-
Notifications
You must be signed in to change notification settings - Fork 370
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support configuring backend requests to use the same HTTP protocol as the client request #2437
Comments
@liorokman can't this be solved by pinning |
Soon Envoy Gateway will support Pinning HTTP/1.1 on the client side is a solution that only makes sense if the upstream isn't TLS enabled. If it's possible to negotiate the HTTP protocol with upstream, I think it's better to allow HTTP/2 when the client supports it so that the benefits of HTTP/2 can be realised. |
it sounds like for the case when downstream tls supports h2 and http/1.1 and upstream tls also supports h2 and http/1.1, we want to make sure that protocol downgrades are not supported. So instead of a field like USE_DOWNSTREAM_PROTOCOL (which disables protocol upgrades) |
This issue has been automatically marked as stale because it has not had activity in the last 30 days. |
The |
Description:
The way that EG sets up
HTTPRoute
s by default in Envoy Proxy today is that if TLS is enabled downstream, then ALPN negotiation is enabled with the default valuesh2, http/1.1
. Clients that support ALPN will prefer to use HTTP/2.In contrast, upstream connections are always HTTP/1.1 for
HTTPRoute
s. This can be seen in the following output (edited for brevity) :The output shows that while the
curl
command uses HTTP/2, the echo server identifies the protocol as HTTP/1.1.The fact that Envoy Proxy downgrades the protocol from HTTP/2 to HTTP/1.1 means that there is a potential attack surface created here for HTTP smuggling attacks, as detailed here.
When running the HTTP smuggling detection tool ( https://github.com/neex/http2smugl ) and keeping track of actual requests received in the server and the Envoy Proxy logs, there are several requests that appear in Envoy Proxy's log as rejected but are actually sent all the way to the backend server.
For example:
The following request specifies a response code of
0
and response flagsDPE
("The downstream request had an HTTP protocol error"), and bytes sent and received sizes of0
.When running a
tcpdump
session on the backend server side this specific request is actually found, including a valid HTTP 200 response. This was correlated via thex-request-id
header shown in the Envoy Proxy log. Here is the packet dump, edited for brevity.Since the Envoy Proxy log shows that there was a protocol error and no bytes sent or received, the request should not have appeared at all in the packet capture on the backend side.
I propose that it be made possible to prevent this category of issues by configuring Envoy Gateway to use the same HTTP protocol in upstream requests as received from downstream.
[optional Relevant Links:]
https://book.hacktricks.xyz/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades
The text was updated successfully, but these errors were encountered: