http inspector filter is not filling `server_name`

Open dhiaayachi opened this issue 2 years ago • 5 comments

Title: http inspector filter is not filling server_name, which prevents using it in conjunction with filter_chain_match

Description:

When using the HTTP inspector listener filter, the server_name is not filled, which makes it impossible to match on server_name in a listener filter match.

Repro steps:

Use a config that has a listener filter `type.googleapis.com/envoy.extensions.filters.listener.http_inspector.v3.HttpInspector` and a filter chain match on a server_name. Send HTTP traffic with the right Host header. It will never match on the filter. The expected behaviour is to have the server_name filled by the HttpInspector the same way it's filled by the TLSInspector extension.

Note: It seems to be as trivial as parsing the Host/Authority header and adding it to the socket in here. Am I missing something? If it's that easy I can submit a PR to fix this.

dhiaayachi avatar Aug 08 '22 18:08 dhiaayachi

@dhiaayachi server_name refers to SNI in TLS and is populated by TlsInspector. HTTP inspector does not parse anything beyond the first line of HTTP requests.

kyessenov avatar Aug 08 '22 18:08 kyessenov

@kyessenov reading the comment about server_name, it says:

```
// If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
// a filter chain match. Those values will be compared against the server names of a new
// connection, when detected by one of the listener filters.
```

It gives SNI for TLS as an example and not necessarily the only supported protocol.

I see now that it only parses until the first header. Is there a reason not to change that to parse all the headers (up to a certain size) to retrieve the HOST/Authority header?

dhiaayachi avatar Aug 08 '22 18:08 dhiaayachi

@dhiaayachi That doesn't work because multiple requests can be on the same connection (e.g. multiplexed streams in HTTP/2).

kyessenov avatar Aug 08 '22 18:08 kyessenov

I'm new to envoy so I'm probably understanding this wrong.

I thought that the http inspector filter is executed for every request before the filter chain match. From what you're saying I understand it's not, and is executed only once for every connection. Is that right?

dhiaayachi avatar Aug 08 '22 19:08 dhiaayachi

Yes, listener filters are executed once per connection before the listener parses the bytes on that connection.

kyessenov avatar Aug 08 '22 19:08 kyessenov
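Added illustration, not part of the thread and not Envoy code: it shows why a Host-based choice made once per connection, as discussed above, would misapply to later requests on a kept-alive connection, while a per-request choice does not. All function, host and chain names are assumptions, and the sample bytes are constructed.

```python
# Added illustration; not Envoy code. All names below are hypothetical.

def split_requests(stream: bytes):
    """Split a keep-alive HTTP/1.1 byte stream into (request_line, headers) pairs.

    Assumes bodies, if any, are sized by Content-Length (no chunked encoding).
    """
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete request head; stop parsing
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get("content-length", "0"))
        requests.append((lines[0], headers))
        stream = rest[body_len:]  # skip the body, continue with the next request
    return requests


def per_connection_choice(stream, chains, default="default"):
    """Hypothetical listener-filter behaviour: choose once, from the first Host."""
    reqs = split_requests(stream)
    first_host = reqs[0][1].get("host", "") if reqs else ""
    chain = chains.get(first_host, default)
    return [chain for _ in reqs]  # every later request inherits the first choice


def per_request_choice(stream, chains, default="default"):
    """Per-request matching on Host, evaluated separately for each request."""
    return [chains.get(h.get("host", ""), default)
            for _, h in split_requests(stream)]


# Constructed sample: one TCP connection carrying two requests for two hosts.
CONNECTION = (
    b"GET /status HTTP/1.1\r\nHost: a.example.com\r\n\r\n"
    b"POST /items HTTP/1.1\r\nHost: b.example.com\r\n"
    b"Content-Length: 4\r\n\r\nx=1\n"
)
CHAINS = {"a.example.com": "chain_a", "b.example.com": "chain_b"}

if __name__ == "__main__":
    print("per connection:", per_connection_choice(CONNECTION, CHAINS))
    print("per request:   ", per_request_choice(CONNECTION, CHAINS))
```

The second request is addressed to `b.example.com`, yet the per-connection choice still handles it with the chain selected for `a.example.com`.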

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] avatar Sep 07 '22 20:09 github-actions[bot]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

github-actions[bot] avatar Sep 14 '22 20:09 github-actions[bot]