contour icon indicating copy to clipboard operation
contour copied to clipboard

Published 20 hours ago verified publisher icon projectcontour

Add ability to optionally disable gRPC-Web filter

Open sunjayBhatia opened this issue 3 years ago • 25 comments

Currently Contour configures all HTTP Connection Manager filter chains with the gRPC-Web filter which means that Envoy attempts to proxy/translate any gRPC traffic over HTTP/1.1 as actual gRPC (converted to HTTP/2 etc.).

However, as we can see in this issue some applications explicitly do not want a proxy to translate gRPC-Web traffic and would rather it is left as-is.

The general feature request from the linked issue is to optionally disable the gRPC-Web filter.

However, given how Contour constructs filter chains this is a little tricky. There is only one filter chain for all HTTP virtualhosts, whereas for HTTPS there is a HTTP Connection Manager/filter chain for each HTTPS virtualhost (and a catchall for requests with no TLS SNI).

It may be possible to per-TLS enabled Ingress/HTTPProxy disable the gRPC-Web filter, but for plain HTTP it is not. We would likely rather have to have a global toggle. This may or may not be desirable in a multi-tenant environment where Contour provides ingress capabilities for many applications. If it is a global configuration the operator of Contour opts into this may be a feasible solution. Also adding a per-TLS vhost toggle may be overkill if we implement that, but that is up for debate. Only implementing a per-vhost toggle doesn't sound like a full solution, but that is also up for debate.

The still-alpha Envoy matching APIs may offer a way out of this. These would enable us to skip the gRPC-Web filter if for example requests contained a certain header, or some other attribute. However, of course this feature is still alpha (as of this issue creation).

Links:

  • Contour default filters: https://github.com/projectcontour/contour/blob/dbaa2a6f89acf714ed42e0904d455d2696abba38/internal/envoy/v3/listener.go#L245-L252
  • Envoy gPRC protocol docs: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_protocols/grpc
  • Envoy matching API: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/matching/matching_api

sunjayBhatia avatar Jan 21 '22 21:01 sunjayBhatia