Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

http: using CONNECT_ERROR for HTTP/2 #13519

Merged
merged 2 commits into from
Oct 13, 2020
Merged

http: using CONNECT_ERROR for HTTP/2 #13519

merged 2 commits into from
Oct 13, 2020

Conversation

alyssawilk
Copy link
Contributor

@alyssawilk alyssawilk commented Oct 12, 2020
edited
Loading

Commit Message: http: using CONNECT_ERROR for HTTP/2
Risk Level: Low (changing rst code on the wire)
Testing: new unit, integration tests
Docs Changes: n/a
Release Notes: inline
Fixes #13055

@alyssawilk
http: using CONNECT_ERROR for HTTP/1
b8b1d45 
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
mattklein123
mattklein123 requested changes Oct 13, 2020
View reviewed changes
Copy link
Member

@mattklein123 mattklein123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, LGTM with small comment.

/wait

source/common/http/conn_manager_impl.cc
// Per https://tools.ietf.org/html/rfc7540#section-8.3 if there was an error
// with the TCP connection during a CONNECT request, it should be
// communicated via CONNECT_ERROR
if (requestWasConnect(stream.request_headers_, codec_->protocol()) &&
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a vague sense that we do many header type checks to see if something is a connect request. Would it be better for perf if did this check once and stored this somewhere? Not a big deal but maybe something to think about in a follow up.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do, but this case is quite special as most are looking at HTTP/1 style CONNECT requests (HTTP/1 connect and HTTP/2 CONNECTs-excluding-upgrades) and this particular one is doing all CONNECT methods (including HTTP/2 upgrades)

source/common/http/http2/codec_impl.cc Outdated
@@ -984,6 +993,9 @@ int ConnectionImpl::onStreamClose(int32_t stream_id, uint32_t error_code) {
if (error_code == NGHTTP2_REFUSED_STREAM) {
reason = StreamResetReason::RemoteRefusedStreamReset;
stream->setDetails(Http2ResponseCodeDetails::get().remote_refused);
} else if (error_code == NGHTTP2_CONNECT_ERROR) {
reason = StreamResetReason::ConnectError;
stream->setDetails(Http2ResponseCodeDetails::get().remote_reset);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use a different details string here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

eh, I think it's not worth the detail here (I only split out the reason because otherwise it was impossible to unit test) but I will restructure the code so we only setDetails with it once as a matter of principle :-)

@alyssawilk
details once
7bbd137 
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
mattklein123
mattklein123 approved these changes Oct 13, 2020
View reviewed changes
Copy link
Member

@mattklein123 mattklein123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@mattklein123 mattklein123 merged commit cfaefef into envoyproxy:master Oct 13, 2020
mpuncel added a commit to mpuncel/envoy that referenced this pull request Oct 14, 2020
@mpuncel
Merge branch 'master' into mpuncel/secret-hc-sequence
ef3dbab 
* master: (22 commits)
  http: using CONNECT_ERROR for HTTP/2 (envoyproxy#13519)
  listener: respect address.pipe.mode (it didn't work) (envoyproxy#13493)
  examples: Fix more deprecations/warnings in configs (envoyproxy#13529)
  overload: tcp connection refusal overload action (envoyproxy#13311)
  tcp: towards pluggable upstreams (envoyproxy#13331)
  conn_pool: fixing comments (envoyproxy#13520)
  Prevent SEGFAULT when disabling listener (envoyproxy#13515)
  Convert overload manager config literals to YAML (envoyproxy#13518)
  Fix runtime feature variable name (envoyproxy#13533)
  dependencies: refactor repository location schema utils, cleanups. (envoyproxy#13452)
  router:  fix an invalid ASSERT when encoding metadata frames in the router. (envoyproxy#13511)
  http2: Proactively disconnect connections flooded when resetting stream (envoyproxy#13482)
  ci use azp to sync filter example (envoyproxy#13501)
  mongo_proxy: support configurable command list for metrics (envoyproxy#13494)
  http local rate limit: note token bucket is shared (envoyproxy#13525)
  wasm/extensions: Wasm extension policy. (envoyproxy#13526)
  http: removing envoy.reloadable_features.http1_flood_protection (envoyproxy#13508)
  build: update ppc64le CI build status shield (envoyproxy#13521)
  dependencies: enforce dependency shepherd sign-off via RepoKitteh. (envoyproxy#13522)
  Add no_traffic_healthy_interval (envoyproxy#13336)
  ...

Signed-off-by: Michael Puncel <mpuncel@squareup.com>
@alyssawilk alyssawilk deleted the connect branch June 10, 2021 13:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattklein123 mattklein123 mattklein123 approved these changes

Assignees

@mattklein123 mattklein123

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

HTTP/2 CONNECT does not return CONNECT_ERROR on upstream RST
2 participants
@alyssawilk @mattklein123