Istio 1.7 mTLS origination with external IIS service. How to disable HTTP/2?

Context: mTLS connectivity for outbound request from Istio egress gateway to external IIS.

Problem statement: connections always fail with a 503 Service Unavailable error. Further investigation found that Istio egress sends the request in HTTP/2, but IIS is expecting HTTP/1.1 for an mTLS connection.
“In these situations, Windows IIS falls back to HTTP/1.1 and continues the transaction. This may involve negotiating HTTP/1.1 during the handshake, or sending an error code to the client instructing it to retry over an HTTP/1.1 connection.” (Ref: HTTP/2 on IIS | Microsoft Docs)

I tried to add the following EnvoyFilter config to set HTTP/1.1 for outbound requests. But still, it’s not working. Can you please guide me on this?
Istio version: 1.7

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-alpn-h2
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: cx-egressgateway
  configPatches:
    - applyTo: FILTER_CHAIN
      match:
        listener:
          filterChain:
            sni: "*.mygateway.com"
      patch:
        operation: MERGE
        value:
          transportSocket:
            name: envoy.transport_sockets.tls
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              commonTlsContext:
                alpnProtocols:
                  - "http/1.1"
                tlsCertificateSdsSecretConfigs:
                  - name: kubernetes://wildcard-cert
                    sdsConfig:
                      ads: {}
                      resourceApiVersion: V3

I am having the same issue. mTLS origination with IIS fails. If I curl the service with mTLS, it works but there are two retries as can be seen below. It seems the egressgateway is less tolerant. A way to configure retries, or downgrade to 1.1, or force 1.1 would be needed.

curl https://.../ws --cacert ca.crt --key tls.key --cert tls.crt  -v
Connected to xxxx (xxxx) port 443 (#0)
...
GET /ws HTTP/2
...
Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)
* Downgrades to HTTP/1.1!
* Empty reply from server
...
GET /ws HTTP/2
...
HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)
* Connection died, retrying a fresh connect(retry count: 1)
* Downgrades to HTTP/1.1!
* Closing connection 0
...
GET /ws HTTP/1.1
...
HTTP/1.1 200
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
...
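
Added example, not part of either post: a Python sketch that splits a `curl -v` transcript like the one above into request attempts and counts how many HTTP/2 attempts the server reset with HTTP_1_1_REQUIRED before a request succeeded. The transcript lines are copied from the output above; the function and field names are illustrative.

```python
import re

# Lines copied from the curl -v output in the post above (elided parts omitted).
TRANSCRIPT = """\
GET /ws HTTP/2
Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)
* Downgrades to HTTP/1.1!
* Empty reply from server
GET /ws HTTP/2
HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)
* Connection died, retrying a fresh connect(retry count: 1)
* Downgrades to HTTP/1.1!
* Closing connection 0
GET /ws HTTP/1.1
HTTP/1.1 200
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
"""

# Request line, status line and stream-reset line, with or without curl's "> " / "< " prefixes.
REQUEST = re.compile(r"^(?:> )?(?:GET|POST|PUT|DELETE|HEAD|PATCH|OPTIONS) \S+ HTTP/(\d(?:\.\d)?)\s*$")
STATUS = re.compile(r"^(?:< )?HTTP/(\d(?:\.\d)?) (\d{3})\b")
RESET = re.compile(r"not closed cleanly: (\w+) \(err (\d+)\)")

def analyse(transcript):
    """Return one record per request attempt: protocol sent, status received, reset code."""
    attempts = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := REQUEST.match(line):
            attempts.append({"proto": m.group(1), "status": None, "reset": None})
        elif not attempts:
            continue  # connection setup noise before the first request
        elif m := STATUS.match(line):
            attempts[-1]["status"] = int(m.group(2))
        elif m := RESET.search(line):
            attempts[-1]["reset"] = m.group(1)
    return attempts

def summarise(attempts):
    """Count HTTP/2 attempts reset with HTTP_1_1_REQUIRED and find the protocol that worked."""
    rejected = [a for a in attempts if a["reset"] == "HTTP_1_1_REQUIRED"]
    ok = next((a for a in attempts if a["status"] and a["status"] < 400), None)
    return {"attempts": len(attempts), "h2_rejected": len(rejected),
            "succeeded_over": ok["proto"] if ok else None}

if __name__ == "__main__":
    print(summarise(analyse(TRANSCRIPT)))
```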