HTTP/2 CONNECT does not return CONNECT_ERROR on upstream RST

[mhoran]

Title: HTTP/2 CONNECT does not return CONNECT_ERROR on upstream RST

Description:
I've have a downstream proxy that tunnels TCP via HTTP/2 to a backend service. Envoy is in front of the service and provides an HTTP/2 endpoint which supports the CONNECT method. The backend (Envoy upstream) service sometimes shuts down a connection by sending a TCP RST. According to the HTTP/2 spec, "[a] proxy treats any error in the TCP connection, which includes receiving a TCP segment with the RST bit set, as a stream error [...] of type CONNECT_ERROR." While Envoy does send RST_STREAM, the error is NO_ERROR instead of CONNECT_ERROR.

The spec goes on to state that any error (stream or connection) must result in a TCP RST being sent to downstream clients, so I can work around this. However, I wanted to check if this was intended behavior.

Repro steps:
This is reproducible with Envoy v1.15.0 configured with support for HTTP/2 CONNECT as per https://github.com/envoyproxy/envoy/blob/master/configs/terminate_connect.v3.yaml (substituting the upstream socket_address as appropriate). My upstream service is MySQL. I can likely set up a more easily reproducible example if needed.

When the upstream service sends a TCP RST (in the case of MySQL, after there is no authentication within 10 seconds of connect by default), then Envoy will send RST_STREAM with NO_ERROR as the error. However, this error should be set to CONNECT_ERROR as per the spec.

Config:
https://github.com/envoyproxy/envoy/blob/master/configs/terminate_connect.v3.yaml

Logs:
Logs indicate a success (200).

[mattklein123]

Thanks for raising this. Agreed this is a bug and we can fix. cc @alyssawilk