Limit TLS for H2


boga viswanath

May 31, 2024, 11:24:39 AM
to envoy-dev
Hi Envoy community,

I have been working on a deployment which requires an L2 Envoy. The edge proxy is capable of HTTP1.1/H2, but I want Envoy at L2 to restrict connections to H2.

While checking the available configs, this could be done at HCM with:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-codectype

However, this means TLS is complete, and the "alpn_protocols" configuration doesn't have the ability to restrict connections to H2. However, it can restrict to HTTP1.1 if configured with alpn_protocols: ["HTTP1.1"].

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto.html#extensions-transport-sockets-tls-v3-commontlscontext

Can I submit a feature request for this?

Thanks,
Vish.

Greg Greenway

May 31, 2024, 12:22:10 PM
to boga viswanath, envoy-dev
You can specify just ["h2"] for alpn_protocols to restrict it to only h2. The documentation says "In practice this is likely to be set to one of two values", but the field isn't restricted to only those values.
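The two settings discussed in this thread, combined into one listener: alpn_protocols restricted to ["h2"] on the downstream TLS context, and codec_type pinned to HTTP2 on the HTTP connection manager so that a connection which completes the handshake without an agreed ALPN protocol is still not served as HTTP/1.1. This is an added example written for this page, not configuration from the thread or from the Envoy project; the port, certificate paths and cluster name are placeholders.

```yaml
# Added example (not from the thread). Placeholders: port 8443, certificate
# paths under /etc/envoy/certs, and the cluster name backend_cluster.
static_resources:
  listeners:
  - name: h2_only_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            # Only h2 is advertised during ALPN negotiation. Whether a client
            # that offers no overlapping protocol (or no ALPN extension at all)
            # is rejected at the TLS layer is not something this field alone
            # guarantees, which is why the codec is also pinned below.
            alpn_protocols: ["h2"]
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }   # placeholder path
              private_key: { filename: /etc/envoy/certs/server.key }         # placeholder path
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_h2
          # HTTP2 rather than AUTO: the connection manager speaks only HTTP/2
          # on this filter chain, so an HTTP/1.1 request is not accepted even
          # if the TLS handshake completed without an ALPN selection.
          codec_type: HTTP2
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_cluster }   # placeholder cluster name
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_cluster
    type: STATIC
    load_assignment:
      cluster_name: backend_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }   # placeholder upstream
```

The access log's downstream_protocol field (visible in the test output later in this thread) is the quickest way to confirm what a given connection was actually served as after both settings are in place.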

boga viswanath

May 31, 2024, 4:44:53 PM
to Greg Greenway, envoy-dev
The documentation says “HTTP1.1” allows only that and “H2,HTTP1.1” allows both. It doesn’t say “H2” only allows “H2”.
I tested locally, configuring “H2”, and verified that it allows both as well. Is it a bug?

[root@iap /]# date; cat /etc/envoy/envoy.yaml | grep alpn
Fri May 31 19:04:44 UTC 2024
                alpn_protocols: ["h2"]
[root@iap /]# date; tail -n 1 access.log
Fri May 31 19:04:49 UTC 2024
{"upstream_protocol":"HTTP/1.1","method":"GET","host":null,"path":"/","response_code":200,"downstream_protocol":"HTTP/1.1","bytes_received":0,"request_id":"884a89ef-e416-4cda-b3f6-ecc4527c22f3","bytes_sent":13,"start_time":"2024-05-31T19:03:53.624Z","duration":10,"response_code_details":"via_upstream","response_flags":"-","endpoint":"172.19.0.2:4453","authority":"testapp.iap.dev.bloomberg.com:4453"}
[root@iap /]#
