Connection header illegal in HTTP/2: connection

[dwilliams782]

What is the issue?

Some of our production services are dropping requests with:

inbound:server{port=<port>}: hyper::proto::h2: Connection header illegal in HTTP/2: connection

and on the outbound / source pods we see 504s along with:

linkerd_app_outbound::http::proxy_connection_close: Closing application connection for remote proxy error=connect timed out after 100ms

As I understand it, this means the proxy is receiving a request with the a connection header set, which is invalid in H2. The only real reference I can see to this is here: #1407 which suggests the proxy is supposed to drop headers that are invalid rather than failing the request.

As it stands, we are dropping production requests between two services, I know the source of the traffic thanks to Linkerd logging out the client IP, but it doesn't log the failed request so I don't know what is happening between the services to try and fix it. Debug logs and tap do not show it either.

Ideally proxy would not fail these requests, and just strip out the illegal headers. If it has to fail them, more information to help identify the requests would be great, such as logging the request headers / body.

How can it be reproduced?

Will confirm this. I suspect sending any http/1 request with a connection header to a meshed pod will trigger it.

Logs, error output, etc

INFO ThreadId(02) inbound:server{port=8080}:rescue{client.addr=10.133.71.3:59588}: linkerd_app_core::errors::respond: Request failed error=error trying to connect: connect timed out after 100ms error.sources=[connect timed out after 100ms]

WARN ThreadId(02) inbound:server{port=8080}: hyper::proto::h2: Connection header illegal in HTTP/2: connection

output of linkerd check -o short

Status check results are √

Environment

Kubernetes - v1.22.15-gke.100
Linkerd - 2.12.2

Possible solution

No response

Additional context

No response

Would you like to work on fixing this bug?

None

[hawkw]

Interesting...the outbound proxy definitely should be stripping any connection header set by the client or server when performing a meshed HTTP/2 upgrade.

@dwilliams782, just to clarify a bit here, are the client and server (not the proxies, but the application services) speaking HTTP/1.1? Or are they speaking HTTP/2 with each other?

[olix0r]

@hawkw I believe the application traffic is HTTP/1

I suspect sending any http/1 request with a connection header to a meshed pod will trigger it.

[hawkw]

Whoops, I missed that line in the issue, thanks!

There is a proxy integration test (https://github.com/linkerd/linkerd2-proxy/blob/main/linkerd/app/integration/src/tests/transparency.rs#L358-L401) which (in the proxy_to_proxy case) should be exercising this behavior.

it's possible that test is missing something, though. I'll try to reproduce this in a test cluster.

[dwilliams782]

Hi both,

Yes, it's http1.

With a combination of debug logs and access logs, I can't see any signs or indications that a connection header is present in these requests, yet we are still seeing the log entries.

We essentially have a service calling another service which calls external services over http(s), and sometimes these partners slow down / timeout. I suspect what is happening is there is no connection header and instead the external request is failing which Linkerd is incorrectly reporting as this error?

I increased the proxy timeouts from the defaults up to 2s and it made no difference. This doesn't make much sense to me though as even if the onwards requests are failing, we shouldn't see it timeout trying to establish a tcp connection.

On the source service, I still see:

INFO ThreadId(02) outbound:proxy{addr=<ip>:8080}: linkerd_app_outbound::http::proxy_connection_close: Closing application connection for remote proxy error=connect timed out after 2s

And on the target proxy:

INFO ThreadId(02) inbound:server{port=8080}:rescue{client.addr=<ip>:49778}: linkerd_app_core::errors::respond: Request failed error=error trying to connect: connect timed out after 2s error.sources=[connect timed out after 2s]

WARN ThreadId(03) inbound:server{port=8080}: hyper::proto::h2: Connection header illegal in HTTP/2: connection

Right now I can see the error happening in our production systems, I'd be happy to swap out the proxy briefly for a modified one with additional logging if it helps.

[hawkw]

Oh, I think I see what's going on. The proxy_connection_close middleware is closing the accepted connection from the remote proxy due to the local client connection due to the application timing out.

This middleware sets a connection: close header when the error response is HTTP/1: https://github.com/linkerd/linkerd2-proxy/blob/08b77610d331fb16f4d27ddbfbacba3d9887cf26/linkerd/app/outbound/src/http/proxy_connection_close.rs#L102-L109
However, the upstream connection is HTTP/2. So, the server rejects the generated error response due to the presence of this header.

[dwilliams782]

Yes, that makes sense. Do you think there is something to be done to at least make it more clear in the logs this is happening? or be able to modify the proxy to not fail in this case? Thanks for investigating!

[hawkw]

I believe this is a bug, and I think we ought to be able to fix it so that the proxy won't hit that error and will instead surface the downstream error (in this case, the timeout) to the upstream proxy.