.NET servers reject https gRPC requests terminated to plaintext by Envoy #7979

@jukie

Description:
This appears to be the same behavior reported in istio/istio#34448 and has to do with the way Envoy preserves :scheme.

When an application makes an https gRPC request to a .NET server behind an Istio proxy or gateway and Envoy terminates the request to plaintext, starting in 1.10 Envoy preserves :scheme as https. .NET sees the mismatch between the scheme and the fact that the request from Envoy is plaintext and raises an error, rejecting the request.

My org runs a lot of .NET services, and during the migration from ingress-nginx this has become an issue for gRPC services. I think we should expose the ability to configure SchemeHeaderTransformation in BackendTrafficPolicy so that users can configure this. Since SchemeHeaderTransformation is an HCM-level configuration, ClientTrafficPolicy is the right place to add this.

Repro steps:

  • Build a .NET backend with a gRPC listener
  • GRPCRoute with TLS termination at the gateway and plaintext upstream
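
For reference, the raw Envoy HCM setting the issue refers to, shown in a hand-written static Envoy config. This is an added example: it is not part of the issue and not output from Envoy Gateway. The listener port, certificate paths, cluster name and backend address are assumed placeholders.

```yaml
static_resources:
  listeners:
  - name: grpc_tls
    address: { socket_address: { address: 0.0.0.0, port_value: 8443 } }
    filter_chains:
    - transport_socket:            # TLS is terminated here, at the proxy
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            alpn_protocols: ["h2"]
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/tls/tls.crt }   # placeholder path
              private_key: { filename: /etc/envoy/tls/tls.key }         # placeholder path
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: grpc_ingress
          # Without this block the client's ":scheme: https" is forwarded unchanged
          # over the plaintext upstream hop; with it, the backend sees "http".
          scheme_header_transformation:
            scheme_to_overwrite: http
          route_config:
            virtual_hosts:
            - name: grpc
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: dotnet_grpc }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dotnet_grpc              # assumed name for the .NET gRPC backend
    type: STRICT_DNS
    connect_timeout: 1s
    # No transport_socket on the cluster: the upstream hop is plaintext HTTP/2 (h2c).
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: dotnet_grpc
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: dotnet-grpc.default.svc, port_value: 5000 } } }
```

Because the overwrite applies to every request on the listener, a backend that uses `:scheme` to decide redirects or secure-cookie behaviour will treat all of these requests as plaintext.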
