envoyproxy · alyssawilk · Apr 28, 2020 · Apr 1, 2020 · Apr 2, 2020 · Apr 2, 2020
diff --git a/api/envoy/config/route/v3/route_components.proto b/api/envoy/config/route/v3/route_components.proto
@@ -370,7 +370,7 @@ message WeightedCluster {
   string runtime_key_prefix = 2;
 }
 
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message RouteMatch {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch";
 
@@ -392,6 +392,11 @@ message RouteMatch {
     google.protobuf.BoolValue validated = 2;
   }
 
+  // [#not-implemented-hide:]
+  // An extensible message for matching CONNECT requests.
+  message ConnectMatcher {
+  }
+
   reserved 5, 3;
 
   reserved "regex";
@@ -420,6 +425,16 @@ message RouteMatch {
     // on :path, etc. The issue with that is it is unclear how to generically deal with query string
     // stripping. This needs more thought.]
     type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}];
+
+    // [#not-implemented-hide:]
+    // If this is used as the matcher, the matcher will only match CONNECT requests.
+    // Note that this will not match HTTP/2 upgrade-style CONNECT requests
+    // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style
+    // upgrades.
+    // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2,
+    // where CONNECT requests may have a path, the path matchers will work if
+    // there is a path present.
+    ConnectMatcher connect_matcher = 12;
   }
 
   // Indicates that prefix/path matching should be case insensitive. The default
@@ -705,6 +720,13 @@ message RouteAction {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.route.RouteAction.UpgradeConfig";
 
+    // [#not-implemented-hide:]
+    // Configuration for sending data upstream as a raw data payload. This is used for
+    // CONNECT requests, when forwarding CONNECT payload as raw TCP.
+    message ConnectConfig {
+      // TODO(alyssawilk) add proxy proto configuration here.
+    }
+
     // The case-insensitive name of this upgrade, e.g. "websocket".
     // For each upgrade type present in upgrade_configs, requests with
     // Upgrade: [upgrade_type] will be proxied upstream.
@@ -713,6 +735,11 @@ message RouteAction {
 
     // Determines if upgrades are available on this route. Defaults to true.
     google.protobuf.BoolValue enabled = 2;
+
+    // [#not-implemented-hide:]
+    // Configuration for sending data upstream as a raw data payload. This is used for
+    // CONNECT requests, when forwarding CONNECT payload as raw TCP.
+    ConnectConfig connect_config = 3;
   }
 
   reserved 12, 18, 19, 16, 22, 21, 10;

diff --git a/api/envoy/config/route/v4alpha/route_components.proto b/api/envoy/config/route/v4alpha/route_components.proto
@@ -371,7 +371,7 @@ message WeightedCluster {
   string runtime_key_prefix = 2;
 }
 
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message RouteMatch {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RouteMatch";
 
@@ -393,6 +393,13 @@ message RouteMatch {
     google.protobuf.BoolValue validated = 2;
   }
 
+  // [#not-implemented-hide:]
+  // An extensible message for matching CONNECT requests.
+  message ConnectMatcher {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.config.route.v3.RouteMatch.ConnectMatcher";
+  }
+
   reserved 5, 3;
 
   reserved "regex";
@@ -421,6 +428,16 @@ message RouteMatch {
     // on :path, etc. The issue with that is it is unclear how to generically deal with query string
     // stripping. This needs more thought.]
     type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}];
+
+    // [#not-implemented-hide:]
+    // If this is used as the matcher, the matcher will only match CONNECT requests.
+    // Note that this will not match HTTP/2 upgrade-style CONNECT requests
+    // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style
+    // upgrades.
+    // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2,
+    // where CONNECT requests may have a path, the path matchers will work if
+    // there is a path present.
+    ConnectMatcher connect_matcher = 12;
   }
 
   // Indicates that prefix/path matching should be case insensitive. The default
@@ -706,6 +723,16 @@ message RouteAction {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.config.route.v3.RouteAction.UpgradeConfig";
 
+    // [#not-implemented-hide:]
+    // Configuration for sending data upstream as a raw data payload. This is used for
+    // CONNECT requests, when forwarding CONNECT payload as raw TCP.
+    message ConnectConfig {
+      // TODO(alyssawilk) add proxy proto configuration here.
+
+      option (udpa.annotations.versioning).previous_message_type =
+          "envoy.config.route.v3.RouteAction.UpgradeConfig.ConnectConfig";
+    }
+
     // The case-insensitive name of this upgrade, e.g. "websocket".
     // For each upgrade type present in upgrade_configs, requests with
     // Upgrade: [upgrade_type] will be proxied upstream.
@@ -714,6 +741,11 @@ message RouteAction {
 
     // Determines if upgrades are available on this route. Defaults to true.
     google.protobuf.BoolValue enabled = 2;
+
+    // [#not-implemented-hide:]
+    // Configuration for sending data upstream as a raw data payload. This is used for
+    // CONNECT requests, when forwarding CONNECT payload as raw TCP.
+    ConnectConfig connect_config = 3;
 oneof action { 
   option (validate.required) = true; 
   // Route request to some upstream cluster. 
   RouteAction route = 2; 
   // Return a redirect. 
   RedirectAction redirect = 3; 
   // Return an arbitrary HTTP response directly, without proxying. 
   DirectResponseAction direct_response = 7; 
   // [#not-implemented-hide:] 
   // If true, a filter will define the action (e.g., it could dynamically generate the 
   // RouteAction). 
   FilterAction filter_action = 17; 
 oneof action { 
   option (validate.required) = true; 
  
   // Route request to some upstream cluster. 
   RouteAction route = 2; 
  
   // Return a redirect. 
   RedirectAction redirect = 3; 
  
   // Return an arbitrary HTTP response directly, without proxying. 
   DirectResponseAction direct_response = 7; 
  
   // [#not-implemented-hide:] 
   // If true, a filter will define the action (e.g., it could dynamically generate the 
   // RouteAction). 
   FilterAction filter_action = 17; 
   }
 
   reserved 12, 18, 19, 16, 22, 21, 10;

diff --git a/docs/root/intro/arch_overview/http/http.rst b/docs/root/intro/arch_overview/http/http.rst
@@ -7,5 +7,5 @@ HTTP
   http_connection_management
   http_filters
   http_routing
-  websocket
+  upgrades
   http_proxy
diff --git a/...ot/intro/arch_overview/http/websocket.rst → ...oot/intro/arch_overview/http/upgrades.rst b/...ot/intro/arch_overview/http/websocket.rst → ...oot/intro/arch_overview/http/upgrades.rst
@@ -1,19 +1,19 @@
 .. _arch_overview_websocket:
 
-WebSocket and HTTP upgrades
+HTTP upgrades
 ===========================
 
-Envoy Upgrade support is intended mainly for WebSocket but may be used for non-WebSocket
-upgrades as well. Upgrades pass both the HTTP headers and the upgrade payload
+Envoy Upgrade support is intended mainly for WebSocket and CONNECT support, but may be used for
+arbitrary upgrades as well. Upgrades pass both the HTTP headers and the upgrade payload
 through an HTTP filter chain. One may configure the
 :ref:`upgrade_configs <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.upgrade_configs>`
 with or without custom filter chains. If only the
 :ref:`upgrade_type <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.UpgradeConfig.upgrade_type>`
-is specified, both the upgrade headers, any request and response body, and WebSocket payload will
+is specified, both the upgrade headers, any request and response body, and HTTP data payload will
 pass through the default HTTP filter chain. To avoid the use of HTTP-only filters for upgrade payload,
 one can set up custom
 :ref:`filters <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.UpgradeConfig.filters>`
-for the given upgrade type, up to and including only using the router filter to send the WebSocket
+for the given upgrade type, up to and including only using the router filter to send the HTTP
 data upstream.
 
 Upgrades can be enabled or disabled on a :ref:`per-route <envoy_api_field_route.RouteAction.upgrade_configs>` basis.
@@ -32,12 +32,12 @@ laid out below, but custom filter chains can only be configured on a per-HttpCon
 | F                     | F                       | F                 |
 +-----------------------+-------------------------+-------------------+
 
-Note that the statistics for upgrades are all bundled together so WebSocket
+Note that the statistics for upgrades are all bundled together so WebSocket and other upgrades
 :ref:`statistics <config_http_conn_man_stats>` are tracked by stats such as
 downstream_cx_upgrades_total and downstream_cx_upgrades_active
 
-Handling HTTP/2 hops
-^^^^^^^^^^^^^^^^^^^^
+Websocket over HTTP/2 hops
+^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 While HTTP/2 support for WebSockets is off by default, Envoy does support tunneling WebSockets over
 HTTP/2 streams for deployments that prefer a uniform HTTP/2 mesh throughout; this enables, for example,
@@ -61,3 +61,30 @@ a GET method on the final Envoy-Upstream hop.
 
 Note that the HTTP/2 upgrade path has very strict HTTP/1.1 compliance, so will not proxy WebSocket
 upgrade requests or responses with bodies.
+
+.. TODO(alyssawilk) unhide this when unhiding config
+.. CONNECT support
+.. ^^^^^^^^^^^^^^^
+
+.. Envoy CONNECT support is off by default (Envoy will send an internall generated 403 in response to
+.. CONNECT requests). CONNECT support can be enabled via the upgrade options described above, setting
+.. the upgrade value to the special keyword "CONNECT".
+
+.. While for HTTP/2, CONNECT request may have a path, in general and for HTTP/1.1 CONNECT requests do
+.. not have a path, and can only be matched using a
+.. :ref:`connect_matcher <envoy_api_field_route.RouteMatch.connect_matcher>`
+..
+.. Envoy can handle CONNECT in one of two ways, either proxying the CONNECT headers through as if they
+.. were any other request, and letting the upstream handle the CONNECT request, or by terminating the
+.. CONNECT request, and forwarding the payload as raw TCP data. When CONNECT upgrade configuration is
+.. set up, the default behavior is to proxy the CONNECT request. If termination is desired, this can
+.. be accomplished by setting
+.. :ref:`connect_config <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.UpgradeConfig.connect_config>`
+.. If it that message is present for CONNECT requests, the router filter will strip the request headers,
+.. and forward the HTTP payload upstream. On receipt of initial TCP data from upstream, the router
+.. will synthesize 200 response headers, and then forward the TCP data as the HTTP response body.
+
+.. .. warning::
+.. This mode of CONNECT support can create major security holes if configured correctly, as the upstream
+.. will be forwarded *unsanitized* headers if they are in the body payload. Please use with caution
+
diff --git a/generated_api_shadow/envoy/config/route/v3/route_components.proto b/generated_api_shadow/envoy/config/route/v3/route_components.proto
diff --git a/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto b/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto