Cannot call https/tls upstream for grpc - wrong scheme header

[lukos]

Wrong scheme header sent to upstream grpc service

Description:
I understand that when using grpc, tls over http2 is preferred for performance reasons. I have setup an upstream grpc service for cluster discovery and this works with http2 and tls when called from a test client.

However, when it gets called from envoy, the grpc web service logs

The request :scheme header 'http' does not match the transport scheme 'https'

Which is correct because the service is https only. This error stops processing of the request.

I can see the following in the Envoy logs, which shows that despite being configured for https (as far as I can tell!), it is still sending the scheme header as http. If it is relevant, I don't have TLS enabled on the listeners, I am just trying to use it for the grpc service for CDS. I can't find any documentation that says that I can override the scheme in the configuration for the cluster.

[2021-04-30 15:55:05.297][1][debug][router] [source/common/router/router.cc:631] [C0][S7382542047916721558] router decoding headers:
':method', 'POST'
':path', '/envoy.service.cluster.v3.ClusterDiscoveryService/StreamClusters'
':authority', 'xds_cluster'
':scheme', 'http'
'te', 'trailers'
'content-type', 'application/grpc'
'x-envoy-internal', 'true'
'x-forwarded-for', '192.168.48.3'

Relevant part of the envoy.yaml file:

static_resources:
  clusters:
  - name: xds_cluster
    connect_timeout: 15s
    per_connection_buffer_limit_bytes: 32768 # 32 KiB
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options:
            connection_keepalive:
              interval: 30s
              timeout: 5s
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: manager.example.io
        common_tls_context:
          tls_certificates:
          - certificate_chain: { "filename": "/etc/ssl/certs/servercert.pem" }
            private_key: { "filename": "/etc/ssl/certs/serverkey.pem" }
          alpn_protocols:
            - h2
          validation_context:
            match_subject_alt_names:
            - suffix: "example.io"
            trusted_ca:
              filename: /etc/ssl/certs/ca-certificates.crt
    load_assignment:
      cluster_name: xds_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: manager.example.io
                port_value: 443

dynamic_resources:
  cds_config:
    resource_api_version: V3
    api_config_source:
      api_type: GRPC
      transport_api_version: V3
      grpc_services:
        - envoy_grpc:
            cluster_name: xds_cluster

[qinggniq]

cc @alyssawilk. might relate to #15321

[mattklein123]

See further discussion here: #14587 (comment). Definitely related.

[lukos]

There are a couple of differences between the complaint in the linked message and this bug 1) this problem is internal with the dynamic calls to xds, there is not downstream request at this point to match. 2) I am trying to use https internally, not switching https to http internally so I am already doing what the other poster suggested. at minimum it should be configurable but I guess it could also infer it from tls config to upstream. Like most proxies, x- headers are probably the correct way to pass the original scheme?

…

On Mon, May 3, 2021, at 4:11 AM, Matt Klein wrote: See further discussion here: #14587 (comment) <#14587 (comment)>. Definitely related. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#16255 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEN3GSWOQJUSZKOEFB65RTTLYH4LANCNFSM434UBSJA>.

[heatonmatthew]

This is a different scenario to my comment #14587 (comment). However, it's possible that the root cause is the same, namely that the :scheme header being used for outgoing calls from Envoy is now being set to the header from downstream (rather than matching the outgoing/upstream connection encryption level).

My theory is that, because there is no downstream in this case (i.e. because it is grpc for cluster discovery, not proxying any specific connection), the lack of a downstream :scheme header is being inferred to be HTTP and therefore set incorrectly. That seems to have been the original intention of #14587; ensuring that even for protocols like HTTP/1.1 which don't have a :scheme header, that one is inferred.

[alyssawilk]

The lack of downstream scheme is inferred as HTTP because the listener is not TLS. The whole point of the https scheme is to communicate that encryption is being used, and to verify the privacy and integrity of the data in transit. If you're sending in the clear to Envoy, it's not private and if Envoy has to infer scheme (which it does for H2) I believe http is correct. So I think this is the same issue and can be addressed with the same workaround, by explicitly telling Envoy to rewrite the scheme.

[lukos]

This breaks the principle of "Least surprise". If I setup a connection to use TLS, I would expect it to send the correct scheme header. Worst-case, I need to add a config item to tell it that my connection is https (but really should be inferred from TLS configuration).

Adding a rewrite filter is a horrible workaround to a non-obvious bug.

How it behaves with an downstream listener is a totally separate issue but where the connection is made from within Envoy and there is no downstream, scheme should either not be sent (might cause an issue with upstream, but could potentially add config property to add the scheme in) or it should be inferred from the TLS config (or not) of the upstream link. Especially in the case of grpc and http2, TLS is almost 100% required (even though I did not personally want to use it on an internal network).

[alyssawilk]

I agree that if you set up a TLS connection the scheme for connections originating over that connection should be https. I thought the case here was traffic coming in over the insecure listeners. Is is pure gRPC discovery requests originating at Envoy going out over the secure upstream? If so I agree that should be fixed.