3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-11 23:32:45 +02:00
Code Issues Projects Releases Packages Wiki Activity

envoy: support http2 prior knowledge for insecure upstream targets (#5205)

Browse source 
This allows using the scheme 'h2c' to indicate http2 prior knowledge for
insecure upstream servers. This can be used to perform TLS termination for
GRPC servers configured with insecure credentials.

As an example, this allows the following route configuration:

routes:
  - from: https://grpc.localhost.pomerium.io
    to: h2c://localhost:9090
This commit is contained in:
Joe Kralicky 2024-08-13 13:40:44 -04:00 committed by GitHub
parent 554e77bc7c
commit e3e7de741c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 224 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

25
config/envoyconfig/protocols.go
View file

@ -54,6 +54,7 @@ var http2ProtocolOptions = &envoy_config_core_v3.Http2ProtocolOptions{
InitialStreamWindowSize: wrapperspb.UInt32(initialStreamWindowSizeLimit),
InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
}
var http2ProtocolOptionsWithKeepalive = WithKeepalive(http2ProtocolOptions)
func WithKeepalive(src *envoy_config_core_v3.Http2ProtocolOptions) *envoy_config_core_v3.Http2ProtocolOptions {
dst := proto.Clone(src).(*envoy_config_core_v3.Http2ProtocolOptions)
@ -81,12 +82,12 @@ func buildUpstreamProtocolOptions(
upstreamProtocol upstreamProtocolConfig,
keepalive Keepalive,
) *envoy_extensions_upstreams_http_v3.HttpProtocolOptions {
h2opt := http2ProtocolOptions
if keepalive {
h2opt = http2ProtocolOptionsWithKeepalive
}
switch upstreamProtocol {
case upstreamProtocolHTTP2:
h2opt := http2ProtocolOptions
if keepalive {
h2opt = WithKeepalive(http2ProtocolOptions)
}
// when explicitly configured, force HTTP/2
return &envoy_extensions_upstreams_http_v3.HttpProtocolOptions{
UpstreamProtocolOptions: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_{
@ -99,10 +100,12 @@ func buildUpstreamProtocolOptions(
}
case upstreamProtocolAuto:
// when using TLS use ALPN auto config
tlsCount := 0
var tlsCount, h2cCount int
for _, e := range endpoints {
if e.transportSocket != nil {
tlsCount++
} else if e.url.Scheme == "h2c" {
h2cCount++
}
}
if tlsCount > 0 && tlsCount == len(endpoints) {
@ -110,7 +113,17 @@ func buildUpstreamProtocolOptions(
UpstreamProtocolOptions: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_AutoConfig{
AutoConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_AutoHttpConfig{
HttpProtocolOptions: http1ProtocolOptions,
Http2ProtocolOptions: http2ProtocolOptions,
Http2ProtocolOptions: h2opt,
},
},
}
} else if h2cCount > 0 && h2cCount == len(endpoints) {
return &envoy_extensions_upstreams_http_v3.HttpProtocolOptions{
UpstreamProtocolOptions: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_{
ExplicitHttpConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig{
ProtocolConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_Http2ProtocolOptions{
Http2ProtocolOptions: h2opt,
},
},
},
}