You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Title: HTTP/2 CONNECT does not return CONNECT_ERROR on upstream RST
Description:
I've have a downstream proxy that tunnels TCP via HTTP/2 to a backend service. Envoy is in front of the service and provides an HTTP/2 endpoint which supports the CONNECT method. The backend (Envoy upstream) service sometimes shuts down a connection by sending a TCP RST. According to the HTTP/2 spec, "[a] proxy treats any error in the TCP connection, which includes receiving a TCP segment with the RST bit set, as a stream error [...] of type CONNECT_ERROR." While Envoy does send RST_STREAM, the error is NO_ERROR instead of CONNECT_ERROR.
The spec goes on to state that any error (stream or connection) must result in a TCP RST being sent to downstream clients, so I can work around this. However, I wanted to check if this was intended behavior.
Repro steps:
This is reproducible with Envoy v1.15.0 configured with support for HTTP/2 CONNECT as per https://github.com/envoyproxy/envoy/blob/master/configs/terminate_connect.v3.yaml (substituting the upstream socket_address as appropriate). My upstream service is MySQL. I can likely set up a more easily reproducible example if needed.
When the upstream service sends a TCP RST (in the case of MySQL, after there is no authentication within 10 seconds of connect by default), then Envoy will send RST_STREAM with NO_ERROR as the error. However, this error should be set to CONNECT_ERROR as per the spec.
Title: HTTP/2 CONNECT does not return CONNECT_ERROR on upstream RST
Description:
I've have a downstream proxy that tunnels TCP via HTTP/2 to a backend service. Envoy is in front of the service and provides an HTTP/2 endpoint which supports the CONNECT method. The backend (Envoy upstream) service sometimes shuts down a connection by sending a TCP RST. According to the HTTP/2 spec, "[a] proxy treats any error in the TCP connection, which includes receiving a TCP segment with the RST bit set, as a stream error [...] of type CONNECT_ERROR." While Envoy does send RST_STREAM, the error is NO_ERROR instead of CONNECT_ERROR.
The spec goes on to state that any error (stream or connection) must result in a TCP RST being sent to downstream clients, so I can work around this. However, I wanted to check if this was intended behavior.
Repro steps:
This is reproducible with Envoy v1.15.0 configured with support for HTTP/2 CONNECT as per https://github.com/envoyproxy/envoy/blob/master/configs/terminate_connect.v3.yaml (substituting the upstream
socket_address
as appropriate). My upstream service is MySQL. I can likely set up a more easily reproducible example if needed.When the upstream service sends a TCP RST (in the case of MySQL, after there is no authentication within 10 seconds of connect by default), then Envoy will send RST_STREAM with NO_ERROR as the error. However, this error should be set to CONNECT_ERROR as per the spec.
Config:
https://github.com/envoyproxy/envoy/blob/master/configs/terminate_connect.v3.yaml
Logs:
Logs indicate a success (200).
The text was updated successfully, but these errors were encountered: