Skip to content
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions api/envoy/config/core/v3/protocol.proto
Original file line number Diff line number Diff line change
Expand Up @@ -416,8 +416,6 @@ message GrpcProtocolOptions {
Http2ProtocolOptions http2_protocol_options = 1;
}

// [#not-implemented-hide:]
Comment thread
phlax marked this conversation as resolved.
//
// A message which allows using HTTP/3.
message Http3ProtocolOptions {
QuicProtocolOptions quic_protocol_options = 1;
Expand Down
2 changes: 0 additions & 2 deletions api/envoy/config/core/v4alpha/protocol.proto

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 3 additions & 2 deletions api/envoy/config/listener/v3/udp_listener_config.proto
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,9 @@ message UdpListenerConfig {

// Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set
// to the default object to enable QUIC without modifying any additional options.
// [#not-implemented-hide:]
// [#comment:Unhide when QUIC alpha is announced with other docs.]
//
// .. note::
// QUIC support is currently alpha and should be used with caution.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

im wondering if this note should be a warning - and also thinking it might be better placed in docs/root/intro/arch_overview/http/http3.rst as its linked to from various places - feels a bit arbitrary to add it to one proto

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I lean towards the API because I think folks will actually read it here, where I'm less confident of folks reading the docs. Happy to make it a warning through.

@phlax phlax May 6, 2021

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

im wondering if this should make use of the experimental annotation that has just been added

agreed that there needs to be a warning here - but i would put the fuller explanation in the ref docs and point to that - as is done in most of the the api protos - mho

QuicProtocolOptions quic_options = 7;
}

Expand Down
5 changes: 3 additions & 2 deletions api/envoy/config/listener/v4alpha/udp_listener_config.proto

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#next-free-field: 6]
message HttpProtocolOptions {
// If this is used, the cluster will only operate on one of the possible upstream protocols.
// Note that HTTP/2 should generally be used for upstream clusters doing gRPC.
// Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC.
Comment thread
phlax marked this conversation as resolved.
Outdated
message ExplicitHttpConfig {
oneof protocol_config {
option (validate.required) = true;
Expand All @@ -68,7 +68,8 @@ message HttpProtocolOptions {

config.core.v3.Http2ProtocolOptions http2_protocol_options = 2;

// [#not-implemented-hide:]
// .. note::
// QUIC support is currently alpha and should be used with caution.
config.core.v3.Http3ProtocolOptions http3_protocol_options = 3;
}
}
Expand All @@ -80,7 +81,8 @@ message HttpProtocolOptions {

config.core.v3.Http2ProtocolOptions http2_protocol_options = 2;

// [#not-implemented-hide:]
// .. note::
// QUIC support is currently alpha and should be used with caution.
config.core.v3.Http3ProtocolOptions http3_protocol_options = 3;
}

Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion docs/root/configuration/best_practices/edge.rst
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ HTTP proxies should additionally configure:
to true (to avoid consuming HTTP headers from external clients, see :ref:`HTTP header sanitizing <config_http_conn_man_header_sanitizing>`
for details),
* :ref:`connection and stream timeouts <faq_configuration_timeouts>`,
* :ref:`HTTP/2 maximum concurrent streams limit <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.max_concurrent_streams>` to 100,
* :ref:`HTTP/2 maximum concurrent streams limit <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.max_concurrent_streams>` and :ref:`HTTP/3 maximum concurrent streams limit <envoy_v3_api_field_config.core.v3.QuicProtocolOptions.max_concurrent_streams>` to 100
* :ref:`HTTP/2 initial stream window size limit <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.initial_stream_window_size>` to 64 KiB,
* :ref:`HTTP/2 initial connection window size limit <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.initial_connection_window_size>` to 1 MiB.
* :ref:`headers_with_underscores_action setting <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.headers_with_underscores_action>` to REJECT_REQUEST, to protect upstream services that treat '_' and '-' as interchangeable.
Expand Down
12 changes: 6 additions & 6 deletions docs/root/configuration/best_practices/level_two.rst
Original file line number Diff line number Diff line change
Expand Up @@ -10,20 +10,20 @@ edge use case may need to be adjusted when using Envoy in a multi-level deployme
.. image:: /_static/multilevel_deployment.svg

**In summary, if you run level two Envoy version 1.11.1 or greater which terminates
HTTP/2, we strongly advise you to change the HttpConnectionManager configuration of your level
HTTP/2 or above, we strongly advise you to change the HttpConnectionManager configuration of your level
two Envoy, by setting its downstream**
:ref:`validation of HTTP messaging option <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`
**to true.**

If there is an invalid HTTP/2 request and this option is not set, the Envoy in
If there is an invalid request and this option is not set, the Envoy in
question will reset the entire connection. This behavior was changed as part of
the 1.11.1 security release, to increase the security of Edge Envoys. Unfortunately,
because there are no guarantees that edge proxies will enforce HTTP/1 or HTTP/2
standards compliance as rigorously as Envoy’s HTTP/2 stack does, this can result
because there are no guarantees that edge proxies will enforce HTTP
standards compliance as rigorously as Envoy’s stack does, this can result
in a problem as follows. If one client sends a request that for example passes
level one proxy's validation checks, and it is forwarded over an upstream multiplexed
HTTP/2 connection (potentially shared with other clients) the strict enforcement on
the level two Envoy HTTP/2 will reset all the streams on that connection, causing
connection (potentially shared with other clients) the strict enforcement on
the level two Envoy will reset all the streams on that connection, causing
Comment thread
alyssawilk marked this conversation as resolved.
a service disruption to the clients sharing that L1-L2 connection. If a malicious
user has insight into what traffic will bypass level one checks, they could spray
“bad” traffic across the level one fleet, causing serious disruption to other users’
Expand Down
7 changes: 5 additions & 2 deletions docs/root/configuration/http/http_conn_man/stats.rst
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ statistics:
downstream_cx_http1_total, Counter, Total HTTP/1.1 connections
downstream_cx_upgrades_total, Counter, Total successfully upgraded connections. These are also counted as total http1/http2 connections.
downstream_cx_http2_total, Counter, Total HTTP/2 connections
downstream_cx_http3_total, Counter, Total HTTP/3 connections
downstream_cx_destroy, Counter, Total connections destroyed
downstream_cx_destroy_remote, Counter, Total connections destroyed due to remote close
downstream_cx_destroy_local, Counter, Total connections destroyed due to local close
Expand All @@ -26,6 +27,7 @@ statistics:
downstream_cx_http1_active, Gauge, Total active HTTP/1.1 connections
downstream_cx_upgrades_active, Gauge, Total active upgraded connections. These are also counted as active http1/http2 connections.
downstream_cx_http2_active, Gauge, Total active HTTP/2 connections
downstream_cx_http3_active, Gauge, Total active HTTP/3 connections
downstream_cx_protocol_error, Counter, Total protocol errors
downstream_cx_length_ms, Histogram, Connection length milliseconds
downstream_cx_rx_bytes_total, Counter, Total bytes received
Expand All @@ -41,6 +43,7 @@ statistics:
downstream_rq_total, Counter, Total requests
downstream_rq_http1_total, Counter, Total HTTP/1.1 requests
downstream_rq_http2_total, Counter, Total HTTP/2 requests
downstream_rq_http3_total, Counter, Total HTTP/3 requests
downstream_rq_active, Gauge, Total active requests
downstream_rq_response_before_rq_complete, Counter, Total responses sent before the request was complete
downstream_rq_rx_reset, Counter, Total request resets received
Expand Down Expand Up @@ -149,8 +152,8 @@ On the upstream side all http2 statistics are rooted at *cluster.<name>.http2.*

.. attention::

The HTTP/2 `streams_active` gauge may be greater than the HTTP connection manager
`downstream_rq_active` gauge due to differences in stream accounting between the codec and the
The HTTP `streams_active` gauges may be greater than the HTTP connection manager
`downstream_rq_active` gauge due to differences in stream accounting between the codecs and the
HTTP connection manager.

Tracing statistics
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ AWS Lambda

The AWS Lambda filter is currently under active development.

The HTTP AWS Lambda filter is used to trigger an AWS Lambda function from a standard HTTP/1.x or HTTP/2 request.
The HTTP AWS Lambda filter is used to trigger an AWS Lambda function from a standard HTTP request.
It supports a few options to control whether to pass through the HTTP request payload as is or to wrap it in a JSON
schema.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ response trailers to a compliant gRPC server. It works by doing the following:
work with unary gRPC APIs.

This filter also collects stats for all gRPC requests that transit, even if those requests are
normal gRPC requests over HTTP/2.
normal gRPC requests over HTTP/2 or above.

More info: wire format in `gRPC over HTTP/2 <https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md>`_.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ gRPC HTTP/1.1 reverse bridge
* This filter should be configured with the name *envoy.filters.http.grpc_http1_reverse_bridge*.

This is a filter that enables converting an incoming gRPC request into a HTTP/1.1 request to allow
a server that does not understand HTTP/2 or gRPC semantics to handle the request.
a server that does not understand HTTP/2 or HTTP/3 or gRPC semantics to handle the request.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Totally your call... I wonder if we should be consistent about saying either "HTTP/2 or HTTP/3" vs "HTTP/2 or above". Probably not worth doing?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like in some situations it's awkward to phrase it the other way :-/


The filter works by:

Expand Down
2 changes: 1 addition & 1 deletion docs/root/configuration/http/http_filters/lua_filter.rst
Original file line number Diff line number Diff line change
Expand Up @@ -659,7 +659,7 @@ protocol()
streamInfo:protocol()

Returns the string representation of :repo:`HTTP protocol <include/envoy/http/protocol.h>`
used by the current request. The possible values are: *HTTP/1.0*, *HTTP/1.1*, and *HTTP/2*.
used by the current request. The possible values are: *HTTP/1.0*, *HTTP/1.1*, *HTTP/2* and *HTTP/3*.
Comment thread
phlax marked this conversation as resolved.
Outdated

downstreamLocalAddress()
^^^^^^^^^^^^^^^^^^^^^^^^
Expand Down
2 changes: 1 addition & 1 deletion docs/root/configuration/observability/access_log/stats.rst
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ The gRPC access log has statistics rooted at *access_logs.grpc_access_log.* with
:widths: 1, 1, 2

logs_written, Counter, Total log entries sent to the logger which were not dropped. This does not imply the logs have been flushed to the gRPC endpoint yet.
logs_dropped, Counter, Total log entries dropped due to network or HTTP/2 back up.
logs_dropped, Counter, Total log entries dropped due to network or application level back up.


File access log statistics
Expand Down
2 changes: 1 addition & 1 deletion docs/root/configuration/observability/access_log/usage.rst
Original file line number Diff line number Diff line change
Expand Up @@ -181,7 +181,7 @@ The following command operators are supported:

%PROTOCOL%
HTTP
Protocol. Currently either *HTTP/1.1* or *HTTP/2*.
Protocol. Currently either *HTTP/1.1* *HTTP/2* or *HTTP/3*.

TCP
Not implemented ("-").
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,11 @@ upstream.use_http2
Whether the cluster utilizes the *http2* if configured in `HttpProtocolOptions <envoy_v3_msg_config.upstreams.http.v3.HttpProtocolOptions>`.
Set to 0 to disable HTTP/2 even if the feature is configured. Defaults to enabled.

upstream.use_http3
Whether the cluster utilizes the *http3* if configured in `HttpProtocolOptions <envoy_v3_msg_config.upstreams.http.v3.HttpProtocolOptions>`.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this text is identical to the HTTP/2 text (except 3 instead of 2), but I wonder if we should remove "the" after "utilizes"? "Whether the cluster utilizes http3 if configured..." WDYT?

Set to 0 to disable HTTP/3 even if the feature is configured. Defaults to enabled.


.. _config_cluster_manager_cluster_runtime_zone_routing:

Zone aware load balancing
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ Every cluster has a statistics tree rooted at *cluster.<name>.* with the followi
upstream_cx_active, Gauge, Total active connections
upstream_cx_http1_total, Counter, Total HTTP/1.1 connections
upstream_cx_http2_total, Counter, Total HTTP/2 connections
upstream_cx_http3_total, Counter, Total HTTP/3 connections
upstream_cx_connect_fail, Counter, Total connection failures
upstream_cx_connect_timeout, Counter, Total connection connect timeouts
upstream_cx_idle_timeout, Counter, Total connection idle timeouts
Expand All @@ -51,7 +52,7 @@ Every cluster has a statistics tree rooted at *cluster.<name>.* with the followi
upstream_cx_destroy_with_active_rq, Counter, Total connections destroyed with 1+ active request
upstream_cx_destroy_local_with_active_rq, Counter, Total connections destroyed locally with 1+ active request
upstream_cx_destroy_remote_with_active_rq, Counter, Total connections destroyed remotely with 1+ active request
upstream_cx_close_notify, Counter, Total connections closed via HTTP/1.1 connection close header or HTTP/2 GOAWAY
upstream_cx_close_notify, Counter, Total connections closed via HTTP/1.1 connection close header or HTTP/2 or HTTP/3 GOAWAY
upstream_cx_rx_bytes_total, Counter, Total received connection bytes
upstream_cx_rx_bytes_buffered, Gauge, Received connection bytes currently buffered
upstream_cx_tx_bytes_total, Counter, Total sent connection bytes
Expand All @@ -63,7 +64,7 @@ Every cluster has a statistics tree rooted at *cluster.<name>.* with the followi
upstream_rq_total, Counter, Total requests
upstream_rq_active, Gauge, Total active requests
upstream_rq_pending_total, Counter, Total requests pending a connection pool connection
upstream_rq_pending_overflow, Counter, Total requests that overflowed connection pool or requests (mainly for HTTP/2) circuit breaking and were failed
upstream_rq_pending_overflow, Counter, Total requests that overflowed connection pool or requests (mainly for HTTP/2 and above) circuit breaking and were failed
upstream_rq_pending_failure_eject, Counter, Total requests that were failed due to a connection pool connection failure or remote connection termination
upstream_rq_pending_active, Gauge, Total active requests pending a connection pool connection
upstream_rq_cancelled, Counter, Total requests cancelled before obtaining a connection pool connection
Expand Down
8 changes: 4 additions & 4 deletions docs/root/faq/configuration/flow_control.rst
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,12 @@ and downstream.

The listener limits are also propogated to the HttpConnectionManager, and applied on a per-stream
basis to HTTP/1.1 L7 buffers described below. As such they limit the size of HTTP/1 requests and
response bodies that can be buffered. For HTTP/2, as many streams can be multiplexed over one TCP
response bodies that can be buffered. For HTTP/2 and HTTP/3, as many streams can be multiplexed over one
connection, the L7 and L4 buffer limits can be tuned separately, and the configuration option
:ref:`http2 stream limits <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.initial_connection_window_size>`
is applied to all of the L7 buffers. Note that for both HTTP/1 and
HTTP/2 Envoy can and will proxy arbitrarily large bodies on routes where all L7 filters are
streaming, but many filters such as the transcoder or buffer filters require the full HTTP body to
is applied to all of the L7 buffers. Note that for all version of HTTP Envoy can and will proxy
arbitrarily large bodies on routes where all L7 filters are streaming, but many filters such as the transcoder
or buffer filters require the full HTTP body to
be buffered, so limit the request and response size based on the listener limit.

The cluster limits affect how much raw data will be read per read() call from upstream, as
Expand Down
2 changes: 1 addition & 1 deletion docs/root/faq/configuration/timeouts.rst
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ context request/stream is interchangeable.
is the amount of time that the connection manager will allow a stream to exist with no upstream
or downstream activity. The default stream idle timeout is *5 minutes*. This timeout is strongly
recommended for all requests (not just streaming requests/responses) as it additionally defends
against an HTTP/2 peer that does not open stream window once an entire response has been buffered
against a peer that does not open stream window once an entire response has been buffered
Comment thread
phlax marked this conversation as resolved.
Outdated
to be sent to a downstream client.
* The HTTP protocol :ref:`max_stream_duration <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_stream_duration>`
is defined in a generic message used by the HTTP connection manager. The max stream duration is the
Expand Down
2 changes: 1 addition & 1 deletion docs/root/faq/load_balancing/concurrency_lb.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,5 @@ load balancing policies such as :ref:`round robin <arch_overview_load_balancing_
it may thus appear that load balancing is not working properly when using multiple workers. The
:option:`--concurrency` option can be used to adjust the number of workers if desired.

The siloed execution model is also the reason why multiple HTTP/2 connections may be established to
The siloed execution model is also the reason why multiple HTTP/2 or HTTP/3 connections may be established to

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not a question about this PR, but it does make me wonder.... Presumably EnvoyMobile will be a single silo? (Maybe that was in the presentation. I should go re-read those slides)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, AFIK one worker thread for mobile but you can double check with the Lyft folks.

each upstream; :ref:`connection pools <arch_overview_conn_pool>` are not shared between workers.
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,14 @@ HTTP connection manager :ref:`configuration <config_http_conn_man>`.
HTTP protocols
--------------

Envoy’s HTTP connection manager has native support for HTTP/1.1, WebSockets, and HTTP/2. It does not support
SPDY. Envoy’s HTTP support was designed to first and foremost be an HTTP/2 multiplexing proxy.
Envoy’s HTTP connection manager has native support for HTTP/1.1, WebSockets, HTTP/2 and HTTP/3. It does not support
SPDY. Envoy’s HTTP support was designed to first and foremost be an HTTP/2+ multiplexing proxy.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fine to keep this as "HTTP/2" since when Envoy was designed HTTP/3 was not yet a thing. Your call though.

Internally, HTTP/2 terminology is used to describe system components. For example, an HTTP request
and response take place on a *stream*. A codec API is used to translate from different wire
protocols into a protocol agnostic form for streams, requests, responses, etc. In the case of
HTTP/1.1, the codec translates the serial/pipelining capabilities of the protocol into something
that looks like HTTP/2 to higher layers. This means that the majority of the code does not need to
understand whether a stream originated on an HTTP/1.1 or HTTP/2 connection.
understand whether a stream originated on an HTTP/1.1, HTTP/2, or HTTP/3 connection.

HTTP header sanitizing
----------------------
Expand Down
Loading