503 when implementing egress TLS origination

Hi all.
I was wondering if anyone has insight on an egress TLS origination issue. I'm trying to get visibility in the istio_requests_total metric.
I followed this document to the dot.

It works for medium.com.
But when I apply the EXACT same configuration for another third party, I get a 503 and this error in the access logs:

TLS error: 268435715:SSL routines:OPENSSL_internal:INVALID_ALPN_PROTOCOL 268435605:SSL routines:OPENSSL_internal:ERROR_PARSING_EXTENSION 268435646:SSL routines:OPENSSL_internal:PARSE_TLSEXT

I’m not really sure where else to look for logs. Anyone have any insight?

I spun up my own proxy to try to figure out if there are any differences between a regular https:// call and when Envoy upgrades my http:// to https://.

https:
map[Accept:[*/*] Connection:[close] User-Agent:[curl/7.64.0]]

http->https:
map[Accept:[*/*] Connection:[close] Content-Length:[0] User-Agent:[curl/7.64.0] X-B3-Sampled:[0] X-B3-Spanid:[4d2e33c323758cb8] X-B3-Traceid:[bf0aa12d85ed78fc4d2e33c323758cb8] X-Envoy-Decorator-Operation:[example.website.com:443/*] X-Envoy-Peer-Metadata:[...] X-Envoy-Peer-Metadata-Id:[sidecar~10.0.0.14~busybox.test~test.svc.cluster.local] X-Forwarded-Proto:[http] X-Request-Id:[df4ce998-a8c8-4124-bb83-a9ebccdc4261]]

I'm speculating the sites are rejecting due to the headers and maybe have size limits. Is there any way to remove or turn off passing these headers?

I've proxied the request to another server to make the outbound request. No issues.
Not really sure what I'm doing wrong here. Anyone free to help here?

The error indicates that the server doesn’t recognize any of the offered ALPN (Application Layer Protocol Negotiation) options. This is because Istio’s TLS origination is configured to advertise Istio variants of the actual protocols used. For example, HTTP/1.1 traffic gets advertised as istio-http/1.1,istio rather than http/1.1. Some servers will gladly ignore unknown ALPNs (or don’t support the mechanism altogether), while some will reject connections if they don’t recognize any of the offered protocols (as the spec dictates).

You can confirm this by deploying a custom pilot/istiod where you add http/1.1 to the ALPN chain that I linked to. That said, I’m still trying to find out why these variants are used.
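To see the two server behaviours the reply describes side by side, here is an added example in Go; it is not code from this thread or from Istio. Go's crypto/tls stands in for the third-party server: with NextProtos set, a Go server (1.17 and later) rejects a client whose ALPN list has no overlap by sending a no_application_protocol alert, which is the strict, spec-conformant behaviour; with NextProtos unset it ignores the extension, which is the lenient behaviour. The ALPN strings istio-http/1.1 and istio are the ones the reply names. The throwaway certificate, loopback addresses and function names are the example's own assumptions, and the alert text Envoy logs is not the same string this client prints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// IstioALPN is the ALPN list the reply above says Istio's TLS origination
// advertises for HTTP/1.1 traffic, in place of plain "http/1.1".
var IstioALPN = []string{"istio-http/1.1", "istio"}

// HandshakeResult is what the client side of one probe observed.
type HandshakeResult struct {
	Negotiated string // protocol the server selected; "" if it selected none
	Err        string // handshake error text; "" when the handshake completed
}

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1 so the
// probe runs fully offline (example assumption: it only ever lives in memory).
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alpn-probe"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// probeALPN starts a loopback TLS server advertising serverProtos and dials it
// once offering clientProtos. A non-empty serverProtos makes Go's server strict:
// no overlap means a no_application_protocol alert. A nil serverProtos makes it
// lenient: the ALPN extension is ignored and the handshake completes anyway.
func probeALPN(serverProtos, clientProtos []string) HandshakeResult {
	cert := selfSignedCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   serverProtos,
	})
	if err != nil {
		panic(err)
	}
	defer ln.Close()

	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		// Drive the handshake; a strict server fails here and sends the alert.
		_ = c.(*tls.Conn).Handshake()
		c.Close()
	}()

	// Trust exactly the certificate we just generated, nothing else.
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,
		NextProtos: clientProtos,
	})
	if err != nil {
		return HandshakeResult{Err: err.Error()}
	}
	defer conn.Close()
	return HandshakeResult{Negotiated: conn.ConnectionState().NegotiatedProtocol}
}

func main() {
	cases := []struct {
		name           string
		server, client []string
	}{
		{"strict server, plain http/1.1 client", []string{"http/1.1"}, []string{"http/1.1"}},
		{"strict server, Istio ALPN list", []string{"http/1.1"}, IstioALPN},
		{"lenient server, Istio ALPN list", nil, IstioALPN},
	}
	for _, tc := range cases {
		r := probeALPN(tc.server, tc.client)
		fmt.Printf("%-40s negotiated=%q err=%q\n", tc.name, r.Negotiated, r.Err)
	}
}
```

Running it prints one line per case: the plain http/1.1 client negotiates http/1.1, the Istio list against the strict server fails with "remote error: tls: no application protocol", and the same list against the lenient server completes with no protocol selected. That is the split the reply describes between an endpoint that returns 503 and one like medium.com that works. Against a real endpoint the same comparison can be made with `openssl s_client -connect host:443 -alpn istio-http/1.1,istio` versus `-alpn http/1.1` and looking at whether the handshake completes.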

FWIW, this seems to be about istio/istio#24619.