linkerd 2.10 regression when meshing a forward-proxy #5951
Comments
@Esardes It would be helpful if you are able to test a more recent edge such as Meanwhile I started working on trying to reproduce this myself and don't have a significant update yet. While I work on setting up a repro, it'd be helpful if you can update me that this issue does or does not persist on
@Esardes I have created an Nginx forward proxy and tested this on The forward proxy image is

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-1
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx-1
      template:
        metadata:
          labels:
            app: nginx-1
        spec:
          containers:
          - name: nginx-1
            image: ghcr.io/kleimkuhler/nginx-forward-proxy:v0.0.1
            imagePullPolicy: Always
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          securityContext: {}
          terminationGracePeriodSeconds: 30

    $ kubectl exec nginx-1-bff6c67cf-m84vs -it -- bash -il
    # curl httpbin.org directly
    root@nginx-1-bff6c67cf-m84vs:/# curl https://httpbin.org/ip
    {
      "origin": "34.86.52.153"
    }
    # curl httpbin.org through forward-proxy port 3128
    root@nginx-1-bff6c67cf-m84vs:/# curl -x localhost:3128 https://httpbin.org/ip
    {
      "origin": "34.86.52.153"
    }
    # pass -v to confirm CONNECT frame is sent/received correctly
    root@nginx-1-bff6c67cf-m84vs:/# curl -x localhost:3128 -v https://httpbin.org/ip
    ...
    > CONNECT httpbin.org:443 HTTP/1.1
    > Host: httpbin.org:443
    > User-Agent: curl/7.64.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection Established
    < Proxy-agent: nginx
    <
    * Proxy replied 200 to CONNECT request
    * CONNECT phase completed!
    ...

So this confirms
Please let me know if you can provide any additional details or confirm that this works for you as well. Also, it would be really helpful if you can still test
Closing due to inactivity.
Bug Report
What is the issue?
In linkerd < 2.10, I could mesh a pod and a forward proxy and use my proxy from my pod as any other service.
Now I get different errors in different cases.
How can it be reproduced?
Have a meshed forward proxy, an unmeshed one, a meshed pod, and an unmeshed one at the ready.
Errors mentioned below can be found here
Tests return:
curl -x proxy-unmeshed:80 --insecure https://httpbin.org/ip
WORKS
curl -x proxy-meshed:80 --insecure https://httpbin.org/ip
FAILS with ERROR1
curl -x proxy-unmeshed:80 --insecure https://httpbin.org/ip
FAILS with ERROR2
curl -x proxy-meshed:80 --insecure https://httpbin.org/ip
FAILS with ERROR2
Now same if I try to reach http://httpbin.org/ip (no ssl)
Unauthorized - my proxy auth headers seem to never reach our proxy-pod behind linkerd-proxy
Logs, error output, etc
I capture some logs with level debug when trying to reach an unmeshed proxy from a meshed-pod
linkerd check output
Environment
Possible solution
@olix0r mentioned it could be "I'm not immediately sure what's going on but we might be handling CONNECT poorly?" but I am clueless
Additional context
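The following is an added example, not code from this issue thread or from the Linkerd project: a small diagnostic for the symptom reported above, where a `Proxy-Authorization` header sent with `CONNECT` never seems to reach the forward proxy. The stub proxy, the function names and the sample credential are constructed for illustration.

```python
import socket
import threading

def read_head(sock):
    """Read until the blank line that ends an HTTP head; return (start_line, headers)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:          # peer closed before a full head arrived
            break
        buf += chunk
    lines = buf.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def send_connect(proxy_addr, target, proxy_auth=None, timeout=5.0):
    """Send CONNECT for target to proxy_addr; return (status_code, reply_headers)."""
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if proxy_auth is not None:
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    with socket.create_connection(proxy_addr, timeout=timeout) as s:
        s.sendall(("\r\n".join(lines) + "\r\n\r\n").encode("ascii"))
        status_line, headers = read_head(s)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        # An empty or truncated reply means something on the path dropped the tunnel.
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1]), headers

def start_stub_proxy(seen):
    """Constructed stand-in for the forward proxy: records each request's headers
    in `seen`, answers 200 if Proxy-Authorization arrived, otherwise 407."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                _, headers = read_head(conn)
                seen.append(headers)
                if "proxy-authorization" in headers:
                    conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
                else:
                    conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                                 b'Proxy-Authenticate: Basic realm="stub"\r\n\r\n')
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

Running the stub in place of the forward proxy and comparing what lands in `seen` on the meshed and unmeshed paths shows whether the header is lost before it reaches the proxy.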