CONNECT support for HTTP/1.1 upstreams

[nhinds]

Description:

I attempted to configure the second scenario from #1451, where Envoy accepts a raw TCP connection and uses HTTP CONNECT to establish a tunnel through an upstream proxy. This currently works fine when the upstream proxy is also Envoy (e.g. connecting envoy --config-path configs/encapsulate_in_connect.v3.yaml --base-id 1 to envoy --config-path configs/terminate_connect.v3.yaml using the sample YAML files), as the Envoy proxies talk HTTP/2 to each other, but it does not work when the upstream proxy only supports HTTP/1.1 as mentioned on #1451:

Client --[plain HTTP]--> Envoy --[HTTP CONNECT]--> Upstream Proxy --[HTTPS]--> Server
We use some upstream non-envoy servers that only support HTTP/1 CONNECT, so HTTP/2 CONNECT wouldn't work for our use case.

It appears that removing http2_protocol_options from the cluster configuration is not sufficient to disable HTTP/2 when tunneling_config has been specified in the listener's TCP proxy filter. This matches the current .proto docs for TunnelingConfig:

Currently, only HTTP/2 is supported

Raising this as a separate feature request as it seems like the HTTP/2 support is working fine.

[mattklein123]

Yeah let's track this as an independent issue. I think either @alyssawilk or @lambdai are planning on implementing this but I'm not sure of the current thinking.

[alyssawilk]

@lambdai do folks on your end need this? AFIK @chradcliffe and co were interested too.

[froismo]

I'm interested in this feature.

[irozzo-1A]

I opened this issue #11569, which is related to this feature request. I would gladly propose my help to implement it.
Disclaimer, I have not lot of experience with C++ and Envoy code base so it may take some time, but I've plenty of motivation ;-). WDYT @alyssawilk @mattklein123 ?

[alyssawilk]

Feel free to give it a shot! It shouldn't be too bad with the HTTP/2 code and tests to model off of :-)

[irozzo-1A]

Ok thx I will give it a try. I will let you know if I encounter any issue.

[ggmm-0]

@irozzo-1A, is that in progress?

where Envoy accepts a raw TCP connection and uses HTTP CONNECT to establish a tunnel through an upstream proxy

I have a scenario where I'v got a plain HTTP request and I need to apply some path matching (HTTP Connection Manager), then route it to a cluster through upstream HTTPS (not Envoy) proxy.

It is basically a scenario similar to the one described by @chradcliffe:

Client --[plain HTTP]--> Envoy --[HTTP CONNECT]--> Upstream Proxy --[HTTPS]--> Server

It seems that tunneling_config is only for TCP proxy filter, not HTTP Connection Manager.

@alyssawilk
Am I right that the scenario above is currently not supported?

[irozzo-1A]

@irozzo-1A, is that in progress?

@grzegorz-mirek unfortunately I had to reshuffle my priorities and I did not manage to start working on this yet. I'm still interested on doing that but I cannot give an ETA right now. If you have urgency feel free to take it over.

[alyssawilk]

the config is connect_config on HCM, and tunneling config for TCP proxy.

but yeah, while you can "decap" HTTP/1 or HTTP/2 CONNECT requests into TCP, currently Envoy only "encapsulates" (instantiates CONNECT) for HTTP/2 so unless your upstream supports CONNECT-over-H2 (which Envoy does but many other servers do not) I don't think your use case will be supported until this issue is closed off as implemented.

[edits for correctness]

[chradcliffe]

Internally, we had an immediate requirement to inspect CONNECT-tunnelled traffic, but the solution we came up with isn't necessarily the best. We created an HTTP filter that pushes the CONNECT-tunnelled traffic into a Network::FilterManagerImpl that owns an "inner" HCM. We had to provide a Network::Connection implementation that forwards most of the calls to the real connection, which itself (sadly) requires a const_cast of the real connection.

I'm hoping that the work being done towards #11725 will be the better long-term solution -- I think it also means that we can also process TLS traffic carried by the CONNECT tunnel.

[alyssawilk]

I've been talking to @grzegorz-mirek about this and it turns out he needs to handle L7 HTTP, then encapsulate that in CONNECT, where previously we were talking about using the TCP proxy session to encapsulate CONNECT, which is a somewhat different thing.

I think the best way to do this long term would be to support TCP HTTP/1.1 CONNECT, then forward the normal upstream serialized HTTP traffic to a virtual TCP listener using the work @lambdai is doing. We'd have full CONNECT support for raw proxy more and HTTP/1 via L7, and it could do all the Envoy bells and whistles (say take the payload and wrap in TLS before encapsulating in the CONNECT)

Given that work isn't landed though, it may be worth an interim solution using a custom HTTP upstream (like http/http/upstream_request.cc) which serialized synthetic CONNECT headers before forwarding on [headers][body][data] so it would basically do [CONNECT][headers][body][data]. It would only work with raw HTTP/1.1 and we know we'd want to replace it. Just want to lay the options out here so we can weigh pros and cons.

[mattklein123]

I just synced up with @alyssawilk on this offline so I think I understand all the permutations now.

It's pretty ugly, but as a stopgap would looping back to a local TCP listener work for your use case? You would essentially use connect_config to loop back to local Envoy. On that listener, you can do whatever you want, and then initiate a CONNECT upstream. We would still need to implement HTTP/1.1 CONNECT for tunneling_config, but that seems like it wouldn't be that bad.

Later, the ugly loop back can be replaced with the internal listener work that @lambdai is doing as a perf optimization?