ch4 /]# curl -H "Content-Type: application/json" -X PUT "http:/10.71.33.249:8080/nudm-uecm/v1/imsi-456123000000586/registrations/smf-registrations/15" -d '{"dnn":"dnn1.att","pduSessionId":15,"plmnId":{"mcc":"456","mnc":"123"},"singleNssai":{"sst":1},"smfInstanceId":"46bb3328-41da-4662-8523-e1b6b84ee19a","supportedFeatures":"1"}' --http2-prior-knowledge -vvv
* Unwillingly accepted illegal URL using 1 slash!
* Trying 10.71.33.249...
* TCP_NODELAY set
* Connected to 10.71.33.249 (10.71.33.249) port 8080 (#0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558c27e0e440)
> PUT /nudm-uecm/v1/imsi-456123000000586/registrations/smf-registrations/15 HTTP/2
> Host: 10.71.33.249:8080
> User-Agent: curl/7.59.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 174
>
* We are completely uploaded and fine
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 503
< content-length: 95
< content-type: text/plain
< date: Mon, 05 Aug 2019 14:50:32 GMT
< server: envoy
<
* Connection #0 to host 10.71.33.249 left intact
upstream connect error or disconnect/reset before headers. reset reason: connection termination[root@smfcc-0-209-0-dbg-696dcbd484-76ch4 /]#
[root@smfcc-0-209-0-dbg-696dcbd484-76ch4 /]#
```

```
[root@smfcc-0-209-0-dbg-696dcbd484-76ch4 /]# curl -H "Content-Type: application/json" -X PUT "http:/10.71.33.249:15021/nudm-uecm/v1/imsi-456123000000586/registrations/smf-registrations/15" -d '{"dnn":"dnn1.att","pduSessionId":15,"plmnId":{"mcc":"456","mnc":"123"},"singleNssai":{"sst":1},"smfInstanceId":"46bb3328-41da-4662-8523-e1b6b84ee19a","supportedFeatures":"1"}' --http2-prior-knowledge -vvv
* Unwillingly accepted illegal URL using 1 slash!
* Trying 10.71.33.249...
* TCP_NODELAY set
* Connected to 10.71.33.249 (10.71.33.249) port 15021 (#0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55d03fe6c440)
> PUT /nudm-uecm/v1/imsi-456123000000586/registrations/smf-registrations/15 HTTP/2
> Host: 10.71.33.249:15021
> User-Agent: curl/7.59.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 174
>
* We are completely uploaded and fine
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: application/json
< content-length: 174
< server: asyncio-h2
<
* Connection #0 to host 10.71.33.249 left intact
{"dnn":"dnn1.att","pduSessionId":15,"plmnId":{"mcc":"456","mnc":"123"},"singleNssai":{"sst":1},"smfInstanceId":"46bb3328-41da-4662-8523-e1b6b84ee19a","supportedFeatures":"1"}[root@smfcc-0-209-0-dbg-696dcbd484-76ch4 /]#
[root@smfcc-0-209-0-dbg-696dcbd484-76ch4 /]#
```

Adding pcaps, pkts (407-436) for traffic on 8080 and (694-731) for traffic run on port 15021.
http2.zip
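
Added example, not part of the original post or of Istio's code: one way to confirm from a capture whether the bytes the sidecar sends upstream are still HTTP/2 with prior knowledge or have become HTTP/1.1. The function name `classify_stream` and both sample byte strings are assumptions constructed for illustration; feed it the first client-to-server payload bytes of a TCP stream extracted from your own pcap.

```python
import struct

# 24-byte client connection preface that opens an HTTP/2 connection (RFC 7540, section 3.5).
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
H1_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
              b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")
SETTINGS = 0x4  # HTTP/2 frame type that must follow the preface

# Constructed samples (not taken from the pcap attached to the issue).
SAMPLE_H2 = (H2_PREFACE + b"\x00\x00\x06\x04\x00\x00\x00\x00\x00"
             + b"\x00\x03\x00\x00\x00\x64")  # SETTINGS: MAX_CONCURRENT_STREAMS=100
SAMPLE_H1 = (b"PUT /nudm-uecm/v1/example HTTP/1.1\r\n"
             b"host: 10.71.33.249:8080\r\ncontent-length: 174\r\n\r\n")


def classify_stream(first_bytes: bytes) -> dict:
    """Classify the opening client-to-server bytes of one TCP stream."""
    if first_bytes.startswith(H2_PREFACE):
        result = {"protocol": "h2-prior-knowledge", "settings_ok": False}
        header = first_bytes[len(H2_PREFACE):len(H2_PREFACE) + 9]
        if len(header) == 9:
            # Frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id.
            hi, lo, ftype, _flags, stream = struct.unpack(">BHBBI", header)
            length = (hi << 16) | lo
            # A valid opening is a SETTINGS frame on stream 0 whose payload
            # is a whole number of 6-byte settings entries.
            result["settings_ok"] = (ftype == SETTINGS
                                     and stream & 0x7FFFFFFF == 0
                                     and length % 6 == 0)
        return result
    line, _, rest = first_bytes.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) == 3 and parts[0] in H1_METHODS and parts[2].startswith(b"HTTP/1."):
        headers = rest.split(b"\r\n\r\n", 1)[0].lower().split(b"\r\n")
        # "Upgrade: h2c" means the client asks to switch; it is still HTTP/1.1 on the wire.
        upgrade = any(h.replace(b" ", b"") == b"upgrade:h2c" for h in headers)
        return {"protocol": "h1-upgrade-h2c" if upgrade else "h1",
                "method": parts[0].decode(), "version": parts[2].decode()}
    return {"protocol": "unknown"}


if __name__ == "__main__":
    for name, data in (("h2 sample", SAMPLE_H2), ("h1 sample", SAMPLE_H1)):
        print(name, classify_stream(data))
```

A server that only speaks HTTP/2 with prior knowledge will reset a stream that opens like the second sample, which is consistent with the 503 and "connection termination" that Envoy reports on port 8080.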

@mandarjog

Contributor

commented Aug 6, 2019

How did you name your service port to indicate that it was h2?

@sanamsarath

Author

commented Aug 6, 2019

The traffic is destined to a server external to my cluster, and we don't have an egress gateway configured yet, so no service port exists. The curl request has the hard-coded IP address of the destination server.
