Some HTTP/2 requests fail with comma-separated values in ':authority' pseudo-header

SeanKilleen · November 30, 2023, 1:31pm

Hi all,

I’m at a loss, and I’m hoping someone in the community might be able to help me understand a strange situation I’m troubleshooting.

In short: I’m using Kyma, which uses Istio. I am new-ish to both, though familiar with their concepts. I use a Kyma “API Rule”, which in turn uses Istio VirtualServices.

In most testing up until now, requests have worked fine. I can make HTTP/1.1 requests via Postman, and HTTP/2 requests via Insomnia, from my local machine to the Kyma instance.

However, our SAP environment seems to be unable to make requests. The same URL, auth, body, content-type, compression, etc. and a 404 is being returned instead. I am able to reproduce the behavior using Apidog, a Postman/Insomnia-like tool that has experimental HTTP/2 support, but that tool is new to me (was recommended by a colleague who recreated the issue).

I enabled Istio’s debug logs, and looked at the failing vs successful requests. The failing requests seem to have one thing in common: In the istio “:authority” request header, the hostname is duplicated. If the hostname is xyz.com, successful requests have xyz.com in the authority pseudo-header, and failed requests have xyz.com,xyz.com.

As a result (I think) in the debug logs, I see:

envoy filter source/extensions/filters/http/alpn/alpn_filter.cc:61 cannot find route entry

What I can’t figure out is: how is that happening?

Is the client setting these values wrong? Or is it happening somewhere else?
Is there a way to relax Istio so that it will find the routes when the authority is sent as xyz.com,xyz.com?
Is there some pre-processing happening in either Istio or Envoy where this :authority pseudo-header is being generated / calculated? And if so, is there possibly an issue there where in some cases that value is appended to when it shouldn’t be?

Full technical details with logs etc. here: Some HTTP/2 requests fail with duplicate value in envoy authority request header · Issue #48088 · istio/istio · GitHub – but realizing it is better as a question for this group rather than assuming it’s an Istio bug.

SeanKilleen · November 30, 2023, 6:59pm

Hi all,

Confirmed that this appears to be an issue in the Envoy proxy used by Istio:

github.com/envoyproxy/envoy

Some HTTP/2 requests fail with duplicate value in envoy authority request pseudo-header

opened 09:33PM - 29 Nov 23 UTC

SeanKilleen

bug area/http

*Title*: Some HTTP/2 requests fail with duplicate value in envoy authority requ…est header ### Bug Description Hi all, I am using SAP BTP Kyma with Istio and hitting a truly strange situation that I think may be related to Envoy as well. I am posting here because I think this group will at least help me understand how the `authority` pseudo-header is set in HTTP/2 requests. ## Background We use SAP BTP Kyma, which uses Istio: * Kubernetes v1.26.9 * Istio v1.19.3 Within Kyma, we are using an API Rule to allow traffic. It is a very broad rule currently, allowing put/get/post/delete requests across `.*` Kyma, as I understand, uses Istio VirtualServices to work with a single kyma-gateway. I am newer to troubleshooting both Istio and Kyma, so I don't want anyone to assume that I know something I don't; let me know if I'm missing something conceptually. ## The Problem All HTTP/1.x requests to our app succeed. However, some HTTP/2 requests succeed, and some do not. * I can make HTTP/2 requests via Insomnia (on Windows) or curl (via WSL) and receive a successful response. * In some cases, with some clients -- Apidog on Windows, or an SAP environment that's making an HTTP/1.1 request and wrapping it in HTTP/2 -- those same calls result in a 404 error (I can flip a switch for HTTP/2 support on/off on the client and it will work when not an HTTP/2 request). Same body, same URL, same content-type, etc. etc. After a bunch of troubleshooting and getting deeper into the Istio logs, I noticed a pattern. In the requests that fail, the `authority` header within envoy seems to be duplicated. E.g. if the correct authority is `xyz`, the value being shown in the logs is `xyz,xyz`. Requests that fail seem to consistently have this occur, and I have never seen it occur in a successful request. I am having difficulty understanding whether: * The calling clients are somehow doing something they shouldn't that's not in the spirit of HTTP/2 * The Kyma/istio/envoy integration is causing this to be duplicated * Something within Istio/Envoy is causing it to be duplicated. ## Logs <details> <summary>Istio logs for a failed request</summary> ```log 2023-11-29T19:16:18.155693Z debug envoy filter external/envoy/source/extensions/filters/listener/tls_inspector/tls_inspector.cc:137 tls:onServerName(), requestedServerName: cip.REDACTED.kyma.ondemand.com thread=24 2023-11-29T19:16:18.203382Z debug envoy http2 external/envoy/source/common/http/http2/codec_impl.cc:1605 [Tags: "ConnectionId":"1735723"] updating connection-level initial window size to 268435456 thread=24 2023-11-29T19:16:18.204324Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:378 [Tags: "ConnectionId":"1735723"] new stream thread=24 2023-11-29T19:16:18.204510Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1165 [Tags: "ConnectionId":"1735723","StreamId":"511241007191140157"] request headers complete (end_stream=false): ':method', 'POST' ':scheme', 'https' ':path', '/api/SvcRequest/ProcessServiceRequest' ':authority', 'cip.REDACTED.kyma.ondemand.com,cip.REDACTED.kyma.ondemand.com' 'content-type', 'application/xml; charset=utf-8' 'content-length', '1816' 'accept', 'application/xml' 'authorization', 'Bearer REDACTED' 'user-agent', 'SAP NetWeaver Application Server (1.0;757)' 'accept-encoding', 'gzip, br' thread=24 2023-11-29T19:16:18.204576Z debug envoy connection external/envoy/source/common/network/connection_impl.h:98 [C1735723] current connecting state: false thread=24 2023-11-29T19:16:18.204632Z debug envoy filter source/extensions/filters/http/alpn/alpn_filter.cc:61 cannot find route entry thread=24 2023-11-29T19:16:18.204655Z debug envoy router external/envoy/source/common/router/router.cc:408 [Tags: "ConnectionId":"1735723","StreamId":"511241007191140157"] no route match for URL '/api/SvcRequest/ProcessServiceRequest' thread=24 2023-11-29T19:16:18.204669Z debug envoy http external/envoy/source/common/http/filter_manager.cc:946 [Tags: "ConnectionId":"1735723","StreamId":"511241007191140157"] Preparing local reply with details route_not_found thread=24 2023-11-29T19:16:18.204711Z debug envoy http external/envoy/source/common/http/filter_manager.cc:988 [Tags: "ConnectionId":"1735723","StreamId":"511241007191140157"] Executing sending local reply. thread=24 2023-11-29T19:16:18.204760Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1819 [Tags: "ConnectionId":"1735723","StreamId":"511241007191140157"] encoding headers via codec (end_stream=true): ':status', '404' 'date', 'Wed, 29 Nov 2023 19:16:17 GMT' 'server', 'istio-envoy' thread=24 2023-11-29T19:16:18.204775Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:237 [Tags: "ConnectionId":"1735723","StreamId":"511241007191140157"] doEndStream() resetting stream thread=24 2023-11-29T19:16:18.204783Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1888 [Tags: "ConnectionId":"1735723","StreamId":"511241007191140157"] stream reset: reset reason: local reset, response details: - thread=24 2023-11-29T19:16:18.204851Z debug envoy http2 external/envoy/source/common/http/http2/codec_impl.cc:1225 [Tags: "ConnectionId":"1735723"] sent reset code=0 thread=24 2023-11-29T19:16:18.204881Z debug envoy http2 external/envoy/source/common/http/http2/codec_impl.cc:1350 [Tags: "ConnectionId":"1735723"] stream 1 closed: 0 thread=24 ``` </details> <details> <summary>Istio logs for a successful request</summary> ``` 2023-11-29T18:01:12.409335Z debug envoy filter external/envoy/source/extensions/filters/listener/tls_inspector/tls_inspector.cc:137 tls:onServerName(), requestedServerName: cip.REDACTED.kyma.ondemand.com thread=23 2023-11-29T18:01:12.446095Z debug envoy http2 external/envoy/source/common/http/http2/codec_impl.cc:1605 [Tags: "ConnectionId":"1733026"] updating connection-level initial window size to 268435456 thread=23 2023-11-29T18:01:12.446162Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:378 [Tags: "ConnectionId":"1733026"] new stream thread=23 2023-11-29T18:01:12.446285Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1165 [Tags: "ConnectionId":"1733026","StreamId":"16013734393669961989"] request headers complete (end_stream=false): ':method', 'POST' ':path', '/api/SvcRequest/ProcessServiceRequest' ':scheme', 'https' ':authority', 'cip.REDACTED.kyma.ondemand.com' 'content-type', 'application/xml' 'user-agent', 'SeanInsomnia/8.3.0' 'authorization', 'Bearer REDACTED' 'accept', '*/*' 'content-length', '1816' thread=23 2023-11-29T18:01:12.446330Z debug envoy connection external/envoy/source/common/network/connection_impl.h:98 [C1733026] current connecting state: false thread=23 2023-11-29T18:01:12.446407Z debug envoy filter source/extensions/filters/http/alpn/alpn_filter.cc:92 override with 3 ALPNs thread=23 2023-11-29T18:01:12.446467Z debug envoy router external/envoy/source/common/router/router.cc:478 [Tags: "ConnectionId":"1733026","StreamId":"16013734393669961989"] cluster 'outbound|80||cip.sct-products.svc.cluster.local' match for URL '/api/SvcRequest/ProcessServiceRequest' thread=23 2023-11-29T18:01:12.446569Z debug envoy router external/envoy/source/common/router/router.cc:690 [Tags: "ConnectionId":"1733026","StreamId":"16013734393669961989"] router decoding headers: ':method', 'POST' ':path', '/api/SvcRequest/ProcessServiceRequest' ':scheme', 'https' ':authority', 'cip.REDACTED.kyma.ondemand.com' 'content-type', 'application/xml' 'user-agent', 'SeanInsomnia/8.3.0' 'authorization', 'Bearer REDACTED' 'accept', '*/*' 'content-length', '1816' 'x-forwarded-for', '10.250.0.4' 'x-forwarded-proto', 'https' 'x-envoy-internal', 'true' 'x-request-id', '144dda5d-3b6e-4d6c-8950-fd617f61f188' 'x-envoy-peer-metadata-id', 'router~100.64.0.49~istio-ingressgateway-5b96c5b95f-5vxdj.istio-system~istio-system.svc.cluster.local' 'x-envoy-peer-metadata', 'ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwodCgxJTlNUQU5DRV9JUFMSDRoLMTAwLjY0LjAuNDkKGQoNSVNUSU9fVkVSU0lPThIIGgYxLjE5LjMKzwMKBkxBQkVMUxLEAyrBAwodCgNhcHASFhoUaXN0aW8taW5ncmVzc2dhdGV3YXkKEwoFY2hhcnQSChoIZ2F0ZXdheXMKFAoIaGVyaXRhZ2USCBoGVGlsbGVyCjYKKWluc3RhbGwub3BlcmF0b3IuaXN0aW8uaW8vb3duaW5nLXJlc291cmNlEgkaB3Vua25vd24KGQoFaXN0aW8SEBoOaW5ncmVzc2dhdGV3YXkKGQoMaXN0aW8uaW8vcmV2EgkaB2RlZmF1bHQKMAobb3BlcmF0b3IuaXN0aW8uaW8vY29tcG9uZW50EhEaD0luZ3Jlc3NHYXRld2F5cwoxCiRwb2RzLndhcmRlbi5reW1hLXByb2plY3QuaW8vdmFsaWRhdGUSCRoHc3VjY2VzcwoSCgdyZWxlYXNlEgcaBWlzdGlvCjkKH3NlcnZpY2UuaXN0aW8uaW8vY2Fub25pY2FsLW5hbWUSFhoUaXN0aW8taW5ncmVzc2dhdGV3YXkKLwojc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtcmV2aXNpb24SCBoGbGF0ZXN0CiIKF3NpZGVjYXIuaXN0aW8uaW8vaW5qZWN0EgcaBWZhbHNlChoKB01FU0hfSUQSDxoNY2x1c3Rlci5sb2NhbAovCgROQU1FEicaJWlzdGlvLWluZ3Jlc3NnYXRld2F5LTViOTZjNWI5NWYtNXZ4ZGoKGwoJTkFNRVNQQUNFEg4aDGlzdGlvLXN5c3RlbQpdCgVPV05FUhJUGlJrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvaXN0aW8tc3lzdGVtL2RlcGxveW1lbnRzL2lzdGlvLWluZ3Jlc3NnYXRld2F5CqQFChFQTEFURk9STV9NRVRBREFUQRKOBSqLBQomCgphenVyZV9OYW1lEhgaFnNob290LS1reW1hLS1jLTM1OTY0YzMKOQoyYXp1cmVfa3ViZXJuZXRlcy5pby1jbHVzdGVyLXNob290LS1reW1hLS1jLTM1OTY0YzMSAxoBMQokCh1henVyZV9rdWJlcm5ldGVzLmlvLXJvbGUtbm9kZRIDGgExCiMKGGF6dXJlX2t1YmVybmV0ZXMuaW9fYXJjaBIHGgVhbWQ2NAoaCg5henVyZV9sb2NhdGlvbhIIGgZlYXN0dXMKQgoKYXp1cmVfbmFtZRI0GjJzaG9vdC0ta3ltYS0tYy0zNTk2NGMzLWNwdS13b3JrZXItMC16My01YzRkZC1nZzc0cwpACjZhenVyZV9uZXR3b3JraW5nLmdhcmRlbmVyLmNsb3VkX25vZGUtbG9jYWwtZG5zLWVuYWJsZWQSBhoEdHJ1ZQonCh1henVyZV9ub2RlLmt1YmVybmV0ZXMuaW9fcm9sZRIGGgRub2RlCjQKCmF6dXJlX3ZtSWQSJhokZWZkZWVhN2UtODhhOC00OTA5LTlkYjItYjM5MzE5OWI1OWZmCjcKJWF6dXJlX3dvcmtlci5nYXJkZW4uc2FwY2xvdWQuaW9fZ3JvdXASDhoMY3B1LXdvcmtlci0wCjQKJGF6dXJlX3dvcmtlci5nYXJkZW5lci5jbG91ZF9jcmktbmFtZRIMGgpjb250YWluZXJkCjIKIGF6dXJlX3dvcmtlci5nYXJkZW5lci5jbG91ZF9wb29sEg4aDGNwdS13b3JrZXItMAo3Ci1henVyZV93b3JrZXIuZ2FyZGVuZXIuY2xvdWRfc3lzdGVtLWNvbXBvbmVudHMSBhoEdHJ1ZQonCg1XT1JLTE9BRF9OQU1FEhYaFGlzdGlvLWluZ3Jlc3NnYXRld2F5' 'x-envoy-expected-rq-timeout-ms', '180000' 'x-envoy-attempt-count', '1' 'x-forwarded-host', 'cip.REDACTED.kyma.ondemand.com' thread=23 2023-11-29T18:01:12.447195Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1148 [Tags: "ConnectionId":"1733026","StreamId":"16013734393669961989"] request end stream thread=23 2023-11-29T18:01:12.451942Z debug envoy router external/envoy/source/common/router/upstream_request.cc:562 [Tags: "ConnectionId":"1733026","StreamId":"16013734393669961989"] pool ready thread=23 2023-11-29T18:01:19.821992Z debug envoy router external/envoy/source/common/router/router.cc:1437 [Tags: "ConnectionId":"1733026","StreamId":"16013734393669961989"] upstream headers complete: end_stream=false thread=23 2023-11-29T18:01:19.822329Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1819 [Tags: "ConnectionId":"1733026","StreamId":"16013734393669961989"] encoding headers via codec (end_stream=false): ':status', '200' 'content-type', 'application/xml' 'date', 'Wed, 29 Nov 2023 18:01:18 GMT' 'server', 'istio-envoy' 'x-envoy-upstream-service-time', '7375' thread=23 2023-11-29T18:01:19.823102Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1924 [Tags: "ConnectionId":"1733026","StreamId":"16013734393669961989"] Codec completed encoding stream. thread=23 2023-11-29T18:01:19.823154Z debug envoy http2 external/envoy/source/common/http/http2/codec_impl.cc:1350 [Tags: "ConnectionId":"1733026"] stream 1 closed: 0 thread=23 2023-11-29T18:01:19.823191Z debug envoy http2 external/envoy/source/common/http/http2/codec_impl.cc:1414 [Tags: "ConnectionId":"1733026"] Recouping 0 bytes of flow control window for stream 1. thread=23 ``` </details> As far as I can tell, the difference seems to be that when these failing requests are made, and the `authority` header is formatted in that way, the `alpn_filter` in istio can't find the routes, and therefore there's a 404. I'm not sure if that's because * The header itself is badly formed and shouldn't be in that format * The header is fine but there is some kind of matching on host that is too strict and needs to be relaxed * Something else is going on that I'm missing. ## Troubleshooting So far * Many many successful and failed requests to try to reproduce the pattern * I've enabled more verbose logs (let me know if others would be helpful!) `--level "http:debug,http2:debug,admin:debug,client:debug,connection:debug,envoy_bug:debug,filter:debug,main:debug,multi_connection:debug,quic_stream:debug,router:debug,upstream:debug"` * Installed Kiali to check things out visually, look at some config validation, etc. -- no issues found. ### Version ```Text istioctl: client version: 1.20.0 control plane version: 1.19.3 data plane version: 1.19.3 (20 proxies) kubectl: Client Version: v1.28.2 Server Version: v1.26.9 ``` ----- I am happy to work on collecting additional logs & stats, but first I want to ensure that I'm barking up the right tree.

Any client that sends both the :authority pseudo-header and the Host header will run into this problem with Envoy it seems, as Envoy will concatenate the :authority field which winds up in an authority that Istio then matches on and doesn’t find any routes for.

The only workaround in the interim is to see if we can coax HTTP/2 clients into not sending both headers with their request.

Topic		Replies	Views
Istio authorization trying to Match multiple values using request.headers condition	0	633	August 16, 2020
503 error with requestPrincipals in AuthorizationPlicy (istio 1.5.2) Security	5	1128	May 27, 2020
Istio maturity observations	1	878	April 23, 2020
Missing CORS headers for failed JWT validation Security	1	3263	January 8, 2021
RBAC Fails closed if service related to envoyExtAuthHttp is deleted Security	1	502	October 31, 2021

Some HTTP/2 requests fail with comma-separated values in ':authority' pseudo-header

Related Topics