
Behavior on non-existent wildcard URLs #2738

Closed
moderation opened this issue Jul 28, 2020 · 4 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needsGrooming Needs additional information

Comments

@moderation

What steps did you take and what happened:
When requesting a non-existent wildcard URL, Contour 1.3.0 returns an SSL error in the browser. In Contour 1.6.1 the connection hangs, not returning the 404 that is the expected behavior, and doesn't return an SSL error.

Valid URL

NGINX

httpstat https://prometheus.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>/status

Connected to XXX.XX.XX.XX:443

HTTP/2.0 200 OK
Server: openresty/1.15.8.1
Content-Type: text/html; charset=utf-8
Date: Mon, 27 Jul 2020 20:32:42 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
TLS version: TLS 1.2
CipherSuite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
NegotiatedProtocol: h2

Envoy 1.3.0

httpstat https://prometheus.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>:8443/status

Connected to XXX.XX.XX.XX:8443

HTTP/2.0 200 OK
Server: envoy
Content-Type: text/html; charset=utf-8
Date: Mon, 27 Jul 2020 20:33:43 GMT
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 6
TLS version: TLS 1.3
CipherSuite: TLS_AES_128_GCM_SHA256
NegotiatedProtocol: h2

Envoy 1.6.1

httpstat https://prometheus.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>/status

Connected to XXX.XX.XX.XX:443

HTTP/2.0 200 OK
Server: envoy
Content-Type: text/html; charset=utf-8
Date: Mon, 27 Jul 2020 20:31:54 GMT
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 11
TLS version: TLS 1.3
CipherSuite: TLS_AES_128_GCM_SHA256
NegotiatedProtocol: h2

Invalid URL

NGINX

httpstat https://prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>/status

Connected to XXX.XX.XX.XX:443

HTTP/2.0 404 Not Found
Server: openresty/1.15.8.1
Content-Length: 159
Content-Type: text/html
Date: Mon, 27 Jul 2020 21:08:36 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
TLS version: TLS 1.2
CipherSuite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
NegotiatedProtocol: h2

Envoy 1.3.0

httpstat https://prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>:8443/status

Connected to XXX.XX.XX.XXX:8443
2020/07/27 21:09:47 failed to read response: Get "https://prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>:8443/status": read tcp XX.XXX.XXX.XX:44728->XXX.XX.XX.XXX:8443: read: connection reset by peer

In Chrome this shows an error page "This site can't be reached", "The connection was reset", "ERR_CONNECTION_RESET".

In Firefox this shows an error page "Secure Connection Failed", "PR_CONNECTION_RESET_ERROR".

Envoy 1.6.1

httpstat https://prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>/status

Connected to XXX.XX.XX.XX:443

It hangs here. A verbose curl shows it makes an HTTP connection, negotiates h2 and then hangs.

curl -v https://prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>/status
*   Trying XXX.XX.XX.XX...
* TCP_NODELAY set
* Connected to <proxy>.<domain>.<suffix> (XXX.XX.XX.XXX) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>:443
> CONNECT prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>:443 HTTP/1.1
> Host: prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=<COUNTRY>; ST=<STATE>; L=<STATE>; O=<ORG>; OU=<ORG>; CN=<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>
*  start date: Apr 29 22:27:09 2020 GMT
*  expire date: Apr 29 22:27:09 2022 GMT
*  subjectAltName: host "prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>" matched cert's "*.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>"
*  issuer: DC=<suffix>; DC=<domain>; DC=XXXXXX; CN=XXXXXXXXX
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x5601d5a5f740)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /status HTTP/2
> Host: prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>
> User-Agent: curl/7.61.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):

What did you expect to happen:
404 on non-existent wildcard URL

Environment:

  • Contour version: 1.3.0 and 1.6.1
  • Kubernetes version: (use kubectl version): 1.17.4
  • Kubernetes installer & version: 1.17.4
  • Cloud provider or hardware configuration: On-premise
  • OS (e.g. from /etc/os-release): RHEL7
@moderation (Author)

Original issue #982 was closed as a dupe of #320 which is still open.

@jpeach
Contributor

jpeach commented Jul 28, 2020

Original issue #982 was closed as a dupe of #320 which is still open.

These issues are for service custom error status pages. IIUC, that's not the problem you are describing here.

When requesting a non-existent wildcard URL Contour 1.3.0 returns a SSL error in the browser.

Can you please explain this more precisely? Is your config that you have a wildcard certificate for *.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>, but no HTTPProxy virtual host for prometheusdoestnotexist.<type>.<cluster>.<datacenter>.<platform>.<domain>.<suffix>? In this case, you get a TLS error rather than the HTTP error that you expected.

Is that right?

@moderation is this Contour 1.6.1 with a TLS fallback certificate enabled?
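To turn the observations in this thread into a repeatable check, here is an added probe (not code from the issue or from the Contour project) that connects with SNI set to the requested host, sends one HTTP/1.1 request, and labels the result as one of the outcomes seen in the report: an HTTP status (the NGINX 404), a reset (Contour 1.3.0) or a hang (Contour 1.6.1). The hostnames, the 5-second timeout and the use of HTTP/1.1 instead of h2 are assumptions.

```python
import socket
import ssl
import sys

PROBE_TIMEOUT = 5.0  # assumed; long enough to separate a hang from a slow backend


def parse_status_line(line: bytes) -> int:
    """Return the status code from a status line such as b'HTTP/1.1 404 Not Found\\r\\n'."""
    parts = line.decode("ascii", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])


def classify_failure(exc: BaseException) -> str:
    """Map a probe exception onto the behaviours reported in the issue."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "hang"        # Contour 1.6.1: TLS and ALPN succeed, then no response arrives
    if isinstance(exc, ConnectionResetError):
        return "reset"       # Contour 1.3.0: "connection reset by peer" / ERR_CONNECTION_RESET
    if isinstance(exc, ssl.SSLError):
        return "tls-error"   # handshake-level failure, e.g. no filter chain for the SNI name
    return "other"


def probe(host: str, port: int = 443, path: str = "/status", timeout: float = PROBE_TIMEOUT) -> str:
    """Connect with SNI=host, send one HTTP/1.1 GET and report the outcome as a short label."""
    ctx = ssl.create_default_context()  # verifies the wildcard cert, as curl did in the report
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(request.encode("ascii"))
                first_line = tls.makefile("rb").readline()
                if not first_line:
                    return "reset"  # peer closed the connection without sending any response
                return f"http-{parse_status_line(first_line)}"
    except OSError as exc:  # ssl.SSLError, ConnectionResetError and timeouts all derive from OSError
        return classify_failure(exc)


if __name__ == "__main__":
    # Usage: python probe.py prometheus.example.test prometheusdoesnotexist.example.test
    # (constructed hostnames; substitute one name the proxy routes and one it does not)
    for hostname in sys.argv[1:]:
        print(f"{hostname}: {probe(hostname)}")
```

Because the probe speaks HTTP/1.1, a hang that only appears after ALPN selects h2 may surface here as a reset or a timeout instead; either way the label is "no HTTP response", which is what distinguishes the proxy behaviour from the expected 404.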

@youngnick youngnick added the needsGrooming Needs additional information label Aug 4, 2020

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 11, 2024

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 15, 2024