network: TCP proxying over HTTP POST (#14552)

Commit Message: Add support proxying TCP over HTTP/2 or HTTP/1.1 POST to tcp_proxy. It's controlled by tcp_proxy filter configuration. Also add support adding additional headers to the proxy requests to coordinate with the upstream. In addition, add allo_post config to router, which allow triggering the regular TCP decaping from a POST request payload. Additional Description: N/A Risk Level: Low Testing: Unit tests. Integration tests. Docs Changes: Added Release Notes: Added Platform Specific Features: N/A Fixes #14234 cc @alyssawilk @mattklein123 Signed-off-by: Wenlei (Frank) He <wlhe@google.com> Mirrored from https://github.com/envoyproxy/envoy @ effa486d042cd2ac141ee48d8ed54b02b0951c73
4 years ago · 551955ccfe
parent 9ca0cdf044
commit 551955ccfe
4 changed files with 34 additions and 2 deletions
--- a/envoy/config/route/v3/route_components.proto
+++ b/envoy/config/route/v3/route_components.proto
@ -741,10 +741,13 @@ message RouteAction {
        "envoy.api.v2.route.RouteAction.UpgradeConfig";

    // Configuration for sending data upstream as a raw data payload. This is used for
-    // CONNECT requests, when forwarding CONNECT payload as raw TCP.
+    // CONNECT or POST requests, when forwarding request payload as raw TCP.
    message ConnectConfig {
      // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream.
      core.v3.ProxyProtocolConfig proxy_protocol_config = 1;
+
+      // If set, the route will also allow forwarding POST payload as raw TCP.
+      bool allow_post = 2;
    }

    // The case-insensitive name of this upgrade, e.g. "websocket".
--- a/envoy/config/route/v4alpha/route_components.proto
+++ b/envoy/config/route/v4alpha/route_components.proto
@ -734,13 +734,16 @@ message RouteAction {
        "envoy.config.route.v3.RouteAction.UpgradeConfig";

    // Configuration for sending data upstream as a raw data payload. This is used for
-    // CONNECT requests, when forwarding CONNECT payload as raw TCP.
+    // CONNECT or POST requests, when forwarding request payload as raw TCP.
    message ConnectConfig {
      option (udpa.annotations.versioning).previous_message_type =
          "envoy.config.route.v3.RouteAction.UpgradeConfig.ConnectConfig";

      // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream.
      core.v4alpha.ProxyProtocolConfig proxy_protocol_config = 1;
+
+      // If set, the route will also allow forwarding POST payload as raw TCP.
+      bool allow_post = 2;
    }

    // The case-insensitive name of this upgrade, e.g. "websocket".
--- a/envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto
+++ b/envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto
@ -68,6 +68,19 @@ message TcpProxy {

    // The hostname to send in the synthesized CONNECT headers to the upstream proxy.
    string hostname = 1 [(validate.rules).string = {min_len: 1}];
+
+    // Use POST method instead of CONNECT method to tunnel the TCP stream.
+    // The 'protocol: bytestream' header is also NOT set to comply with the HTTP spec.
+    //
+    // The upstream proxy is expected to convert POST payload as raw TCP.
+    bool use_post = 2;
+
+    // Additional request headers to upstream proxy. This is mainly used to
+    // trigger upstream to convert POST requests back to CONNECT requests.
+    //
+    // Neither *:-prefixed* pseudo-headers nor the Host: header can be overridden.
+    repeated config.core.v3.HeaderValueOption headers_to_add = 3
+        [(validate.rules).repeated = {max_items: 1000}];
  }

  reserved 6;
--- a/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto
+++ b/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto
@ -68,6 +68,19 @@ message TcpProxy {

    // The hostname to send in the synthesized CONNECT headers to the upstream proxy.
    string hostname = 1 [(validate.rules).string = {min_len: 1}];
+
+    // Use POST method instead of CONNECT method to tunnel the TCP stream.
+    // The 'protocol: bytestream' header is also NOT set to comply with the HTTP spec.
+    //
+    // The upstream proxy is expected to convert POST payload as raw TCP.
+    bool use_post = 2;
+
+    // Additional request headers to upstream proxy. This is mainly used to
+    // trigger upstream to convert POST requests back to CONNECT requests.
+    //
+    // Neither *:-prefixed* pseudo-headers nor the Host: header can be overridden.
+    repeated config.core.v4alpha.HeaderValueOption headers_to_add = 3
+        [(validate.rules).repeated = {max_items: 1000}];
  }

  reserved 6;