Allow ALPN opt-out

Open guydc opened this issue 1 year ago • 0 comments

Description: Many proxies and Ingress Controllers have an option to opt out of ALPN:

  • Envoy: ALPN is disabled by default: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-commontlscontext
  • Nginx: ALPN is enabled only if HTTP2 is enabled: http://nginx.org/en/docs/http/ngx_http_v2_module.html
  • F5: ALPN is enabled if HTTP2 is enabled: https://my.f5.com/manage/s/article/K04412053
  • Emissary: ALPN is disabled by default: https://www.getambassador.io/docs/emissary/latest/topics/running/tls#alpn-protocols
  • Gloo Edge: ALPN can be explicitly disabled: https://docs.solo.io/gloo-edge/1.7.23/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/ssl.proto.sk/

Envoy Gateway enables ALPN by default and only allows users to change the supported protocol list. In some cases, default ALPN settings can create issues: #4456. For compatibility reasons with other projects and legacy clients, consider supporting ALPN opt-out in ClientTrafficPolicy.

guydc, Oct 16 '24 20:10