envoyproxy · alyssawilk · Aug 25, 2021 · Aug 24, 2021 · Aug 25, 2021 · Aug 25, 2021
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -60,6 +60,7 @@ Bug Fixes
 * access log: fix ``%UPSTREAM_CLUSTER%`` when used in http upstream access logs. Previously, it was always logging as an unset value.
 * aws request signer: fix the AWS Request Signer extension to correctly normalize the path and query string to be signed according to AWS' guidelines, so that the hash on the server side matches. See `AWS SigV4 documentaion <https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html>`_.
 * cluster: delete pools when they're idle to fix unbounded memory use when using PROXY protocol upstream with tcp_proxy. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.conn_pool_delete_when_idle`` runtime guard to false.
+* dynamic forward proxy: fixing a validation bug where san and sni checks were not applied setting :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` via :ref:`typed_extension_protocol_options <envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
 * ext_authz: fix the ext_authz filter to correctly merge multiple same headers using the ',' as separator in the check request to the external authorization service.
 * hcm: remove deprecation for :ref:`xff_num_trusted_hops <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.xff_num_trusted_hops>` and forbid mixing ip detection extensions with old related knobs.
 * http: limit use of deferred resets in the http2 codec to server-side connections. Use of deferred reset for client connections can result in incorrect behavior and performance problems.

@@ -6,6 +6,7 @@
 
 #include "source/common/network/transport_socket_options_impl.h"
 #include "source/extensions/common/dynamic_forward_proxy/dns_cache_manager_impl.h"
+#include "source/extensions/filters/network/common/utility.h"
 
 namespace Envoy {
 namespace Extensions {
@@ -179,22 +180,29 @@ ClusterFactory::createClusterWithConfig(
       context.singletonManager(), context.dispatcher(), context.tls(), context.api(),
       context.runtime(), context.stats(), context.messageValidationVisitor());
   envoy::config::cluster::v3::Cluster cluster_config = cluster;
-  if (cluster_config.has_upstream_http_protocol_options()) {
-    if (!proto_config.allow_insecure_cluster_options() &&
-        (!cluster_config.upstream_http_protocol_options().auto_sni() ||
-         !cluster_config.upstream_http_protocol_options().auto_san_validation())) {
-      throw EnvoyException(
-          "dynamic_forward_proxy cluster must have auto_sni and auto_san_validation true when "
-          "configured with upstream_http_protocol_options");
-    }
-  } else {
+  if (!cluster_config.has_upstream_http_protocol_options()) {
+    // This sets defaults which will only apply if using old style http config.
+    // They will be a no-op if typed_extension_protocol_options are used for
+    // http config.
     cluster_config.mutable_upstream_http_protocol_options()->set_auto_sni(true);
     cluster_config.mutable_upstream_http_protocol_options()->set_auto_san_validation(true);
   }
 
   auto new_cluster = std::make_shared<Cluster>(
       cluster_config, proto_config, context.runtime(), cache_manager_factory, context.localInfo(),
       socket_factory_context, std::move(stats_scope), context.addedViaApi());
+
+  auto& options = new_cluster->info()->upstreamHttpProtocolOptions();
+
+  if (!proto_config.allow_insecure_cluster_options()) {
+    if (!options.has_value() ||
+        (!options.value().auto_sni() || !options.value().auto_san_validation())) {
+      throw EnvoyException(
+          "dynamic_forward_proxy cluster must have auto_sni and auto_san_validation true unless "
+          "allow_insecure_cluster_options is set.");
+    }
+  }
+
   auto lb = std::make_unique<Cluster::ThreadAwareLoadBalancer>(*new_cluster);
   return std::make_pair(new_cluster, std::move(lb));
 }

@@ -249,8 +249,8 @@ upstream_http_protocol_options: {}
 
   EXPECT_THROW_WITH_MESSAGE(
       createCluster(yaml_config), EnvoyException,
-      "dynamic_forward_proxy cluster must have auto_sni and auto_san_validation true when "
-      "configured with upstream_http_protocol_options");
+      "dynamic_forward_proxy cluster must have auto_sni and auto_san_validation true unless "
+      "allow_insecure_cluster_options is set.");
 }
 
 TEST_F(ClusterFactoryTest, InsecureUpstreamHttpProtocolOptions) {

@@ -62,6 +62,12 @@ name: dynamic_forward_proxy
     cluster_.set_name("cluster_0");
     cluster_.set_lb_policy(envoy::config::cluster::v3::Cluster::CLUSTER_PROVIDED);
 
+    ConfigHelper::HttpProtocolOptions protocol_options;
+    protocol_options.mutable_upstream_http_protocol_options()->set_auto_sni(true);
+    protocol_options.mutable_upstream_http_protocol_options()->set_auto_san_validation(true);
+    protocol_options.mutable_explicit_http_config()->mutable_http_protocol_options();
+    ConfigHelper::setProtocolOptions(cluster_, protocol_options);
+
     if (upstream_tls_) {
       envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
       auto* validation_context =