@incfly
Last active July 31, 2019 21:30
Envoy ALPN Selected Or Not
  • Server Envoy: a listener with TLS enabled and ALPN http/1.1 configured, answering with a DirectResponse. It has two filter chains: one whose filter_chain_match requires alpn == http/1.1, and one default filter chain. The matching chain returns the response "hello world, selected from alpn http1.1."
  • Client Envoy: a cluster with TLS enabled and ALPN http/1.1 configured; requests to the cluster are sent to the server Envoy.
  • Sending a request curl -> Client Envoy -> Server Envoy returns "hello world alpn 1.1".
  • However, the ALPN "http1.1" can't be fetched via SslSocket::protocol(); it returns empty.

Note that these two parts use different SSL methods:

  1. FilterChainMatch uses boringssl::SSL_early_callback_ctx_extension_get, which reads the ALPN extension out of the ClientHello before negotiation.
  2. SslSocket::protocol invokes boringssl::SSL_get0_alpn_selected, which returns the protocol the server actually selected during the handshake (link).

Question: is it possible that the server Envoy only uses the ALPN data from the ClientHello for filter chain matching, while at the next stage no ALPN is actually selected and used as part of the TLS handshake?
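The two lookups above read different things: the filter chain match looks at what the client *offered* in its ClientHello, while SslSocket::protocol() reports what the server *selected*. The following added example (not part of the gist or of Envoy) makes that difference concrete. It builds a minimal TLS 1.2-style ClientHello with a constructed ALPN extension (RFC 7301, extension type 0x0010), parses the offered list back out the way an early-callback match would, models server-side selection as server-preference order (an assumption about the selection policy, not Envoy's actual code), and includes a `probe_server_alpn` helper that asks a live server what it negotiated. Every name here (`build_client_hello`, `parse_client_hello_alpn`, `select_alpn`, `probe_server_alpn`) is hypothetical and the ClientHello contents (zero random, one cipher suite) are constructed for the example.

```python
import socket
import ssl
import struct

ALPN_EXT_TYPE = 0x0010  # RFC 7301 application_layer_protocol_negotiation


def build_alpn_extension(protocols):
    """Encode an ALPN extension: ext type, ext length, then a length-prefixed list of names."""
    names = b"".join(struct.pack("!B", len(p)) + p.encode("ascii") for p in protocols)
    plist = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXT_TYPE, len(plist)) + plist


def build_client_hello(protocols):
    """Constructed minimal ClientHello record (zero random, one cipher suite) for the example."""
    body = b"\x03\x03" + bytes(32)                  # legacy_version TLS 1.2 + 32-byte random (all zero here)
    body += b"\x00"                                 # session_id length 0
    body += struct.pack("!H", 2) + b"\x13\x01"      # cipher_suites: one entry
    body += b"\x01\x00"                             # compression_methods: null only
    exts = build_alpn_extension(protocols) if protocols else b""
    body += struct.pack("!H", len(exts)) + exts     # extensions block (may be empty)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type handshake(22)


def parse_alpn_list(edata):
    """Decode the protocol_name_list inside an ALPN extension body."""
    list_len = struct.unpack("!H", edata[:2])[0]
    pos, names = 2, []
    while pos < 2 + list_len:
        n = edata[pos]
        pos += 1
        names.append(edata[pos:pos + n].decode("ascii"))
        pos += n
    return names


def parse_client_hello_alpn(record):
    """Return the ALPN names the client *offered*; this is the view a filter_chain_match has."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip legacy_version + random
    pos += 1 + body[pos]                             # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                             # skip compression_methods
    if pos >= len(body):
        return []                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == ALPN_EXT_TYPE:
            return parse_alpn_list(body[pos:pos + elen])
        pos += elen
    return []


def select_alpn(server_protocols, client_protocols):
    """Model of server-side selection (assumed server-preference order).

    Returns None when nothing is selected, which is the case SSL_get0_alpn_selected
    reports as empty: either the server has no alpn_protocols configured or there is
    no overlap with what the client offered. A filter chain can still have matched on
    the offered list in that situation.
    """
    for candidate in server_protocols:
        if candidate in client_protocols:
            return candidate
    return None


def probe_server_alpn(host, port, protocols, cafile):
    """Ask a live TLS server which ALPN it negotiated; cafile must trust the server cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_alpn_protocols(protocols)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()     # None means the server selected nothing


if __name__ == "__main__":
    hello = build_client_hello(["h2", "http/1.1"])
    offered = parse_client_hello_alpn(hello)
    print("offered by client:", offered)
    print("selected with server list ['http/1.1']:", select_alpn(["http/1.1"], offered))
    print("selected with no server list:", select_alpn([], offered))
```

Running `probe_server_alpn("127.0.0.1", 9000, ["http/1.1"], "./test/config/integration/certs/cacert.pem")` against the server Envoy (the CA path is an assumption) shows directly whether the handshake selected http/1.1; comparing that with `parse_client_hello_alpn` on a captured ClientHello separates "client offered it" from "server selected it".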

```yaml
---
node:
  id: 'a2'
  cluster: 'd2'
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8001
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 8000
    filter_chains:
    - filter_chain_match:
        # empty
      filters:
      - config:
          codec_type: auto
          http_filters:
          - config: {}
            name: envoy.router
          route_config:
            name: local_route
            virtual_hosts:
            - domains:
              - "*"
              name: service
              routes:
              - match:
                  prefix: "/"
                route: { cluster: open_cluster }
                #direct_response:
                #  status: 200
                #  body:
                #    inline_string: "hello world, inline response."
          stat_prefix: httpxtest
        name: envoy.http_connection_manager
  clusters:
  - connect_timeout: 0.25s
    tls_context:
      common_tls_context:
        alpn_protocols:
        - http/1.1
        tls_certificates:
        - certificate_chain: { filename: "./test/config/integration/certs/clientcert.pem" }
          private_key: { filename: "./test/config/integration/certs/clientkey.pem" }
    hosts:
    - socket_address:
        address: 127.0.0.1
        port_value: 9000
    lb_policy: round_robin
    name: open_cluster
    type: strict_dns
---
node:
  id: 'abc'
  cluster: 'def'
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9001
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 9000
    filter_chains:
    - filter_chain_match:
        application_protocols:
        - "http/1.1"
      tls_context:
        common_tls_context:
          alpn_protocols:
          - http/1.1
          tls_certificates:
          - certificate_chain: { filename: "./test/config/integration/certs/servercert.pem" }
            private_key: { filename: "./test/config/integration/certs/serverkey.pem" }
      filters:
      - config:
          codec_type: auto
          http_filters:
          - config: {}
            name: envoy.router
          route_config:
            name: local_route
            virtual_hosts:
            - domains:
              - "*"
              name: service
              routes:
              - match:
                  prefix: "/"
                direct_response:
                  status: 200
                  body:
                    inline_string: "hello world, from httpx-server-envoy-with-http1.1 alpn match."
          stat_prefix: httpxtest
        name: envoy.http_connection_manager
    - filter_chain_match:
        # empty
      tls_context:
        common_tls_context:
          alpn_protocols:
          - http/1.1
          tls_certificates:
          - certificate_chain: { filename: "./test/config/integration/certs/servercert.pem" }
            private_key: { filename: "./test/config/integration/certs/serverkey.pem" }
      filters:
      - config:
          codec_type: auto
          http_filters:
          - config: {}
            name: envoy.router
          route_config:
            name: local_route
            virtual_hosts:
            - domains:
              - "*"
              name: service
              routes:
              - match:
                  prefix: "/"
                direct_response:
                  status: 200
                  body:
                    inline_string: "hello world, from httpx-server-envoy."
          stat_prefix: httpxtest
        name: envoy.http_connection_manager
```