http: adding CONNECT example configs and improving docs (#11066)

Risk Level: n/a
Testing: n/a
Docs Changes: connect docs improved
Release Notes: n/a
Part of #1451 and #1630

Signed-off-by: Alyssa Wilk <[email protected]>

configs/configgen.py

@@ -134,3 +134,6 @@ def generate_config(template_path, template, output_file, **context):
 
 for google_ext in ['v2.yaml']:
   shutil.copy(os.path.join(SCRIPT_DIR, 'google_com_proxy.%s' % google_ext), OUT_DIR)
+
+shutil.copy(os.path.join(SCRIPT_DIR, 'encapsulate_in_connect.v3.yaml'), OUT_DIR)
+shutil.copy(os.path.join(SCRIPT_DIR, 'terminate_connect.v3.yaml'), OUT_DIR)

configs/encapsulate_in_connect.v3.yaml

@@ -0,0 +1,38 @@
+admin:
+  access_log_path: /tmp/admin_access.log
+  address:
+    socket_address:
+      protocol: TCP
+      address: 127.0.0.1
+      port_value: 9903
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        protocol: TCP
+        address: 127.0.0.1
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: tcp
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          stat_prefix: tcp_stats
+          cluster: "cluster_0"
+          tunneling_config:
+            hostname: host.com
+  clusters:
+    - name: cluster_0
+      connect_timeout: 5s
+      http2_protocol_options:
+        {}
+      load_assignment:
+        cluster_name: cluster_0
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: 127.0.0.1
+                      port_value: 10001

configs/terminate_connect.v3.yaml

@@ -0,0 +1,64 @@
+admin:
+  access_log_path: /tmp/admin_access.log
+  address:
+    socket_address:
+      protocol: TCP
+      address: 127.0.0.1
+      port_value: 9902
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        protocol: TCP
+        address: 127.0.0.1
+        port_value: 10001
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains:
+                - "*"
+              routes:
+                - match:
+                    connect_matcher:
+                      {}
+                  route:
+                    cluster: service_google
+                    upgrade_configs:
+                      - upgrade_type: CONNECT
+                        connect_config:
+                          {}
+          http_filters:
+          - name: envoy.filters.http.router
+          http2_protocol_options:
+            allow_connect: true
+          upgrade_configs:
+            - upgrade_type: CONNECT
+  clusters:
+  - name: service_google
+    connect_timeout: 0.25s
+    type: LOGICAL_DNS
+    # Comment out the following line to test on v6 networks
+    dns_lookup_family: V4_ONLY
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: service_google
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: www.google.com
+                port_value: 443
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        sni: www.google.com

docs/root/intro/arch_overview/http/upgrades.rst

@@ -89,3 +89,17 @@ upgrade requests or responses with bodies.
 .. This mode of CONNECT support can create major security holes if configured correctly, as the upstream
 .. will be forwarded *unsanitized* headers if they are in the body payload. Please use with caution
 
+.. Tunneling TCP over HTTP/2
+.. ^^^^^^^^^^^^^^^^^^^^^^^^^
+.. Envoy also has support for transforming raw TCP into HTTP/2 CONNECT requests. This can be used to
+.. proxy multiplexed TCP over pre-warmed secure connections and amortize the cost of any TLS handshake.
+.. An example set up proxying SMTP would look something like this
+..
+.. [SMTP Upstream] --- raw SMTP --- [L2 Envoy]  --- SMTP tunneled over HTTP/2  --- [L1 Envoy]  --- raw SMTP  --- [Client]
+..
+.. Examples of such a set up can be found in the Envoy example config `directory <https://github.com/envoyproxy/envoy/tree/master/configs/>`
+.. If you run `bazel-bin/source/exe/envoy-static --config-path configs/encapsulate_in_connect.yaml --base-id 1`
+.. and `bazel-bin/source/exe/envoy-static --config-path  configs/terminate_connect.yaml`
+.. you will be running two Envoys, the first listening for TCP traffic on port 10000 and encapsulating it in an HTTP/2
+.. CONNECT request, and the second listening for HTTP/2 on 10001, stripping the CONNECT headers, and forwarding the
+.. original TCP upstream, in this case to google.com.

test/config_test/config_test.cc

@@ -168,6 +168,8 @@ uint32_t run(const std::string& directory) {
     ENVOY_LOG_MISC(info, "testing {}.\n", filename);
     OptionsImpl options(
         Envoy::Server::createTestOptionsImpl(filename, "", Network::Address::IpVersion::v6));
+    // Avoid contention issues with other tests over the hot restart domain socket.
+    options.setHotRestartDisabled(true);
     ConfigTest test1(options);
     envoy::config::bootstrap::v3::Bootstrap bootstrap;
     Server::InstanceUtil::loadBootstrapConfig(bootstrap, options,

test/config_test/example_configs_test.cc

@@ -21,9 +21,9 @@ TEST(ExampleConfigsTest, All) {
 
 #ifdef __APPLE__
   // freebind/freebind.yaml is not supported on macOS and disabled via Bazel.
-  EXPECT_EQ(21UL, ConfigTest::run(directory));
+  EXPECT_EQ(23UL, ConfigTest::run(directory));
 #else
-  EXPECT_EQ(22UL, ConfigTest::run(directory));
+  EXPECT_EQ(24UL, ConfigTest::run(directory));
 #endif
 
   ConfigTest::testMerge();