http: switching from XFP to scheme

[alyssawilk]

Corrects all Envoy uses of ForwardedProto which actually want request URI over to :scheme

As a reminder, XFP indicates the encryption of the (original) downstream connection where :scheme is part of the URI and the resource requested. It's legal (though unusual) to request http:// urls over a TLS connection for HTTP/2. It's possible (if ill advised) to have an internal mesh forwarding https schemed requests in the clear.

Current uses of X-Forwarded-Proto are

1. in the HCM, clearing XFP from untrusted users (unchanged)
2. in the HCM, setting absent XFP based on downstream transport security (unchanged)
3. in the HCM setting absent :scheme to XFP (unchanged)
4. in buildOriginalUri, changing from using XFP to scheme (changed. new URIs should be based on original URIs not on transport security.
5. in the router, clearing default port based on XFP (unchanged)
6. in the router serving redirect URLs based on scheme (changed - used to be XFP but is now based on the scheme of the original URI)
7. in the router, applying SSL route redirect based on XFP (unchanged)
8. in the router, using :scheme for internal redirect url checks (changed - used to use XFP. new URIs should be based on original URI)
9. in the cache filter, using :scheme to serve content (changed we used to serve based on XFP but if http://foo.com/ differs from https://foo.com and the http version is requested over a TLS connection the http response should be served)
10. in oath2 serving redirect URLs based on scheme (changed this used to be based on SFP but URLs should be based on original URL scheme)

Risk Level: High
Testing: updated tests
Docs Changes: inline
Release Notes: inline
Runtime guard: envoy.reloadable_features.correct_scheme_and_xfp
Fixes #14587

[mattklein123]

Thanks for tackling this really tough set of changes. A few high level comments.

1. I would appreciate it if you could split out the rename from the other changes, since I think it would make the tricky stuff easier to review?
2. In terms of documentation, here is what I would recommend:
   1. Potential changes to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html#scheme
   2. Maybe a new HTTP FAQ section with a new entry on scheme/XFP handling?
   3. Maybe a new section here on scheme handling? https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http (FAQ and arch overview can cross link as you see fit.)

/wait

[mattklein123]

What are the cases in which scheme is not but XFP is set? I thought we should always set scheme now early on in the request lifecycle if it's not otherwise set? Can you add more comments?

[alyssawilk]

They're always set at the same point in the HCM so will only be absent with buggy filters.
I can remove the failover here and there and let folks with buggy filters get buggy behavior :-P

[mattklein123]

Not sure if this is worth co-locating with Utility::getScheme for comment clarity? At first glance I thought it was the same vs. the inverse.

[alyssawilk]

removed

[mattklein123]

The original intent here (from a very long time ago) was definitely to force TLS, not force the scheme. So I think this is probably correct?

[alyssawilk]

yeah the only weirdness is then if you have an https:// request in cleartext would you then not serve a redirect to https://foo.com and functionally end up in a redirect loop?

[mattklein123]

OK this answers my question above. Maybe just move those functions to next to each other and put this comment in each one?

[mattklein123]

This is hurting my brain (should have done this earlier in the day). How come this case isn't using the scheme header if we are preserving downstream scheme? More comments?

[mattklein123]

nit: not sure what would be better, but making this a bit more descriptive would be good.

[mattklein123]

Thanks this LGTM. Can you merge main?

/wait

[alyssawilk]

merged, but alas needs a merge stamp

[mattklein123]

🤞