Proxy returns 404 when HTTP connection is marked as opaque

[adleong]

What is the issue?

If a HTTP is sent to a port which is marked as opaque, the proxy returns a 404 response with no route found for request as the error, even if no Server resource is defined for that port.

How can it be reproduced?

1. Install Linkerd and inject emojivoto
2. Edit the deploy/web pod template to add the config.linkerd.io/opauqe-ports: "8080" annotation
3. Exec into another meshed pod kubectl -n emojivoto exec -it emoji-696d9d8f95-sg25b -c emoji-svc -- /bin/sh
4. Issue a curl request to web:

# curl -v web-svc.emojivoto.svc.cluster.local
[...]
*   Trying 10.96.92.112...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55fded8edf50)
* Connected to web-svc.emojivoto.svc.cluster.local (10.96.92.112) port 80 (#0)
> GET / HTTP/1.1
> Host: web-svc.emojivoto.svc.cluster.local
> User-Agent: curl/7.64.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< l5d-proxy-error: no route found for request
< date: Thu, 17 Nov 2022 22:53:06 GMT
< content-length: 0
< 

Logs, error output, etc

Proxy logs from the web (incoming) proxy:

[    34.704855s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct: linkerd_tls::server: Peeked bytes from TCP stream sz=0
[    34.704877s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct: linkerd_tls::server: Attempting to buffer TLS ClientHello after incomplete peek
[    34.704881s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct: linkerd_tls::server: Reading bytes from TCP stream buf.capacity=8192
[    34.704888s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct: linkerd_tls::server: Read bytes from TCP stream buf.len=288
[    34.706722s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct: linkerd_meshtls_rustls::server: Accepted TLS connection client.id=Some(ClientId(Name("default.emojivoto.serviceaccount.identity.linkerd.cluster.local"))) alpn=Some("transport.l5d.io/v1")
[    34.706828s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct: linkerd_transport_header::server: Read transport header header=TransportHeader { port: 8080, name: None, protocol: Some(Http2) }
[    34.706839s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct: linkerd_proxy_http::server: Creating HTTP service version=H2
[    34.708448s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct: linkerd_proxy_http::server: Handling as HTTP version=H2
[    34.709905s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct:http{v=h2}: linkerd_proxy_http::orig_proto: translating HTTP2 to orig-proto: "HTTP/1.1"
[    34.709985s]  INFO ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct:http{v=h2}:http{client.addr=10.244.125.138:51892 client.id="default.emojivoto.serviceaccount.identity.linkerd.cluster.local" timestamp=2022-11-17T22:48:04.342423441Z method="GET" uri=http://10.244.125.130/ version=HTTP/2.0 trace_id="" request_bytes="" user_agent="curl/7.64.0" host="10.244.125.130"}:rescue{client.addr=10.244.125.138:51892}: linkerd_app_core::errors::respond: Request failed error=no route found for request
[    34.710006s] DEBUG ThreadId(01) inbound:accept{client.addr=10.244.125.138:51892}:server{port=4143}:direct:http{v=h2}:http{client.addr=10.244.125.138:51892 client.id="default.emojivoto.serviceaccount.identity.linkerd.cluster.local" timestamp=2022-11-17T22:48:04.342423441Z method="GET" uri=http://10.244.125.130/ version=HTTP/2.0 trace_id="" request_bytes="" user_agent="curl/7.64.0" host="10.244.125.130"}: linkerd_app_core::errors::respond: Handling error on HTTP connection status=404 Not Found version=HTTP/2.0 close=false

output of linkerd check -o short

Status check results are √

Environment

kubectl version --short
Client Version: v1.24.3
Kustomize Version: v4.5.4
Server Version: v1.21.1

Possible solution

No response

Additional context

Notice that the inbound proxy is operating in "direct" mode because of the opaque ports annotation.

This issue was originally reported in #9811

Would you like to work on fixing this bug?

No response

[bjoernw]

Just hit this today. I keep incurring protocol detection delays and my hands are tied if I can't mark the port as opaque. Is there a workaround other than the extreme of skipping the port entirely?

[bjoernw]

I tried the latest edge version edge-23.1.1 and had the same problem as on 2.12.3

[hawkw]

Okay, I've figured out what's going on here, and written a proxy integration test that reproduces the issue. Here's an explanation of what's going on here, and some thoughts on how to fix it.

What's going on here, anyway?

This issue occurs because setting the config.linkerd.io/opaque-ports annotation on a workload results in a number of things happening.

When the annotation is set on a workload, this tells the Destination controller to include an opaque protocol hint when an outbound proxy discovers a destination that would send traffic to that endpoint, with the port included in the hint's opaque_port field. When the outbound proxy sends traffic to an endpoint that has this hint, it will connect directly to the inbound proxy's inbound listener port, rather than to the target port on that pod, and the outbound proxy will prefix data sent on that connection with a transport header protobuf message that contains the original target port, and an optional session protocol, if one is known. In this case, since the traffic is HTTP, the outbound proxy detects that it's HTTP, and includes an HTTP hint in its transport header.

However, adding the opaque-ports annotation doesn't just configure the service discovery that's returned to outbound proxies discovering that workload. It also causes the proxy-injector to add an environment variable LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION to the proxy container with that list of ports (see the proxy template. When this environment variable is set, the proxy sets a default ServerPolicy for these ports that disables protocol detection. When the proxy constructs these default policies, it changes the protocol for opaque ports from Detect (which may include an HTTPRoute) to Opaque (which does not include an HTTPRoute). When a policy does not have an HTTPRoute, the Gateway API spec requires that a 404 error be returned for HTTP traffic.

Normally, the lack of an HTTPRoute on these ports wouldn't be an issue, since we have disabled protocol detection, and should be treating HTTP as a raw opaque TCP stream. However, the presence of the transport header sent by the outbound proxy, which contains an explicit HTTP protocol hint, changes the inbound proxy's behavior from handling this traffic as a raw byte stream to handling it as HTTP. The inbound proxy handles this traffic as HTTP, and because there's no matching HTTPRoute, it returns a 404 error.

So, how do we fix this?

Well, fortunately, the parsing of inbound default ServerPolicies from an environment variable will likely be removed in Linkerd 2.13. So, once this behavior is removed from the proxy, we will just have to ensure that the policy controller returns a ServerPolicy that includes a default HTTPRoute on ports that are marked as opaque, while still disabling protocol detection on those ports.

However, it may also be desirable to fix this issue in a patch release of Linkerd 2.12.x. In that case, we might want to change the inbound proxy's behavior to treat an HTTP request on a port that has a default-opaque policy as though it has an HTTPRoute.

And, another thing...

An additional question here, though, is whether the behavior of the outbound proxy in this case is actually correct. This port is marked as opaque, so do we actually want the outbound proxy to be sending a transport header that tells the inbound proxy to handle the traffic as HTTP, just because it detected HTTP on the outbound side? The presence of a protocol hint in the transport header is primarily intended for use when the proxy is receiving a connection from a multicluster gateway, which should not be treated as opaque. But when the transport header is there to indicate the original target port of an opaque connection, do we really even want it to include an HTTP protocol hint?

On the other hand, the inbound proxy is still skipping its own protocol detection, and is instead relying on the outbound proxy's detected protocol. So, the question is: does the opaque-ports annotation just mean that we should not try to detect HTTP? Or does it mean that we should always be treating any connection on an opaque port as an opaque byte stream with no protocol awareness, even if another proxy just told us that it's actually HTTP?