From 50251656e573830d1457b39c8457956249342aff Mon Sep 17 00:00:00 2001 From: Matthew Ceroni Date: Tue, 30 Apr 2019 15:41:15 -0700 Subject: [PATCH 1/4] Enable configuration of http1.0 --- ambassador/ambassador/envoy/v2/v2listener.py | 13 ++++++++----- ambassador/ambassador/ir/ir.py | 4 ++-- ambassador/ambassador/ir/irambassador.py | 6 ++++-- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/ambassador/ambassador/envoy/v2/v2listener.py b/ambassador/ambassador/envoy/v2/v2listener.py index a78aef6b14..0e1fe65ecd 100644 --- a/ambassador/ambassador/envoy/v2/v2listener.py +++ b/ambassador/ambassador/envoy/v2/v2listener.py @@ -104,7 +104,7 @@ def v2filter_buffer(buffer: IRBuffer, v2config: 'V2Config'): 'name': 'envoy.buffer', 'config': { "max_request_bytes": buffer.max_request_bytes - } + } } @v2filter.when("ir.grpc_http1_bridge") @@ -148,7 +148,7 @@ def v2filter_authv0(auth: IRAuth, v2config: 'V2Config'): assert auth.cluster cluster = typecast(IRCluster, auth.cluster) - + assert auth.api_version == "ambassador/v0" # This preserves almost exactly the same logic prior to ambassador/v1 implementation. @@ -167,8 +167,8 @@ def v2filter_authv0(auth: IRAuth, v2config: 'V2Config'): for key in sorted(hdrs): allowed_authorization_headers.append({"exact": key}) - - allowed_request_headers = [] + + allowed_request_headers = [] for key in sorted(request_headers.keys()): allowed_request_headers.append({"exact": key}) @@ -228,7 +228,7 @@ def v2filter_authv1(auth: IRAuth, v2config: 'V2Config'): for key in list(set(auth.allowed_authorization_headers).union(AllowedAuthorizationHeaders)): allowed_authorization_headers.append({"exact": key}) - + allowed_request_headers = [] for key in list(set(auth.allowed_request_headers).union(AllowedRequestHeaders)): 
@@ -511,6 +511,9 @@ def __init__(self, config: 'V2Config', listener: IRListener) -> None: if 'server_name' in config.ir.ambassador_module: base_http_config["server_name"] = config.ir.ambassador_module.server_name + if 'enable_http10' in config.ir.ambassador_module: + base_http_config["http_protocol_options"] = { 'accept_http_10': config.ir.ambassador_module.enable_http10 } + if config.ir.tracing: base_http_config["generate_request_id"] = True diff --git a/ambassador/ambassador/ir/ir.py b/ambassador/ambassador/ir/ir.py index 77105201fd..bf43b12c70 100644 --- a/ambassador/ambassador/ir/ir.py +++ b/ambassador/ambassador/ir/ir.py @@ -160,7 +160,7 @@ def __init__(self, aconf: Config, secret_handler=None, file_checker=None) -> Non # After the Ambassador and TLS modules are done, we need to set up the # filter chains, which requires checking in on the auth, and - # ratelimit configuration. Note that order of the filters matter. + # ratelimit configuration. Note that order of the filters matter. self.save_filter(IRAuth(self, aconf)) # ...note that ratelimit is a filter too... @@ -519,7 +519,7 @@ def features(self) -> Dict[str, Any]: for key in [ 'diagnostics', 'liveness_probe', 'readiness_probe', 'statsd' ]: od[key] = self.ambassador_module.get(key, {}).get('enabled', False) - for key in [ 'use_proxy_proto', 'use_remote_address', 'x_forwarded_proto_redirect' ]: + for key in [ 'use_proxy_proto', 'use_remote_address', 'x_forwarded_proto_redirect', 'enable_http10' ]: od[key] = self.ambassador_module.get(key, False) od['xff_num_trusted_hops'] = self.ambassador_module.get('xff_num_trusted_hops', 0) diff --git a/ambassador/ambassador/ir/irambassador.py b/ambassador/ambassador/ir/irambassador.py index 3cb60223e0..ba5b901b03 100644 --- a/ambassador/ambassador/ir/irambassador.py +++ b/ambassador/ambassador/ir/irambassador.py 
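Review bot: In the `@@ -511,6 +511,9 @@` hunk of v2listener.py, the value of `enable_http10` is copied from the Ambassador module into `http_protocol_options` without being checked or coerced, and the block is emitted whenever the key is present. Because irambassador.py now defaults `enable_http10=False`, the key presumably always exists, so every listener would carry `accept_http_10` and any non-boolean value a user writes would reach the Envoy config as-is. Consider emitting the option only when it is truthy: `if config.ir.ambassador_module.get('enable_http10', False):` followed by `base_http_config["http_protocol_options"] = {'accept_http_10': True}`. Accepting HTTP/1.0 also admits requests with no Host header on the edge listener, so a comment should say how those are expected to route (Envoy's `default_host_for_http_10` is not set here) and that the option widens the protocol surface. `__init__` continues outside the hunk, so whether anything else writes `http_protocol_options` cannot be seen from here.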
@@ -37,7 +37,8 @@ class IRAmbassador (IRResource): 'use_proxy_proto', 'use_remote_address', 'x_forwarded_proto_redirect', - 'xff_num_trusted_hops' + 'xff_num_trusted_hops', + 'enable_http10' ] service_port: int @@ -85,6 +86,7 @@ def __init__(self, ir: 'IR', aconf: Config, circuit_breakers=None, xff_num_trusted_hops=0, server_name="envoy", + enable_http10=False **kwargs ) @@ -210,7 +212,7 @@ def setup(self, ir: 'IR', aconf: Config) -> bool: config=dict()) self.grpc_http11_bridge.sourced_by(amod) ir.save_filter(self.grpc_http11_bridge) - + if amod and ('enable_grpc_web' in amod): self.grpc_web = IRFilter(ir=ir, aconf=aconf, kind='ir.grpc_web', name='grpc_web', config=dict()) self.grpc_web.sourced_by(amod) From 35a42b962747e73600727c660ac01bd9799de0be Mon Sep 17 00:00:00 2001 From: Matthew Ceroni Date: Tue, 30 Apr 2019 15:47:59 -0700 Subject: [PATCH 2/4] Set default --- ambassador/ambassador/ir/irambassador.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ambassador/ambassador/ir/irambassador.py b/ambassador/ambassador/ir/irambassador.py index ba5b901b03..962eaadde8 100644 --- a/ambassador/ambassador/ir/irambassador.py +++ b/ambassador/ambassador/ir/irambassador.py @@ -80,13 +80,13 @@ def __init__(self, ir: 'IR', aconf: Config, readiness_probe={"enabled": True}, diagnostics={"enabled": True}, use_proxy_proto=False, + enable_http10=False, use_remote_address=use_remote_address, x_forwarded_proto_redirect=False, load_balancer=None, circuit_breakers=None, xff_num_trusted_hops=0, server_name="envoy", - enable_http10=False **kwargs ) From f910e21f5ada6e45f5109a0264ae92c4de5a3a97 Mon Sep 17 00:00:00 2001 From: Matthew Ceroni Date: Wed, 1 May 2019 10:09:35 -0700 Subject: [PATCH 3/4] Update documentation --- docs/reference/core/ambassador.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/docs/reference/core/ambassador.md b/docs/reference/core/ambassador.md index 4c0432c587..fc3634b039 100644 
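Review bot: In the `@@ -85,6 +86,7 @@` hunk of irambassador.py, the added `enable_http10=False` has no trailing comma before `**kwargs`, so inside the parentheses Python reads it as `enable_http10=False ** kwargs`. That still parses, but it would raise a TypeError when the call runs, and `kwargs` would no longer be forwarded. Patch 2/4 on this page moves the argument and drops this line, so the series ends up correct. Folding that fix into this commit (`enable_http10=False,`) would keep patch 1/4 working on its own for bisecting. The opening line of the call is outside the hunk.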
--- a/docs/reference/core/ambassador.md +++ b/docs/reference/core/ambassador.md @@ -36,6 +36,9 @@ config: # Should we enable the grpc-Web protocol? # enable_grpc_web: false +# Should we enable http/1.0 protocol? +# enable_http10: false + # Should we do IPv4 DNS lookups when contacting services? Defaults to true, # but can be overridden in a [`Mapping`](/reference/mappings). # enable_ipv4: true @@ -75,11 +78,11 @@ config: # use_proxy_proto: false # use_remote_address controls whether Envoy will trust the remote -# address of incoming connections or rely exclusively on the -# X-Forwarded_For header. +# address of incoming connections or rely exclusively on the +# X-Forwarded_For header. # use_remote_address: true -# xff_num_trusted_hops controls the how Envoy sets the trusted +# xff_num_trusted_hops controls the how Envoy sets the trusted # client IP address of a request. If you have a proxy in front # of Ambassador, Envoy will set the trusted client IP to the # address of that proxy. To preserve the orginal client IP address, @@ -90,7 +93,7 @@ config: # Ambassador lets through only the HTTP requests with # `X-FORWARDED-PROTO: https` header set, and redirects all the other -# requests to HTTPS if this field is set to true. Note that `use_remote_address` +# requests to HTTPS if this field is set to true. Note that `use_remote_address` # must be set to false for this feature to work as expected. # x_forwarded_proto_redirect: false @@ -111,7 +114,7 @@ config: # ... -# Set default CORS configuration for all mappings in the cluster. See +# Set default CORS configuration for all mappings in the cluster. See # CORS syntax at https://www.getambassador.io/reference/cors.html # cors: # origins: http://foo.example,http://bar.example 
@@ -169,6 +172,10 @@ Ambassador supports bridging HTTP/1.1 clients to backend gRPC servers. When an H gRPC-Web is a protocol built on gRPC that extends the benefits of gRPC to the browser. The gRPC-Web specification requires a server-side proxy to translate between gRPC-Web requests and gRPC backend services. Ambassador can serve as the service-side proxy for gRPC-Web when `enable_grpc_web: true` is set. +### HTTP/1.0 support (`enable_http10`) + +Enabled/disable handling of incoming HTTP/1.0 and HTTP 0.9 requests. + ### `enable_ivp4` and `enable_ipv6` If both IPv4 and IPv6 are enabled, Ambassador will prefer IPv6. This can have strange effects if Ambassador receives @@ -204,7 +211,7 @@ Many load balancers can use the [PROXY protocol](https://www.haproxy.org/downloa ### `xff_num_trusted_hops` -The value of `xff_num_trusted_hops` indicates the number of trusted proxies in front of Ambassador. The default setting is 0 which tells Envoy to use the immediate downstream connection's IP address as the trusted client address. The trusted client address is used to populate the `remote_address` field used for rate limiting and can affect which IP address Envoy will set as `X-Envoy-External-Address`. +The value of `xff_num_trusted_hops` indicates the number of trusted proxies in front of Ambassador. The default setting is 0 which tells Envoy to use the immediate downstream connection's IP address as the trusted client address. The trusted client address is used to populate the `remote_address` field used for rate limiting and can affect which IP address Envoy will set as `X-Envoy-External-Address`. `xff_num_trusted_hops` behavior is determined by the value of `use_remote_address` (which defaults to `true` in Ambassador). From 0967b2bcdb595a907db7e2242891d6d13bdbd585 Mon Sep 17 00:00:00 2001 
From: Matthew Ceroni Date: Wed, 1 May 2019 10:10:42 -0700 Subject: [PATCH 4/4] Update documentation --- docs/reference/core/ambassador.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/core/ambassador.md b/docs/reference/core/ambassador.md index fc3634b039..6728f79116 100644 --- a/docs/reference/core/ambassador.md +++ b/docs/reference/core/ambassador.md @@ -174,7 +174,7 @@ gRPC-Web is a protocol built on gRPC that extends the benefits of gRPC to the br ### HTTP/1.0 support (`enable_http10`) -Enabled/disable handling of incoming HTTP/1.0 and HTTP 0.9 requests. +Enable/disable handling of incoming HTTP/1.0 and HTTP 0.9 requests. ### `enable_ivp4` and `enable_ipv6`