http: websockets should interact with full http filter chain

[mikedanese]

Currently, the http connection manager immediately surrenders websocket requests to the websocket handler, bypassing all http_filters. This is problematic for API front proxies which need to terminate client TLS and pass authentication info in headers to upstream API servers. An Http::StreamDecoderFilter implementing such a proxy will not be called in the websocket handling code path, effectively disallowing TLS client auth on requests requiring websockets.

cc @rshriram @mattklein123

[mikedanese]

The websocket spec requires that the server responds with upgrade headers that pass the validation checked in isWebsocketUpgradeRequesrt:

Upgrade: websocket
Connection: Upgrade

A fairly general solution to this problem would be to defer handing off the connection to the websocket manager until after a successful response is received.

This would also allow recycling of http connections on failed upgrade requests to websocket handlers (e.g. when the upstream returns a 403 on a websocket upgrade request). Today, these failed connections need to be explicitly closed by the upstream.

[mattklein123]

@mikedanese the functionality change definitely makes sense to me. I think there are a few options here on how we could fix things. Unfortunately none of them are going to be easy.

1. Modify as you suggest so that we end up proxying the initial request all the way through to the router and back, and then do the hand off. There are some gotchas here that aren't immediately clear to me how to solve.
   a) Early data (this was fixed recently). I think the data would have to be held by the connection manager until the response is received.
   b) When the connection manager switches over to WS, the existing filters likely need to be destroyed. I generally have concerns about filters not being WS aware, and they may basically have to be reset to work properly (and then will that yield messed up stats, etc.). This in general makes me wonder if we need HTTP filters to actually be WS aware in some way.

2. Don't actually fully proxy the WS request to upstream, but allow filter iteration from the connection manager for WS requests. This would have to respect filter stop, deal with early data, and have all the same problems about filters being reset as (1), so it's probably about the same amount of work.

I will admit I don't have a very clear proposal right now without sitting down and doing some more thinking, so hopefully someone else can dig in and come up with a formal design proposal. @rshriram @ggreenway @alyssawilk for more comments.

[alyssawilk]

Matt, for b) were you thinking of handling the WS upgrade as a header only request/response, then handing off any data and the rest of the connection to the tcp proxy session as a "second request"? I think that could be done pretty cleanly but you're more familiar with the data plane than I am.

[mattklein123]

Matt, for b) were you thinking of handling the WS upgrade as a header only request/response, then handing off any data and the rest of the connection to the tcp proxy session as a "second request"? I think that could be done pretty cleanly but you're more familiar with the data plane than I am.

Yeah, I think this is exactly how it would have to work, and I think would be the cleanest solution. We can dispatch a "request" and then depending on the response, decide what to do from there inside the connection manager.

[rshriram]

One alternative is to add a new codec that supports the bare minimal websocket stuff framing. While http filters can be used with websockets, filters would typically see only the first req/resp and then the rest is opaque or even simply an extended decodeData()?

I haven’t revisited this in a while. But this was one initial line of thought.

[alyssawilk]

It'd be helpful to us if websocket ugrades traversing an H2 hop could have full header sanitation on the H2 hops and onData calls for the websocket payload (for say DoS byte accounting). I haven't looked at the websocket spec lately, but if we just allow pass-through of the upgrade header and make sure that bidirectional H2 works correctly, would this "Just Work"? Anyone object to allowing this as opposed to only supporting CONNECT style upgrades as suggested on #1630?

(obviously if we did this we'd need very clear documentation on the two modes of websocket: the "HTTP processing mode" and "TCP proxy handoff mode")

[PiotrSikora]

It'd be helpful to us if websocket ugrades traversing an H2 hop could have full header sanitation on the H2 hops and onData calls for the websocket payload (for say DoS byte accounting).

This is exactly what the "extended CONNECT method" suggested in #1630 does,
see: draft-ietf-httpbis-h2-websockets.

I haven't looked at the websocket spec lately, but if we just allow pass-through of the upgrade header and make sure that bidirectional H2 works correctly, would this "Just Work"?

No, because nghttp2 rejects requests with Upgrade header and responses with 101 status code.

But also, because you really want #1630 :)

[alyssawilk]

Ok, fair, maybe I do want #1630. I've filed nghttp2/nghttp2#1181 to see if we can get (or add) nghttp2 support for this.

That would leave us with H2 "websockets" being treated as HTTP for both header and data accounting and H1 being treated as HTTP for headers and TCP proxying for payload. Per 1) b) if I can sort out any bidi-HTTP/1 issues, would anyone object to at least having a configurable option for the HTTP/1.1 websockets for passing not just headers but also body through the HTTP filter chain rather than doing TCP proxy handoff? As Matt points out the filters need to be websocket-aware in any case, and I can't speak for others but given the current things we do onData (mostly byte counting to various data sinks) it's easier for us to apply existing HTTP filters to websocket payload than detach them and implement the same onData functions on the TCP side and it's nice to have things accounted for consistently.

[alyssawilk]

Also @ggreenway as he's been doing websocket changes and may have an opinion about adding more complex paths :-P

[ggreenway]

WebSockets is such an awkward thing to handle here. If we pass it through most of the http stack, you have to make all of those bits of the stack handle some non-http. If not all the filters support this, you'll have to carefully document which filters can be used with WebSockets. And we'll be adding complexity to all the filters that do handle WebSockets. If we don't go through the http code, we lose many of the benefits of WebSockets starting out as http.

I think I'd be more in favor of only handling the part of the data that really is http in the http-filters, to avoid complexity leaking into every filter. And then figure out some way to share the code, or at least make common the stats/accounting, for the bidirectional websocket data after the initial http handshake is complete.

[mattklein123]

@ggreenway that was my initial suggestion. I think if we do this the filters only see a header only request for the upgrade. That's all.

[ggreenway]

That seems reasonable. I don't think the code for http/1 WebSockets will be too bad. I think http/2 will be stranger because we can't drop to a TcpProxy; we'll still have to go through at the bottom part of the h2 stack.

[alyssawilk]

Yeah, that's precisely my concern. I'd started playing around with #1630 and I think we need some discussion of how we want to handle websockets in general in Envoy since I'd prefer we handle both paths consistently.

My assumption is if we went with an H2-H2 connect hop or H1-H2 websocket->CONNECT upgrade per #1630, the entire websocket payload would pass through the filters because that path is the only way we can send the data out through a single outbound H2 stream. If we went that route, each filter is going to have to handle websocket (and other CONNECT) payload anyway. I'd rather consistently pass things through onData for the current H1-H1 and the H2-H2 CONNECT->websocket downgrade (also per 1630) than have things handled significantly differently for H2 upstream and H1 upstream with the TCP proxy hand-off for one case and treating it like HTTP for the other.

The alternate is that we come up with some clever idea of how to jam a TCP proxy filter stack in the H2 path bridging the HttpConnectionManager directly to the H2 stream the router is writing to. Beyond not seeing a really clean way to do that, the TCP stack seems the wrong abstraction for this case. It's really not a standalone connection so for example doing idle timeouts if the stream stalls due to being preempted by higher priority streams (once we handle priorities) won't be correct.

For another way of looking at it, as TCP filters should support on[Raw]Data, HTTP filters should support onHeaders/on[HTTP]Data, and ideal websocket/connect filters should support onHeaders, on[Raw]Data. Right now we're bridging the two by trying to pass the headers through HTTP filters and data through TCP filters, but the data will have to pass through an HTTP onData for serialization H2 path regardless. Given this, maybe there's some clean way of making it clear if any HTTP filter is websocket-friendly and the HCM can just bypass any filter which should not apply?

Happy to schedule a quick chat over hangouts/zoom or we can discuss this on Tuesday if either would be easier.