disable http/2 for websockets

[calebdoxsey]

Summary

I guess you can't use http/2 with websockets because they use the same header field. This PR updates the envoy config to explicitly disable http/2 when using web sockets.

Related issues

• Websocket not working if the upstream is HTTPS #2388

Checklist

• reference any related issues
• updated docs
• updated unit tests
• updated UPGRADING.md
• add appropriate tag (improvement / bug / etc)
• ready for review

[codeclimate]

Code Climate has analyzed commit 101c29c and detected 0 issues on this pull request.

View more on Code Climate.

[coveralls]

Coverage decreased (-0.05%) to 65.358% when pulling 101c29c on cdoxsey/2388-fix-websockets into d9bc9d7 on master.

[wasaga]

I tried that; it did not fix my test using streamlit.io as websocket server

policy:
  - name: ws-1
    from: https://ws1.localhost.pomerium.io
    to: http://localhost:8501
    allow_websockets: true
    allow_public_unauthenticated_access: true
  - name: ws-2
    from: https://ws2.localhost.pomerium.io
    to: https://ws1.localhost.pomerium.io
    allow_websockets: true
    allow_public_unauthenticated_access: true
    tls_custom_ca_file: "/path/to/mkcert/rootCA.pem"

[calebdoxsey]

It works for me. Can you provide concrete feedback. Or should I just close this PR too?

[calebdoxsey]

FWIW https://gist.github.com/calebdoxsey/b2040f758c91fa306178fa3fff3e2162

[wasaga]

your test environment is different, and yes this PR fixes it for that case.

the reason my configuration still does not work is different, I'll file a separate ticket about it.

[desimone]

Could we abstract out into a little sub function?

[desimone]

Could you add some contextualizing comments to this case? The fallthrough and empty default is uncommon enough where I'm not sure what it does without searching.

[calebdoxsey]

there are already comments. I don't know what else to add. I will remove the default case.

[desimone]

Can we add a log message to make clear we are using HTTP1 on this policy because websockets was set?

[desimone]

To that point, I think we could abstract this little loop into a small function and call it directly in buildPolicyEndpoints and buildCluster?

[calebdoxsey]

This will be very noisy, but ok.

[desimone]

Having an additional function argument for upstreamProtocol here feels weird to me since we already have the info we need in policy *config.Policy to determine the upstreamProtocol.

[desimone]

Welp, guess I missed the bus on this PR. 😆

edit: I think the code is fine, but would prefer not to keep adding to the list of function arguments if the information we need (upstreamProtocol) is already available available in another function argument (policy) and is deterministic and insignificant perf impact.