Istio TLS origination with IIS external service. How to disable HTTP/2?

jesse · December 24, 2020, 4:14pm

I have an external service that I have set up with a ServiceEntry. I would like to shift TLS origination to envoy to get better metrics on the outbound connection.

When I do this, connections always fail with a 503 error. I did a bunch of digging and the issue I am encountering is very similar to the one mentioned at the end of this thread:

The workaround mentioned does not apply, as I already have client certificates set to ignore on IIS. Is there a way to tell Istio to not attempt HTTP2?

“In a few cases, HTTP/2 can’t be used in combination with other features. In these situations, Windows will fall back to HTTP/1.1 and continue the transaction. This may involve negotiating HTTP/1.1 during the handshake, or sending an error code to the client instructing it to retry over an HTTP/1.1 connection.”

jesse · December 24, 2020, 5:02pm

Looks like the same issue here:

And I just encountered it with an Adobe endpoint on the web too, also SOAP.
So, apparently any SOAP / IIS endpoint hates the envoy TLS origination. Any ideas would be great!

jesse · December 24, 2020, 5:09pm

Ah. Found this. https://github.com/istio/istio/pull/29529
So, apparently this is already a known issue. Guess i’ll just stop using TLS origination for now…

ragingpastry · September 16, 2021, 4:36pm

We ran into this issue and ended up disabling HTTP/2 in istio with the following config.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-alpn-h2
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: FILTER_CHAIN
    match:
      listener:
        filterChain:
          sni: "*.mygateway.com"
    patch:
      operation: MERGE
      value:
        transportSocket:
          name: envoy.transport_sockets.tls
          typedConfig:
            '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            commonTlsContext:
              alpnProtocols:
                - "http/1.1"
              tlsCertificateSdsSecretConfigs:
                - name: kubernetes://wildcard-cert
                  sdsConfig:
                    ads: {}
                    resourceApiVersion: V3

Topic		Replies	Views
Istio 1.7 mTLS origination with external IIS service. How to disable HTTP/2?	1	848	February 3, 2022
503 when implementing egress tls origination	4	1602	July 31, 2020
Issue with Egress Gateway with TLS Origination Networking	2	1910	March 23, 2022
Cannot reach external service with TLS (using or not an egress gateway) Config	3	2411	August 20, 2019
Understanding how Service Entry, Virtual Service, Destination Rule works on outbound connections?	1	1791	December 23, 2020

Istio TLS origination with IIS external service. How to disable HTTP/2?

Related topics