linkerd-proxy blocks actual proxy requests #6035
Comments
|
@divanikus What Linkerd version are you observing this on? This is probably a duplicate of #5951. I left my reproduction steps on that issue but was not able to see the CONNECT requests fail; they were going through for me. Since you are observing this, is there any chance you could try the latest edge |
|
Problem was observed at 2.10.0, nothing changed on egde-21.4.3. |
|
To be clear, I'm talking about outgoing requests, not the incoming ones. Proxy, by itself, is outside of the k8s cluster. |
|
@divanikus Can you share more details about the HTTP proxy? Does it require authentication? If so, how is authentication implemented? Can you share proxy logs with the annotation |
|
Closing due to inactivity. |
|
I bet it wasn't fixed. Unfortunately I didn't had time to reproduce the thing due my own vacation. Hopefully will post you more info this week. Didn't you tried at least curl something using an external proxy? |
|
@divanikus I mentioned my attempt at reproducing this that I left in a comment here. I confirmed that with an injected Nginx forward proxy, CONNECT requests were going through it fine. If you can provide a reproducible example where this fails that would be super helpful. We're glad to keep looking into it, but we'll definitely need more information to make progress. |
|
So, here's the thing. Everything works if you try to access a plain HTTP site behind a proxy. But if you would try to access HTTPS site, things do break. Outside of the cluster (or with disabled linkerd-proxy): Inside the cluster, with linkerd-proxy: |
|
I'm hitting this at the moment. For one particular outbound URL, I get the EXACT same curl output as @divanikus - does anyone have a fix, patch, or workaround for this? |
|
@trentmurray Do you have manifests for reproducing this? I attempted to reproduce this and was unable to. I observed the linkerd-proxy proxy requests to http/https sites. What forward proxy are you using? |
|
Mine proxies are outside of k8s cluster, try something like tinyproxy etc.
I can observe them too, but my app isn't getting any response. Eventhough all requests are ok on linkerd-web. |
|
@kleimkuhler - I'm not sure what forward proxies are to be honest. I have a very simple k8s cluster; Traefik ingress, linkerd meshing our application namespace, and that's it. We are experiencing this SSL handshake failure only on one URL, all others are completely fine. I'm trying to track down what on earth it could be, but not having much luck. Postman works, local curl works. I have to try outside of the namespace (or at least a pod not meshed); then I'll come back with the results. |
|
OK, @divanikus @kleimkuhler - my issue ended up being the NACL in AWS not having an egress rule for port 444 for the URL I was trying to access. The error from Linkerd was a red herring. My application container tried a python requests.post(), linkerd-proxy grabs that requests, and returns a SSL handshake issue, rather than connection time out. When I took the pod out of the mesh, it just sat there trying to connect to the server until it eventually timed out. |
|
Okay thanks for the update @trentmurray that is helpful and good to hear. @divanikus if Trent was seeing the same errors as you I'd be curious if you have the same issue going on? |
|
@kleimkuhler nope, i'm running on private cloud infrastructure, no restrictions on egresses. |
|
Hello everyone! |
|
@andronux There is no update from my side of things. I have still not been able to reproduce this with the steps I've provided above (linked in #5951). I'd be happy to look into this more, but until I receive reproduction steps or additional information that helps with me trying to reproduce it myself, I'm not sure there is more I can do. |
What happens when you unmesh the pod and then try to make an http request to the endpoint/port your trying to access? Do you still get SSL, or is it a timeout or other HTTP error? |
|
I have the same issue: everything works well when the pod is outside of the linked mesh. The test was done on the same cluster, but outside the linkerd, no extra egress rules on the cloud level added - and everything works well I've done some tests for pods inside linkerd mesh and results are following: Simple request - works: Proxied request works as well, when it's HTTP: HTTPS doesn't work: The error is : |
|
We have unsuccessfully attempted to reproduce this in the past. We're most likely to resolve this if someone can help provide kubernetes manifests that we can use to reproduce the issue locally. |
|
#8539 describes a similar problem which may cover some of the reports in this issue--it hard to say without more details. I've pushed a proxy image (which will be included in this week's edge release) that can be used for testing: |
|
Hi @olix0r , I've tested this with edge-22.6.2 and can still reproduce it. Here's a write up and steps for you to hopefully also reproduce it 🤞 https://github.com/jon-walton/linkerd2-repro-6035 |
|
@jon-walton I'll look into this again with your repo. Thanks for putting it together! |
|
After some investigation it looks like the issue has been figured out, but it'd be great to have some confirmation from the participants of this issue. The issue is related to the HTTP version that the forward proxy is responding with. The CONNECT method was introduced in HTTP/1.1; when a forward proxy responds with that version, the Linkerd proxy knows that the forward proxy supports the request and it completes successfully. However, there seem to be cases where the forward proxy is responding to CONNECT requests with HTTP/1.0. When the Linkerd proxy sees it's interacting with server with that version, it doesn't attempt to send the request because the server shouldn't support that HTTP method. We can see this happen with the tinyproxy example @jon-walton provided. When we This is surprising because if tinyproxy is correctly serving HTTP/1.0, it shouldn't be responding to CONNECT requests with Earlier in this issue I referenced when I last tried to reproduce this (comment) without success. This is because the forward proxy I was using was properly responding with HTTP/1.1. @divanikus based off the original issue description this seems to be the issue for you as well. Are you able to confirm this using a forward proxy that responds with the expected server version? @jon-walton @AKishchak @trentmurray it'd be helpful if you can provide the forward proxies that you were using when you encountered this issue. It's easy to say that this issue is actually with the forward proxies and not Linkerd proxy, but if this is a common enough issue it may be worth enumerating the forward proxies that are responding with incorrect versions for future debugging. |
|
@kleimkuhler for my test, I'm using tinyproxy 1.11.0. version 1.11.1 adds support for returning the correct http version (tinyproxy/tinyproxy@a869e71) which seems promising but not quite... Unfortunately it looks like it's hard coded to respond with If I hard code it to I'll update the issue on the tinyproxy side tinyproxy/tinyproxy#152 (too dangerous for me to try fix 😉), but our infra is also running an older version which I probably won't be able to update quickly 🤔 |
|
@kleimkuhler i've also updated my repro-repo with the "fix" for tinyproxy https://github.com/jon-walton/linkerd2-repro-6035 for you to confirm on your side if you need |
|
Awesome thanks for the quick reply and updating the repro @jon-walton! This checks out with what I observed and I'm glad to see the fix is at least in progress on tinyproxy. I'm going to leave this open for additional replies, but this does seem like something that more than one forward proxies handle incorrectly. I don't think we'll be making any changes to the Linkerd proxy to close this. |
The issue linkerd/linkerd2#6035 describes a situation where Linkerd rejects HTTP/1.1 CONNECT requests because the remote (non-Linkerd) forward proxy returns a successful response that erroneously has the wrong HTTP version (HTTP/1.0). Since the CONNECT method does not exist in the HTTP/1.0 protocol, Linkerd does not treat this response as a CONNECT. It turns out that in the accursed Real World, some HTTP forward proxies actually do return the wrong protocol version when successfully handling CONNECT requests. We don't want to remove the check that the protocol version is correct, because it could lead to us incorrectly treating responses to CONNECTs as establishing a tunnel when they don't actually do that. However, in order to make it easier for future users who encounter issues where other proxies return wrong HTTP versions for CONNECT responses, it might be nice to log a warning, so that users can determine *why* their CONNECT requests aren't working. This branch changes the proxy to log a warning if a successful response to a CONNECT request had the wrong HTTP version. We won't log the warning if the response is not a success or if the request was not a CONNECT, so it should only cover this specific case.
|
Closing this for now. You'll see from the change above (linkerd/linkerd2-proxy#1827) that we will also log these responses when they occur. |
) * http: log a warning when a CONNECT response has the wrong version The issue linkerd/linkerd2#6035 describes a situation where Linkerd rejects HTTP/1.1 CONNECT requests because the remote (non-Linkerd) forward proxy returns a successful response that erroneously has the wrong HTTP version (HTTP/1.0). Since the CONNECT method does not exist in the HTTP/1.0 protocol, Linkerd does not treat this response as a CONNECT. It turns out that in the accursed Real World, some HTTP forward proxies actually do return the wrong protocol version when successfully handling CONNECT requests. We don't want to remove the check that the protocol version is correct, because it could lead to us incorrectly treating responses to CONNECTs as establishing a tunnel when they don't actually do that. However, in order to make it easier for future users who encounter issues where other proxies return wrong HTTP versions for CONNECT responses, it might be nice to log a warning, so that users can determine *why* their CONNECT requests aren't working. This branch changes the proxy to log a warning if a successful response to a CONNECT request had the wrong HTTP version. We won't log the warning if the response is not a success or if the request was not a CONNECT, so it should only cover this specific case. * format version with debug Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Bug Report
What is the issue?
We have several apps which access resources behind our corporate proxy. They use HTTP Proxy requests (CONNECT, etc) for that. It appears that linkerd-proxy sidecars effectively block all proxy request, so the simply doesn't get any responses. However, linkerd-viz shows that requests as actually happening and successfully finished.
How can it be reproduced?
Just run chromium browser with http proxy enabled.
The text was updated successfully, but these errors were encountered: