Wrong filter_chain_match'ing for HTTP/2 #37810

Open
zvlb opened this issue Dec 24, 2024 · 8 comments

@zvlb
Contributor

zvlb commented Dec 24, 2024

Title: Wrong filter_chain_matching for HTTP/2

Description:

If in the envoy configuration, within a single listener, you define 2 (or more) FilterChains that use the same certificate and are configured to use the HTTP/2 protocol, routing between the FilterChains stops working.

Repro steps:

  1. Start envoy (1.32.3) with the config file below.
  2. Configure /etc/hosts to route lol.zvlb.io and kek.zvlb.io to 127.0.0.1.
  3. Open lol.zvlb.io in Google Chrome, and add the certificate to the trusted ones on your system.
  4. Open lol.zvlb.io in incognito mode, and then open kek.zvlb.io. The browser returns "lol" in both cases.

If you delete alpn_protocols from the config (i.e. use HTTP/1.1), everything works fine.

Config:

admin:
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 8081

static_resources:
  listeners:
  - name: listener
    enable_reuse_port: false
    address:
      socket_address:
        protocol: TCP 
        address: 0.0.0.0
        port_value: 443
    listener_filters:
    - name: "envoy.filters.listener.tls_inspector"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - name: "lol"
      filter_chain_match:
        server_names:
          - "lol.zvlb.io"
      transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              alpn_protocols: ["h2", "http/1.1"]
              tls_certificates:
                - certificate_chain: 
                    inline_string: |
                      -----BEGIN CERTIFICATE-----
                      MIIFJDCCAwygAwIBAgIUSPDI9kzSVK43E2SvIdpb7LrszfswDQYJKoZIhvcNAQEL
                      BQAwEjEQMA4GA1UEAwwHenZsYi5pbzAeFw0yNDEyMjQwODU2MDZaFw0zNDEyMjIw
                      ODU2MDZaMBIxEDAOBgNVBAMMB3p2bGIuaW8wggIiMA0GCSqGSIb3DQEBAQUAA4IC
                      DwAwggIKAoICAQCyjLAH1HiJXLrgMbarjXnQvBhtQomuqj3MFYE75GmFDDuhGi0C
                      mFmOjVFEEXN+8LX4SA4r7Hil53Sw8U16kYv83J7p1P4hkPvA+Qfp4DZwKs9/a8RI
                      Zeu9nwRIgyJa1RZGea/+WjBJwgK+psVgF25Xno8A9nRT133+94Py1u9Wai53CKX8
                      p1wQuqf8rXVMxfztZHUcXlBEC8uKxoSAsJHrVHnk9k05LTChxXT6IeoiRJeDAxHu
                      C/eKUo1QU/gu+nPde7WlPmfl36E7SqWk1vKbM2CLuVJWJ5hHeWqPpwj3WBxWFzgx
                      6ldMVTSguQZYtQtn9oGAuM1U9SXUh+cEytMphuB9xUzHYZQOGStJf9Is6w6hCmWM
                      DEaJQPSy9M2UxHuyjr7gAObWmjtZVwK8+Ssv9n2q+AF6vyAPY0/F/N7/5aTnXcy7
                      +O79W9bbf4xKOlv5i5bky/PJa1vU9eavMEBU5EZetzG6vfY+rr35ywOAjrh+7NZs
                      YxXZGqbnW+M10BkWHHA1AFPO16glAQIW+K26YO0I+g7g25VPf5VTVXbhfueQXHU7
                      M3ij8dqNNLhT9SSqe7bDvZnO+UTLmcHW+bnTD51r8JbMnI6YZCSF0nrHHOlJGTw1
                      nhnoyhPBF5WLoYoMgWXDAStTB8DZ+U1TLraIPl/ifkdSfSC/5RNJ+wLibQIDAQAB
                      o3IwcDAdBgNVHQ4EFgQUHrWt4ghwSSPIq6XH55PFv+NOH7MwHwYDVR0jBBgwFoAU
                      HrWt4ghwSSPIq6XH55PFv+NOH7MwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHREEFjAU
                      ggd6dmxiLmlvggkqLnp2bGIuaW8wDQYJKoZIhvcNAQELBQADggIBACNqn2O9XaqT
                      U8+Szf7Izji2DDoGeXTBVlleWAyzEch3jL9ESGAADHHytg/K7+h3SEc8Ua2Cnbrp
                      Okc4Om+o09Rr3KsHxnrbzAk/i5nT/JyaRSeJCY3pIS2lhM2XbB6tmFTALIsfZ7QN
                      NNOOVw5nmbR22uHAQmgMUot7BoNfD2+/g860ejKCYGzwnctS/LSVeFZM2uPgR/gz
                      pCnkK+J81P54L7eBffj1i4ykOgw/SWbO0n9CcX0nij+WL1PqxEZyVSQzvKRQBshc
                      2lAaE28pSGcbeb4hUSVeNsJ0fg4nYbS573wpWb4koV+uzon0EWCQCfu8CLnOZ/AN
                      PrA24rQoxSgl2Rhc+vHiDuz+LKAhpXxaWQZlMW83ffUIgal7GCh6EtWZtSr/Ye/2
                      hW3nGNMV2vpmdxJBw9TFvuebAf8PcsCH49CTGL0Ek1Sj87qnf19zN2egFgdovKKU
                      43Eo95oM+ZiE+FG6TjfrgLCIbEMJwhcHFdrzz73JEaN+KdSCPx2I2XhADuISU7GA
                      eawuOnjcPxtl5QuszoN5nTBUEeVchL0a4WdqRS8e5mziysoyC/XTjt4vrMKh7i8I
                      oa8bEwepgeXdNCKOSTsm/i10KGl4JLHmuY1MXefe4M07hH82+IqKyDgS9QC4KOI4
                      A5DTZOGU9+dAwgOSW+J4xTWbXrUAo+G9
                      -----END CERTIFICATE-----
                  private_key: 
                    inline_string: |
                      -----BEGIN PRIVATE KEY-----
                      MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCyjLAH1HiJXLrg
                      MbarjXnQvBhtQomuqj3MFYE75GmFDDuhGi0CmFmOjVFEEXN+8LX4SA4r7Hil53Sw
                      8U16kYv83J7p1P4hkPvA+Qfp4DZwKs9/a8RIZeu9nwRIgyJa1RZGea/+WjBJwgK+
                      psVgF25Xno8A9nRT133+94Py1u9Wai53CKX8p1wQuqf8rXVMxfztZHUcXlBEC8uK
                      xoSAsJHrVHnk9k05LTChxXT6IeoiRJeDAxHuC/eKUo1QU/gu+nPde7WlPmfl36E7
                      SqWk1vKbM2CLuVJWJ5hHeWqPpwj3WBxWFzgx6ldMVTSguQZYtQtn9oGAuM1U9SXU
                      h+cEytMphuB9xUzHYZQOGStJf9Is6w6hCmWMDEaJQPSy9M2UxHuyjr7gAObWmjtZ
                      VwK8+Ssv9n2q+AF6vyAPY0/F/N7/5aTnXcy7+O79W9bbf4xKOlv5i5bky/PJa1vU
                      9eavMEBU5EZetzG6vfY+rr35ywOAjrh+7NZsYxXZGqbnW+M10BkWHHA1AFPO16gl
                      AQIW+K26YO0I+g7g25VPf5VTVXbhfueQXHU7M3ij8dqNNLhT9SSqe7bDvZnO+UTL
                      mcHW+bnTD51r8JbMnI6YZCSF0nrHHOlJGTw1nhnoyhPBF5WLoYoMgWXDAStTB8DZ
                      +U1TLraIPl/ifkdSfSC/5RNJ+wLibQIDAQABAoICAAnQYleX1eVE98+dY+tDjDvN
                      LvGIe/1iBaILV45ldGhX/woQoIM5QQjtGxeo9uZ2ECZ8vWysI4iI85jLNqVDTUTB
                      kqmLJ8nMCI53kbgI9y0MqVmZYJFTKtVCIY/jx1ZjSoVmqGYMaoWPWKvGimhI+Wtu
                      /3C/2y6FlHsYe0P0jPS8wt+PleIQh+ayf8vLc/xbkJay1B4SUAqhdFdlKIDTU73x
                      535OjHmVUow9yHt8NDycdRCCMXDabwmHFpXg+64HXamBpH8X8kmIFHpoFLk+CFlA
                      BnE/pzctl3jsQ09wkLVZvjr8LT5PIWvEbi9cZC0pjF4zRjR/U+f0zpbDPo88n8Ub
                      z3vbScTHuCDuY8RRoDPVBv4lgwiVfGfvLgGBij6s+/ViJ1L9VQqYln0xc+4BcW5N
                      YcoBVVrAum5F4YmrtmjAcPTSqCSuoeqI9tdZTLq+2vXdMtnanToW+Hnivd9nvXgX
                      bdNgzAQPR6GEda+Zhf/q74V5ucXvURSrNCH2HxqezmPXBa5Azsy5Q9wt0AJulK4o
                      rHpmW1/88LQpEh3tSxNoQgbtcJ2HLNqkCPJ3h5K8Nv6IcpfCK7AvN3lpJ4rqBmMt
                      osRTgOw5d9YekDtgEQgWeIdOlsrhad8/2qiwlqVsyvRT90xGh4tIS4YWFgZl1SWt
                      HGbW1e3gpps8rPR/VkXxAoIBAQDZRTLsGwYvrsWJIA+qTvY4YjLkGfdnukk1iU7j
                      Zwbo2pype4vK7tvjRqSLuMcX1IULEyRtV+DkX7F9EaLMF/MgxjPF/0ftSgv82d98
                      G5EQpNtUSdGnKTJRW9zWRCoigoM+Z/qnuw2KC+7O45cOBnv4uvNSg3Zs6ZGtkWkz
                      t6Y9ZxRF2IFABfyOlCNN2nhrq8yt6AxkWpebWmMOvtdVZBPWxjqa9z3otUTAjITq
                      Df/2Z6jCpTbmzupEgpc3k8+DyQiDeCU22CbbNTHePF/1z9SOSCMDtwwVY/QG5Na0
                      tpRgXDsApHj70cvcTj4ELy3GeWIx3VGpr+EJDLEleRdNCJwRAoIBAQDSYIavXNoN
                      JJNORnsQKKjwaEzs8wrg63MeIc5PNfb3kRHEBkpNvP/E3HPX4HJ4HG3HrkuwkZwf
                      bKHjV6ocUonf8waOKFvqoHi1U0XOYitOzCfsT3gz+eNuUNp0nLwxg8T4Qje92dw+
                      5jjp11xzo/Uv0Y+1BwhKWbEQdm8OEPb2tAWunbknL+HhR3+Zl8feoy34wv76LEsT
                      g/2jHZY2Z1vENMtI45BTfrd7q3wmWPAbroJgIy2FFmBi/C+c5ud+YEfId6Uwg9di
                      pgWc7NxE27AyzZTMMKX5lQ7zw4xmk/1RP6XEXbUhc59zT1VBj1Ir6vWZO/t3h0cy
                      1xuuKNogpGydAoIBAC8mMyzFmIwUc02UpZGh3RDTTpPthqD97hEuIO58VyWE+2ZU
                      Jzv8pb8mf2LK0Hm9ZrnGh6sq3OTyV0P65cdAk0RTfrzC70rxPLS8WyFFoi9odyhN
                      dK+/4umA8+WTmUkv5WdPjTeFAiUo/cPr48XpZlHN0Cvh13s/HJv76EaO3gaJLf8S
                      QsowAmS2hQrKFEPZXmuG5dmJR0kxTjnO9E/VjfCXx/QFH2w2mhrm45kfPKKuUBMd
                      Y1KnKHOBm2s2KlxA7hYJppnGQnhjjNTbaT+gwFG4GdEekgK6VCSC2I0S6hQXL76t
                      8otDNegzGoYx7s8ZXFPR4XzfbAhYtsCZDJNtAOECggEAK8nNnuibtkqboppG+SkN
                      aOS8xkEcTY6Uanws3g3kdskqQnvwsVeagRZFwnREPz3jl8FunbThIyVQWOqhTL3d
                      VtDV13cNErwOA+fuSrPiQcd6s9Qit+bWcNrBba5F+aRstiPKSGj1T95JkFq0Mpm4
                      6hgbalmpXxhmI4ATQ4FCdj0oRZ0ssbxkrqhcJdMS1gNvCS1FNztK8Sfy/iWlY3OG
                      BUPb4DMFkmt4s3QRJkYyzAA5wNrxmZb7vv6wxl7FZmeR6WcF6iA3D6Bw4KXofyie
                      9yQVSZ8CnP1qnFBig+Nfwa6WyVWb4veXA8BKhZfYSa3hKuDySYHNzwY5C7oTFOJE
                      fQKCAQEA01vlLshH8QGw3Fvgd6SGzp9La7XzUv4J5sFDWro0bJ+zSXlwFY4ZCMYO
                      zIOd24F2oiPpo88KbS/NZcVMII+hc2IDJLo/x/HayY+hwHVZXaMo/PmYSD9O8mF4
                      P5x0fZ2bcoZ1Qf8DhlT+MbVg/FpcIsP1cPR4KtoE8KDvUn4cEvHYFQAeCG0+rhSP
                      aw6QjFEHAW/Wc5dSBafDvxHt4nB61ErLaUa8wvAgcmx7cNHoTy8PW96OmZ3PFOA+
                      wbVE16stltW6skHkwK9AYLuPKAhu9pBNlgFniFdchGKA4JatS5mzRtUnhiO6Lzzd
                      TvTF5gVn5egAGnKfpPP6aNMqiWrY7w==
                      -----END PRIVATE KEY-----
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: lol
          use_remote_address: true
          route_config:
            name: lol
            virtual_hosts:
            - name: lol
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                direct_response:
                  status: 200
                  body: 
                    inline_string: "lol"
          http_filters:
            - name: envoy.filters.http.router
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
    - name: "kek"
      filter_chain_match:
        server_names:
          - "kek.zvlb.io"
      transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              alpn_protocols: ["h2", "http/1.1"]
              tls_certificates:
                - certificate_chain: 
                    inline_string: |
                      -----BEGIN CERTIFICATE-----
                      MIIFJDCCAwygAwIBAgIUSPDI9kzSVK43E2SvIdpb7LrszfswDQYJKoZIhvcNAQEL
                      BQAwEjEQMA4GA1UEAwwHenZsYi5pbzAeFw0yNDEyMjQwODU2MDZaFw0zNDEyMjIw
                      ODU2MDZaMBIxEDAOBgNVBAMMB3p2bGIuaW8wggIiMA0GCSqGSIb3DQEBAQUAA4IC
                      DwAwggIKAoICAQCyjLAH1HiJXLrgMbarjXnQvBhtQomuqj3MFYE75GmFDDuhGi0C
                      mFmOjVFEEXN+8LX4SA4r7Hil53Sw8U16kYv83J7p1P4hkPvA+Qfp4DZwKs9/a8RI
                      Zeu9nwRIgyJa1RZGea/+WjBJwgK+psVgF25Xno8A9nRT133+94Py1u9Wai53CKX8
                      p1wQuqf8rXVMxfztZHUcXlBEC8uKxoSAsJHrVHnk9k05LTChxXT6IeoiRJeDAxHu
                      C/eKUo1QU/gu+nPde7WlPmfl36E7SqWk1vKbM2CLuVJWJ5hHeWqPpwj3WBxWFzgx
                      6ldMVTSguQZYtQtn9oGAuM1U9SXUh+cEytMphuB9xUzHYZQOGStJf9Is6w6hCmWM
                      DEaJQPSy9M2UxHuyjr7gAObWmjtZVwK8+Ssv9n2q+AF6vyAPY0/F/N7/5aTnXcy7
                      +O79W9bbf4xKOlv5i5bky/PJa1vU9eavMEBU5EZetzG6vfY+rr35ywOAjrh+7NZs
                      YxXZGqbnW+M10BkWHHA1AFPO16glAQIW+K26YO0I+g7g25VPf5VTVXbhfueQXHU7
                      M3ij8dqNNLhT9SSqe7bDvZnO+UTLmcHW+bnTD51r8JbMnI6YZCSF0nrHHOlJGTw1
                      nhnoyhPBF5WLoYoMgWXDAStTB8DZ+U1TLraIPl/ifkdSfSC/5RNJ+wLibQIDAQAB
                      o3IwcDAdBgNVHQ4EFgQUHrWt4ghwSSPIq6XH55PFv+NOH7MwHwYDVR0jBBgwFoAU
                      HrWt4ghwSSPIq6XH55PFv+NOH7MwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHREEFjAU
                      ggd6dmxiLmlvggkqLnp2bGIuaW8wDQYJKoZIhvcNAQELBQADggIBACNqn2O9XaqT
                      U8+Szf7Izji2DDoGeXTBVlleWAyzEch3jL9ESGAADHHytg/K7+h3SEc8Ua2Cnbrp
                      Okc4Om+o09Rr3KsHxnrbzAk/i5nT/JyaRSeJCY3pIS2lhM2XbB6tmFTALIsfZ7QN
                      NNOOVw5nmbR22uHAQmgMUot7BoNfD2+/g860ejKCYGzwnctS/LSVeFZM2uPgR/gz
                      pCnkK+J81P54L7eBffj1i4ykOgw/SWbO0n9CcX0nij+WL1PqxEZyVSQzvKRQBshc
                      2lAaE28pSGcbeb4hUSVeNsJ0fg4nYbS573wpWb4koV+uzon0EWCQCfu8CLnOZ/AN
                      PrA24rQoxSgl2Rhc+vHiDuz+LKAhpXxaWQZlMW83ffUIgal7GCh6EtWZtSr/Ye/2
                      hW3nGNMV2vpmdxJBw9TFvuebAf8PcsCH49CTGL0Ek1Sj87qnf19zN2egFgdovKKU
                      43Eo95oM+ZiE+FG6TjfrgLCIbEMJwhcHFdrzz73JEaN+KdSCPx2I2XhADuISU7GA
                      eawuOnjcPxtl5QuszoN5nTBUEeVchL0a4WdqRS8e5mziysoyC/XTjt4vrMKh7i8I
                      oa8bEwepgeXdNCKOSTsm/i10KGl4JLHmuY1MXefe4M07hH82+IqKyDgS9QC4KOI4
                      A5DTZOGU9+dAwgOSW+J4xTWbXrUAo+G9
                      -----END CERTIFICATE-----
                  private_key: 
                    inline_string: |
                      -----BEGIN PRIVATE KEY-----
                      MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCyjLAH1HiJXLrg
                      MbarjXnQvBhtQomuqj3MFYE75GmFDDuhGi0CmFmOjVFEEXN+8LX4SA4r7Hil53Sw
                      8U16kYv83J7p1P4hkPvA+Qfp4DZwKs9/a8RIZeu9nwRIgyJa1RZGea/+WjBJwgK+
                      psVgF25Xno8A9nRT133+94Py1u9Wai53CKX8p1wQuqf8rXVMxfztZHUcXlBEC8uK
                      xoSAsJHrVHnk9k05LTChxXT6IeoiRJeDAxHuC/eKUo1QU/gu+nPde7WlPmfl36E7
                      SqWk1vKbM2CLuVJWJ5hHeWqPpwj3WBxWFzgx6ldMVTSguQZYtQtn9oGAuM1U9SXU
                      h+cEytMphuB9xUzHYZQOGStJf9Is6w6hCmWMDEaJQPSy9M2UxHuyjr7gAObWmjtZ
                      VwK8+Ssv9n2q+AF6vyAPY0/F/N7/5aTnXcy7+O79W9bbf4xKOlv5i5bky/PJa1vU
                      9eavMEBU5EZetzG6vfY+rr35ywOAjrh+7NZsYxXZGqbnW+M10BkWHHA1AFPO16gl
                      AQIW+K26YO0I+g7g25VPf5VTVXbhfueQXHU7M3ij8dqNNLhT9SSqe7bDvZnO+UTL
                      mcHW+bnTD51r8JbMnI6YZCSF0nrHHOlJGTw1nhnoyhPBF5WLoYoMgWXDAStTB8DZ
                      +U1TLraIPl/ifkdSfSC/5RNJ+wLibQIDAQABAoICAAnQYleX1eVE98+dY+tDjDvN
                      LvGIe/1iBaILV45ldGhX/woQoIM5QQjtGxeo9uZ2ECZ8vWysI4iI85jLNqVDTUTB
                      kqmLJ8nMCI53kbgI9y0MqVmZYJFTKtVCIY/jx1ZjSoVmqGYMaoWPWKvGimhI+Wtu
                      /3C/2y6FlHsYe0P0jPS8wt+PleIQh+ayf8vLc/xbkJay1B4SUAqhdFdlKIDTU73x
                      535OjHmVUow9yHt8NDycdRCCMXDabwmHFpXg+64HXamBpH8X8kmIFHpoFLk+CFlA
                      BnE/pzctl3jsQ09wkLVZvjr8LT5PIWvEbi9cZC0pjF4zRjR/U+f0zpbDPo88n8Ub
                      z3vbScTHuCDuY8RRoDPVBv4lgwiVfGfvLgGBij6s+/ViJ1L9VQqYln0xc+4BcW5N
                      YcoBVVrAum5F4YmrtmjAcPTSqCSuoeqI9tdZTLq+2vXdMtnanToW+Hnivd9nvXgX
                      bdNgzAQPR6GEda+Zhf/q74V5ucXvURSrNCH2HxqezmPXBa5Azsy5Q9wt0AJulK4o
                      rHpmW1/88LQpEh3tSxNoQgbtcJ2HLNqkCPJ3h5K8Nv6IcpfCK7AvN3lpJ4rqBmMt
                      osRTgOw5d9YekDtgEQgWeIdOlsrhad8/2qiwlqVsyvRT90xGh4tIS4YWFgZl1SWt
                      HGbW1e3gpps8rPR/VkXxAoIBAQDZRTLsGwYvrsWJIA+qTvY4YjLkGfdnukk1iU7j
                      Zwbo2pype4vK7tvjRqSLuMcX1IULEyRtV+DkX7F9EaLMF/MgxjPF/0ftSgv82d98
                      G5EQpNtUSdGnKTJRW9zWRCoigoM+Z/qnuw2KC+7O45cOBnv4uvNSg3Zs6ZGtkWkz
                      t6Y9ZxRF2IFABfyOlCNN2nhrq8yt6AxkWpebWmMOvtdVZBPWxjqa9z3otUTAjITq
                      Df/2Z6jCpTbmzupEgpc3k8+DyQiDeCU22CbbNTHePF/1z9SOSCMDtwwVY/QG5Na0
                      tpRgXDsApHj70cvcTj4ELy3GeWIx3VGpr+EJDLEleRdNCJwRAoIBAQDSYIavXNoN
                      JJNORnsQKKjwaEzs8wrg63MeIc5PNfb3kRHEBkpNvP/E3HPX4HJ4HG3HrkuwkZwf
                      bKHjV6ocUonf8waOKFvqoHi1U0XOYitOzCfsT3gz+eNuUNp0nLwxg8T4Qje92dw+
                      5jjp11xzo/Uv0Y+1BwhKWbEQdm8OEPb2tAWunbknL+HhR3+Zl8feoy34wv76LEsT
                      g/2jHZY2Z1vENMtI45BTfrd7q3wmWPAbroJgIy2FFmBi/C+c5ud+YEfId6Uwg9di
                      pgWc7NxE27AyzZTMMKX5lQ7zw4xmk/1RP6XEXbUhc59zT1VBj1Ir6vWZO/t3h0cy
                      1xuuKNogpGydAoIBAC8mMyzFmIwUc02UpZGh3RDTTpPthqD97hEuIO58VyWE+2ZU
                      Jzv8pb8mf2LK0Hm9ZrnGh6sq3OTyV0P65cdAk0RTfrzC70rxPLS8WyFFoi9odyhN
                      dK+/4umA8+WTmUkv5WdPjTeFAiUo/cPr48XpZlHN0Cvh13s/HJv76EaO3gaJLf8S
                      QsowAmS2hQrKFEPZXmuG5dmJR0kxTjnO9E/VjfCXx/QFH2w2mhrm45kfPKKuUBMd
                      Y1KnKHOBm2s2KlxA7hYJppnGQnhjjNTbaT+gwFG4GdEekgK6VCSC2I0S6hQXL76t
                      8otDNegzGoYx7s8ZXFPR4XzfbAhYtsCZDJNtAOECggEAK8nNnuibtkqboppG+SkN
                      aOS8xkEcTY6Uanws3g3kdskqQnvwsVeagRZFwnREPz3jl8FunbThIyVQWOqhTL3d
                      VtDV13cNErwOA+fuSrPiQcd6s9Qit+bWcNrBba5F+aRstiPKSGj1T95JkFq0Mpm4
                      6hgbalmpXxhmI4ATQ4FCdj0oRZ0ssbxkrqhcJdMS1gNvCS1FNztK8Sfy/iWlY3OG
                      BUPb4DMFkmt4s3QRJkYyzAA5wNrxmZb7vv6wxl7FZmeR6WcF6iA3D6Bw4KXofyie
                      9yQVSZ8CnP1qnFBig+Nfwa6WyVWb4veXA8BKhZfYSa3hKuDySYHNzwY5C7oTFOJE
                      fQKCAQEA01vlLshH8QGw3Fvgd6SGzp9La7XzUv4J5sFDWro0bJ+zSXlwFY4ZCMYO
                      zIOd24F2oiPpo88KbS/NZcVMII+hc2IDJLo/x/HayY+hwHVZXaMo/PmYSD9O8mF4
                      P5x0fZ2bcoZ1Qf8DhlT+MbVg/FpcIsP1cPR4KtoE8KDvUn4cEvHYFQAeCG0+rhSP
                      aw6QjFEHAW/Wc5dSBafDvxHt4nB61ErLaUa8wvAgcmx7cNHoTy8PW96OmZ3PFOA+
                      wbVE16stltW6skHkwK9AYLuPKAhu9pBNlgFniFdchGKA4JatS5mzRtUnhiO6Lzzd
                      TvTF5gVn5egAGnKfpPP6aNMqiWrY7w==
                      -----END PRIVATE KEY-----
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: kek
          use_remote_address: true
          route_config:
            name: kek
            virtual_hosts:
            - name: kek
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                direct_response:
                  status: 200
                  body: 
                    inline_string: "kek"
          http_filters:
            - name: envoy.filters.http.router
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
@zvlb zvlb added bug triage Issue requires triage labels Dec 24, 2024
@dolgovas

I faced the same problem.
I'm going to migrate from nginx to envoy. Nginx uses SNI only for choosing the certificate at TLS connect, and after that nginx uses the HOST header for choosing the correct server.

But it seems that envoy doesn't use the HOST header to choose the correct config section; it only uses SNI for this.

But modern browsers don't send SNI on every request if both sites are on the same IP and use the same certificate.

@phlax phlax added area/tls_sni and removed triage Issue requires triage labels Dec 29, 2024
@phlax
Member

phlax commented Dec 29, 2024

cc @rshriram @ggreenway

@agrawroh
Contributor

agrawroh commented Dec 30, 2024

I can't seem to repro using cURL on the same Envoy version listed in the description (v1.32.3).

Here are the requests I made and the responses I got:

Request:

curl -vvv https://lol.zvlb.io:443 --resolve lol.zvlb.io:443:127.0.0.1 --http2 -k

Response:

* Using Stream ID: 1 (easy handle 0x5639f07964f0)
> GET / HTTP/2
> Host: lol.zvlb.io
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200
< content-length: 3
< content-type: text/plain
< date: Tue, 31 Dec 2024 00:58:16 GMT
< server: envoy
<
* Connection #0 to host lol.zvlb.io left intact
lol

Request:

curl -vvv https://kek.zvlb.io:443 --resolve kek.zvlb.io:443:127.0.0.1 --http2 -k

Response:

* Using Stream ID: 1 (easy handle 0x564676514260)
> GET / HTTP/2
> Host: kek.zvlb.io
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200
< content-length: 3
< content-type: text/plain
< date: Tue, 31 Dec 2024 00:59:15 GMT
< server: envoy
<
* Connection #0 to host kek.zvlb.io left intact
kek

@dolgovas

@agrawroh yes, you are right, because curl sends SNI on every request. It affects only modern browsers, especially Chrome and Firefox.
For example, in Safari everything works correctly.

@zvlb
Contributor Author

zvlb commented Dec 31, 2024

@agrawroh
To see the error, follow these steps:

  1. Start envoy (1.32.3) with the config file.
  2. Configure /etc/hosts to route lol.zvlb.io and kek.zvlb.io to 127.0.0.1.
  3. Open lol.zvlb.io in Google Chrome, and add the certificate to the trusted ones on your system.
  4. Open lol.zvlb.io in incognito mode, and then open kek.zvlb.io. The browser returns "lol" in both cases.

@ggreenway
Contributor

I think this is probably the same issue described in #6767. @zvlb you can work around this by either using a single network filter chain and matching on vhost in the http connection manager, or keeping two filter chains and configuring the http connection manager to respond with a 421 when the wrong vhost is received.

@zvlb
Contributor Author

zvlb commented Jan 7, 2025

using a single network filter chain and matching on vhost in the http connection manager, or keeping two filter chains and configuring the http connection manager to respond with a 421 when the wrong vhost is received.

I can’t use a single filterChain because I may have completely different httpFilters (applied at the filterChain level) for different domains using the same certificate. Perhaps I could resolve this somehow using typed-per-filter-config, but it seems… terrible to me.

Regarding the 421 response code. How can I determine that the vhost is incorrect? Do you have an example of such a configuration? Can this be configured using some kind of httpFilter?

@ggreenway
Contributor

Here's a rough example (this probably isn't quite a valid config, but you get the idea):

      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["the.real.domain.com"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: the_cluster
            - name: 421_response
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                direct_response:
                  status: 421
                  body:
                    inline_string: "incorrect vhost\n"
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
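As an added example (not code from the Envoy project or from anyone in this thread), here is a small Python checker that encodes the reasoning above: it groups a listener's filter chains by the certificate they present, and when two or more share one certificate and advertise h2, it flags any chain whose HTTP connection manager still serves a wildcard virtual host with anything other than the 421 direct response suggested in the comment. The function names, the placeholder certificate string and the dict layout mirroring the issue's YAML are all constructed for this example; it runs offline on the two configs built inline (the issue's config and the guarded variant).

```python
import hashlib

HCM = "envoy.filters.network.http_connection_manager"

def _tls_ctx(fc):
    return fc.get("transport_socket", {}).get("typed_config", {}).get("common_tls_context", {})

def cert_digests(fc):
    """Digests of the chains a filter chain presents; identical text means identical cert."""
    return {hashlib.sha256(c["certificate_chain"]["inline_string"].encode()).hexdigest()
            for c in _tls_ctx(fc).get("tls_certificates", [])}

def advertises_h2(fc):
    return "h2" in _tls_ctx(fc).get("alpn_protocols", [])

def lacks_misdirected_guard(fc):
    """True if an HCM in this chain serves real content on a wildcard vhost. A guarded
    chain answers every wildcard vhost ("*", "*.zvlb.io") only with direct_response 421,
    so a request for another chain's hostname on a coalesced h2 connection is refused."""
    for f in fc.get("filters", []):
        if f.get("name") != HCM:
            continue
        for vh in f["typed_config"].get("route_config", {}).get("virtual_hosts", []):
            if any("*" in d for d in vh.get("domains", [])):
                if any(r.get("direct_response", {}).get("status") != 421 for r in vh.get("routes", [])):
                    return True
    return False

def find_coalescing_risks(listener):
    """Return (chain name, reason) pairs for chains exposed to the coalescing problem."""
    by_cert = {}
    for fc in listener.get("filter_chains", []):
        for d in cert_digests(fc):
            by_cert.setdefault(d, []).append(fc)
    findings = []
    for chains in by_cert.values():
        # Distinct certs, or HTTP/1.1 only: a browser opens a fresh connection per host.
        if len(chains) < 2 or not any(advertises_h2(fc) for fc in chains):
            continue
        peers = [fc["name"] for fc in chains]
        findings += [(fc["name"], f"shares a certificate with {peers} over h2 and serves a wildcard vhost")
                     for fc in chains if lacks_misdirected_guard(fc)]
    return findings

# --- constructed configs mirroring the issue's YAML and the suggested workaround ---
SHARED_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"  # not real PEM

def _route(status, body):
    return {"match": {"prefix": "/"}, "direct_response": {"status": status, "body": {"inline_string": body}}}

def make_chain(name, host, vhosts):
    tls = {"alpn_protocols": ["h2", "http/1.1"],
           "tls_certificates": [{"certificate_chain": {"inline_string": SHARED_CERT}}]}
    return {"name": name, "filter_chain_match": {"server_names": [host]},
            "transport_socket": {"name": "envoy.transport_sockets.tls",
                                 "typed_config": {"common_tls_context": tls}},
            "filters": [{"name": HCM, "typed_config": {"route_config": {"virtual_hosts": vhosts}}}]}

# The issue's config: each chain answers every Host with its own body.
ISSUE_LISTENER = {"filter_chains": [
    make_chain("lol", "lol.zvlb.io", [{"name": "lol", "domains": ["*"], "routes": [_route(200, "lol")]}]),
    make_chain("kek", "kek.zvlb.io", [{"name": "kek", "domains": ["*"], "routes": [_route(200, "kek")]}])]}

# The workaround: a vhost for the real domain plus a "*" vhost returning 421.
FIXED_LISTENER = {"filter_chains": [
    make_chain(n, h, [{"name": n, "domains": [h], "routes": [_route(200, n)]},
                      {"name": "421_response", "domains": ["*"], "routes": [_route(421, "incorrect vhost\n")]}])
    for n, h in (("lol", "lol.zvlb.io"), ("kek", "kek.zvlb.io"))]}
```

Running `find_coalescing_risks(ISSUE_LISTENER)` reports both chains, while the guarded listener produces no findings; a wildcard vhost that forwards to a cluster is flagged the same way as one serving a 200.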
