PROXY Protocol and SNI do not work together #5116

Closed
sam-heilbron opened this issue Aug 5, 2021 · 1 comment
Labels: Size: L (1 - 2 weeks); Type: Bug (Something isn't working)


PROXY Protocol

https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol#config-listener-filters-proxy-protocol

https://www.haproxy.org/download/1.9/doc/proxy-protocol.txt

Background:

The PROXY protocol provides a convenient way to safely transport connection
information such as a client's address across multiple layers of NAT or TCP
proxies. It is designed to require little changes to existing components and
to limit the performance impact caused by the processing of the transported
information.

Important implementation detail:

In both cases, the protocol simply consists in an easily parsable header placed
by the connection initiator at the beginning of each connection. The protocol
is intentionally stateless in that it does not expect the sender to wait for
the receiver before sending the header, nor the receiver to send anything back.

TLS Inspector

https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/tls_inspector

TLS Inspector listener filter allows detecting whether the transport appears to be TLS or plaintext, and if it is TLS, it detects the Server Name Indication (SNI) and/or Application-Layer Protocol Negotiation (ALPN) from the client.

Problem Background

Envoy exposes a field use_proxy_proto (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchain). This field is deprecated and recommends that users add a PROXY protocol listener filter explicitly.

We rely on this field. The effect is that the PROXY protocol listener filter is appended to the filter chain. However, we need the PROXY protocol listener filter to be executed before the TLS inspector filter. Since the PROXY protocol adds bytes to the beginning of the connection, the SNI will not be parsed correctly if the PROXY protocol listener filter is not executed first. Without SNI matching, you would get the wrong certificate, and traffic would drop.

How To Reproduce The Problem

1. Create a Virtual Service with SNI
2. Turn on PROXY protocol

How To Fix The Problem

1. Add PROXY protocol as a listener filter
2. Ensure it is placed before the TLS inspector in the listener filters
3. Remove the usage of `use_proxy_proto`

Which Versions are Affected?

Only Gloo versions since we introduced the TLS inspector as a listener filter (#4188). This was added in Gloo 1.7.0 and Gloo Enterprise 1.7.0.
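As an added illustration of the ordering problem described above (example code written for this page, not Gloo's or Envoy's; both listener filters are simplified stand-ins, and the PROXY header line and hostname are constructed samples), the same byte stream yields no SNI when the inspector runs first, and the correct SNI once the PROXY header has been consumed first:

```python
import struct

# Constructed sample input: a PROXY protocol v1 header line (text form from the
# HAProxy spec linked above), followed by a TLS ClientHello built below.
PROXY_V1_HEADER = b"PROXY TCP4 192.0.2.10 198.51.100.7 51234 443\r\n"


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello record that carries one server_name extension."""
    host = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
    sni_ext = (struct.pack("!HH", 0, len(server_name) + 2)           # ext type 0, ext length
               + struct.pack("!H", len(server_name)) + server_name)  # ServerNameList
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # one compression method
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type ClientHello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Simplified TLS inspector: return the SNI if data begins with a ClientHello, else None."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None                                   # not TLS: inspector sees plaintext, no SNI
    pos = 5 + 4 + 2 + 32                              # skip record+handshake headers, version, random
    pos += 1 + data[pos]                              # session id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
    pos += 1 + data[pos]                              # compression methods
    end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if ext_type == 0:                             # server_name: list_len(2), type(1), len(2), name
            name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            return data[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None


def strip_proxy_v1(data: bytes) -> bytes:
    """Simplified PROXY protocol listener filter: consume the v1 header line if present."""
    if data.startswith(b"PROXY "):
        return data[data.index(b"\r\n") + 2:]
    return data


def inspect(stream: bytes, proxy_filter_first: bool):
    """Run the two filters in the given order and report the SNI the inspector would see."""
    return extract_sni(strip_proxy_v1(stream) if proxy_filter_first else stream)
```

With the inspector first, the stream begins with "PROXY ..." rather than a TLS record, so no SNI is found and the filter chain match falls back to the default certificate.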


sam-heilbron commented Aug 6, 2021

This fix has been released to branches v1.9.x, v1.8.x and v1.7.x of Gloo Edge OSS and Enterprise.
