envoyproxy/envoy

tcp_proxy: Propagate non-2xx response status on CONNECT to client when using internal listeners

Open

#43977 opened on Mar 16, 2026

3 comments, 0 reactions, 1 assignee. Repository: C++, 27,997 stars, 5,373 forks.
Labels: area/internal_listener, area/tcp_proxy, area/tunneling, enhancement, help wanted

Description


This is the setup:

Client -> Egress HCM -> Entry cluster -> Internal Encap listener -> tcp_proxy(TunnelingConfig, HTTP2 CONNECT) -> Upstream

When the upstream returns 403 on the CONNECT stream, tcp_proxy treats this as a failure to establish the tunnel and resets the downstream connection. The Entry cluster sees cx_connect_fail and we return a 503 to the client.

If we try UPSTREAM_FILTER_STATE(envoy.tcp_proxy.propagate_response_headers) in the egress HCM access log, we find that the filter state is not propagated, but propagate_response_headers: true on the encap listener's tcp_proxy does show the 403, which helps with access log visibility at the egress proxy.

It would be really helpful to propagate the 403 back to the egress HCM's client response.
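The following is an added example, not configuration from the issue or from the Envoy project: a minimal bootstrap that reproduces the topology above (egress HCM, entry cluster pointing at an internal listener, tcp_proxy with HTTP/2 CONNECT tunneling and propagate_response_headers enabled). It wires the two access-log operators the reporter compared, FILTER_STATE on the encap tcp_proxy and UPSTREAM_FILTER_STATE on the egress HCM, so the difference in visibility can be checked directly. Listener, cluster and stat names, the CONNECT authority, and the upstream address are assumptions for illustration.

```yaml
# Added example reproducing the issue's setup; names and addresses are assumed.
# Path: client -> egress_hcm -> entry_cluster -> encap_listener (tcp_proxy, CONNECT) -> upstream_connect
static_resources:
  listeners:
  - name: egress_hcm
    address:
      socket_address: { address: 127.0.0.1, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: egress
          # Log the code the client receives plus the upstream filter state the reporter queried.
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              log_format:
                text_format_source:
                  inline_string: "egress code=%RESPONSE_CODE% flags=%RESPONSE_FLAGS% upstream_state=%UPSTREAM_FILTER_STATE(envoy.tcp_proxy.propagate_response_headers)%\n"
          route_config:
            name: local_route
            virtual_hosts:
            - name: all
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: entry_cluster }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  # Internal (in-process) listener that encapsulates the stream in an HTTP/2 CONNECT tunnel.
  - name: encap_listener
    internal_listener: {}
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: encap
          cluster: upstream_connect
          tunneling_config:
            hostname: "upstream.example.internal:443"   # assumed CONNECT authority
            # Saves the CONNECT response headers (e.g. the 403) into filter state for logging.
            propagate_response_headers: true
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              log_format:
                text_format_source:
                  inline_string: "encap flags=%RESPONSE_FLAGS% connect_resp=%FILTER_STATE(envoy.tcp_proxy.propagate_response_headers)%\n"
  clusters:
  - name: entry_cluster
    load_assignment:
      cluster_name: entry_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              envoy_internal_address:
                server_listener_name: encap_listener
  - name: upstream_connect
    # HTTP/2 is required so tcp_proxy can open a CONNECT stream to the upstream.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: upstream_connect
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8443 }  # assumed upstream
bootstrap_extensions:
- name: envoy.bootstrap.internal_listener
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener
```

With an upstream that answers the CONNECT with 403, the encap line is where the 403 becomes visible through FILTER_STATE, while the egress line carries the 503 the reporter describes; comparing the two log lines is the quickest way to confirm the behaviour on a given Envoy build before relying on either log for policy-denial visibility.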
