when proxying gRPC, Kong does not set the HTTP2 :authority header #6236

Closed
mflendrich opened this issue Aug 17, 2020 · 7 comments

@mflendrich

Summary

When proxying gRPC requests, Kong sets the Host header of an outgoing request but not the :authority header.

To me, this is incorrect behavior, because:

  • per RFC 7540 section 8.1.2.3:

    Clients that generate HTTP/2 requests directly SHOULD use the ":authority" pseudo-header field instead of the Host header field.

    and gRPC requests can be considered "directly generated HTTP/2 requests";

  • at least some upstream gRPC applications that rely on the :authority header to perform host-based request routing fail to route such requests (for example Istio 1.7.0-rc.1 where routing is performed by Envoy)

Expected behavior: Kong setting :authority on gRPC requests to the upstream servers. Possibly this should extend to all HTTP/2 requests.

Steps To Reproduce

  1. Run an nginx with debug logging as a dummy upstream gRPC server:

    sudo docker run --rm -it --name nginx -v $PWD/nginx.conf:/etc/nginx/nginx.conf:ro nginx:1.19.2 nginx-debug

    nginx.conf:

    worker_processes 1;
    daemon off;

    events {
        use                 epoll;
        worker_connections  128;
    }

    http {
        log_format debug_format '$remote_addr - $remote_user [$time_local] '
                                '"$request" $status $body_bytes_sent '
                                '"$http_referer" "$http_user_agent" host "$host" hosthdr "$http_host"';
        access_log /dev/stdout debug_format;
        error_log /dev/stdout debug;
        server {
            listen        8080 http2;

            location      / {
                root      /data;
            }
        }
    }
    
  2. Run kong 2.1.2 with the following config:

    kong.conf

    database=off
    daemon=off
    declarative_config=kong.yml
    
    proxy_listen=0.0.0.0:9080 http2

    kong.yml

    _format_version: "2.1"
    _transform: true
    services:
    - name: grpc
      protocol: grpc
      host: 172.17.0.2 # this is the IP address of the nginx docker container
      port: 8080
      routes:
      - name: catch-all
        paths:
        - /
        protocols:
        - grpc

  3. Make a gRPC request to Kong:

    grpcurl -v -plaintext -d '{}' 127.0.0.1:9080 proto.SomeService.ListSomething
    
  4. Observe in nginx logs (grep for http2 header:) that there is no :authority header but there is host:

    got:

    2020/08/17 13:52:41 [debug] 28#28: *2 http2 header: "host: 172.17.0.2"
    

    expected but did not get:

    2020/08/17 13:52:41 [debug] 28#28: *2 http2 header: ":authority: 172.17.0.2"
    

Additional Details & Logs

@bungle
Member

bungle commented Aug 19, 2020

@gszr do you remember why we added:

grpc_set_header      Host               $upstream_host;

This will then not add :authority. I am not sure if this is a problem, but removing that could perhaps prevent some of the Kong features from working. I am not sure whether you can set pseudo-headers with grpc_set_header, do you recall @gszr?

@gszr
Member

gszr commented Aug 19, 2020

I do not recall, unfortunately. I started looking into this yesterday, but did not finish. By removing the Host header, I faced a different issue. Let's create a task to look deeper into this.

@bungle
Member

bungle commented Aug 19, 2020

Sure. Just as a note Nginx ingress just removed the host:
kubernetes/ingress-nginx@d7b213d

@dndx
Member

dndx commented Aug 24, 2020

Digging deeper into the above commit from @bungle reveals kubernetes/ingress-nginx#3706 (comment).

I think it was done intentionally when we developed the gRPC proxy feature as well. Maybe we can add a comment in the template file so as to avoid further confusion on this.

@mflendrich
Author

What is the current status of this issue?

@gszr
Member

gszr commented Sep 3, 2020

Hi @mflendrich,

@dndx and I have looked at it and due to how Nginx handles pseudo-headers, it is not currently possible to modify it from Kong using the APIs we have available. An Nginx patch will be required. We have a task planned to work on this. For the time being, there are no workarounds.

@gszr
Member

gszr commented Jan 15, 2021

Fixed by #6603

@gszr gszr closed this as completed Jan 15, 2021
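
A checker for step 4 of the reproduction, added here as an example and not part of the issue or of Kong: it reads nginx debug-log lines in the format quoted in the issue and reports, per request, whether the upstream saw `:authority`, only `host`, or both. The sample lines are constructed, and the rule for splitting several requests on one connection (a pseudo-header after a regular field starts the next request) is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the debug-log format quoted in step 4.
SAMPLE_LOG = '''\
2020/08/17 13:52:41 [debug] 28#28: *2 http2 header: ":method: POST"
2020/08/17 13:52:41 [debug] 28#28: *2 http2 header: "host: 172.17.0.2"
2020/08/17 13:52:42 [debug] 28#28: *3 http2 header: ":method: POST"
2020/08/17 13:52:42 [debug] 28#28: *3 http2 header: ":authority: 172.17.0.2"
2020/08/17 13:52:43 [debug] 28#28: *4 http2 header: ":authority: grpc.example.test"
2020/08/17 13:52:43 [debug] 28#28: *4 http2 header: "host: 172.17.0.2"
'''

HEADER_RE = re.compile(r'\*(\d+) http2 header: "(:?[^:"]+): ([^"]*)"')

def header_blocks(log_text):
    """Yield (connection_id, headers) for each request header block."""
    current = {}                       # connection id -> block being read
    seen_regular = defaultdict(bool)   # connection id -> regular field seen
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        conn, name, value = m.groups()
        pseudo = name.startswith(":")
        # RFC 7540 8.1.2.1 puts pseudo-headers before regular fields, so a
        # pseudo-header after a regular field starts the next request.
        if pseudo and seen_regular[conn]:
            yield conn, current.pop(conn)
            seen_regular[conn] = False
        current.setdefault(conn, {})[name.lower()] = value
        seen_regular[conn] = seen_regular[conn] or not pseudo
    yield from current.items()

def classify(headers):
    """Say which field an upstream could use for host-based routing."""
    authority, host = headers.get(":authority"), headers.get("host")
    if authority is None:
        return "host-only" if host is not None else "neither"
    if host is None:
        return "authority-only"
    return "both-match" if authority.lower() == host.lower() else "both-mismatch"

def audit(log_text):
    return [(conn, classify(h)) for conn, h in header_blocks(log_text)]

if __name__ == "__main__":
    for conn, verdict in audit(SAMPLE_LOG):
        print(f"connection *{conn}: {verdict}")
```

A `host-only` verdict is the behavior reported in this issue; `both-mismatch` marks a request where the two fields name different hosts.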