Listener filter to terminate HTTP CONNECT

[liverbirdkte]

Title: Listener filter to terminate HTTP CONNECT

Description:
Envoy has CONNECT support for tunneling raw TCP traffic. I have a new use case, when Envoy is used as forward proxy for HTTPS upstreams, expect Envoy terminates initial CONNECT request and subsequent downstream TLS connection. This makes extra filters like security check work for downstream traffic.

The TLS termination part with mimic cert is covered by #18928.

We still need a way to terminate CONNECT request. Currently this could be done with two listeners work together, first one terminates CONNECT and forwards traffic to second listener which does TLS termination. But this approach has some drawbacks of efficiency and resource consumption, I know lambdai is working on improving this with internal connection, but it seems virtual connection supporting SSL requires lots of work.

I'm wondering if we could handle this case in a single listener by adding a listener filter to terminate HTTP CONNECT request. The new listener filter detects if incoming request is a CONNECT, sets related stats(e.g., requested server name) and does CONNECT termination by replying with a HTTP response to client.

Thanks

[kyessenov]

This would be useful to also impose a stronger security posture by limiting HTTP processing to just CONNECT instead of exposing cross-cutting HCM features.

Why do you think internal connection has problems with TLS? It's possible to layer TLS in CONNECT in TLS with internal connection. On the other hand, listener filters do not support termination of outer TLS (see #18035).

[RyanTheOptimist]

cc: @alyssawilk

[liverbirdkte]

@kyessenov I got the impression that SSL support is not in the initial version of internal connecion from #11725, please correct me if I got something wrong.

Let me describe this listener filter with more details. Actually there are two scenarios for this TLS termination use case, Envoy as a sidecar and forward proxy, the only difference between these two scenarios is whether the initial CONNECT request exists. I'm looking for an Envoy configuration to cover two scenarios in a single listener.
The configuration may look like this:

listener_filters:
- name: envoy.filters.listener.connect_terminator
  name: envoy.filters.listener.tls_inspector
filter_chains:
- filter_chain_match:
     server_names = ["google.com"]
  filters:
  - name: envoy.filters.network.http_connection_manager
      ...
    http_filters:
      ...

If incoming request is CONNECT, connect terminator sets server names with request url, terminates CONNECT and skip.
If incoming request is TLS ClientHello, connect terminator does nothing but leaves the request to tls inspector.

[alyssawilk]

Yep, one could have a listener filter that removes HTTP/1.1 CONNECT headers similar to how we strip proxy proto, though it's obviously not going to work for HTTP/2 and HTTP/3

[liverbirdkte]

@alyssawilk why is this not gonna work for HTTP/2 and HTTP/3, too complex for a listener filter?

[alyssawilk]

Yeah. HTTP/1.1 CONNECT has one logical stream per connection - you strip the initial connect request and everything behind it is TCP payload. HTTP/2 has many streams on one connection, and you would need to basically reimplement the HCM as a listener filter

[liverbirdkte]

@alyssawilk, thanks for the comments. If it's fine to have this listener filter, I could start with some code to terminate HTTP/1.1 CONNECT.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.