gateway: Ensure proper outbound metadata (#715)

The gateway has two deficiencies:

* Using the outbound proxy port for the outbound original dst leads to
  the incorrect port being used in the `l5d-dst-canonical` header. Now,
  we instead use the proper port with an unroutable IP address.
* Because the source cluster's outbound proxy strips `Host` headers,
  there's no `Host` present on gatewayed HTTP/1 requests. Now, the
  `Host` header is updated on all gatewayed HTTP/1 requests.

Author: olix0r

linkerd/app/gateway/src/config.rs

@@ -4,7 +4,7 @@ use linkerd2_app_core::{
 };
 use linkerd2_app_inbound::endpoint as inbound;
 use linkerd2_app_outbound::endpoint as outbound;
-use std::net::SocketAddr;
+use tracing::info_span;
 
 #[derive(Clone, Debug, Default)]
 pub struct Config {
@@ -19,7 +19,6 @@ impl Config {
         self,
         outbound: O,
         profiles: P,
-        default_addr: SocketAddr,
         local_id: tls::PeerIdentity,
     ) -> impl svc::NewService<
         inbound::Target,
@@ -45,13 +44,14 @@ impl Config {
         S::Error: Into<Error>,
         S::Future: Send + 'static,
     {
-        svc::stack(MakeGateway::new(outbound, default_addr, local_id))
+        svc::stack(MakeGateway::new(outbound, local_id))
             .check_new_service::<super::make::Target, http::Request<http::boxed::Payload>>()
             .push(profiles::discover::layer(
                 profiles,
                 Allow(self.allow_discovery),
             ))
             .check_new_service::<inbound::Target, http::Request<http::boxed::Payload>>()
+            .instrument(|_: &inbound::Target| info_span!("gateway"))
             .into_inner()
     }
 }

linkerd/app/gateway/src/gateway.rs

@@ -12,8 +12,9 @@ pub(crate) enum Gateway<O> {
     BadDomain(dns::Name),
     Outbound {
         outbound: O,
-        forwarded_header: http::header::HeaderValue,
         local_identity: identity::Name,
+        host_header: http::header::HeaderValue,
+        forwarded_header: http::header::HeaderValue,
     },
 }
 
@@ -24,13 +25,16 @@ impl<O> Gateway<O> {
         source_identity: identity::Name,
         local_identity: identity::Name,
     ) -> Self {
+        let host = dst.as_http_authority().to_string();
         let fwd = format!(
             "by={};for={};host={};proto=https",
-            local_identity, source_identity, dst
+            local_identity, source_identity, host
         );
         Gateway::Outbound {
             outbound,
             local_identity,
+            host_header: http::header::HeaderValue::from_str(&host)
+                .expect("Host header value must be valid"),
             forwarded_header: http::header::HeaderValue::from_str(&fwd)
                 .expect("Forwarded header value must be valid"),
         }
@@ -63,6 +67,7 @@ where
             Self::Outbound {
                 ref mut outbound,
                 ref local_identity,
+                ref host_header,
                 ref forwarded_header,
             } => {
                 // Check forwarded headers to see if this request has already
@@ -86,6 +91,16 @@ where
                     .headers_mut()
                     .append(http::header::FORWARDED, forwarded_header.clone());
 
+                // If we're forwarding HTTP/1 requests, the old `Host` header
+                // was stripped on the peer's outbound proxy. But the request
+                // should have an updated `Host` header now that it's being
+                // routed in the cluster.
+                if let ::http::Version::HTTP_11 | ::http::Version::HTTP_10 = request.version() {
+                    request
+                        .headers_mut()
+                        .insert(http::header::HOST, host_header.clone());
+                }
+
                 tracing::debug!(
                     headers = ?request.headers(),
                     "Passing request to outbound"

linkerd/app/gateway/src/lib.rs

@@ -144,7 +144,6 @@ mod test {
                 Config { allow_discovery }.build(
                     move |_: _| outbound.clone(),
                     profiles,
-                    ([127, 0, 0, 1], 4140).into(),
                     tls::PeerIdentity::Some(identity::Name::from(
                         dns::Name::try_from("gateway.id.test".as_bytes()).unwrap(),
                     )),

linkerd/app/gateway/src/make.rs

@@ -2,22 +2,17 @@ use super::gateway::Gateway;
 use linkerd2_app_core::{profiles, svc, transport::tls, NameAddr};
 use linkerd2_app_inbound::endpoint as inbound;
 use linkerd2_app_outbound::endpoint as outbound;
-use std::net::SocketAddr;
+use tracing::debug;
 
 #[derive(Clone, Debug)]
 pub(crate) struct MakeGateway<O> {
     outbound: O,
-    default_addr: SocketAddr,
     local_id: tls::PeerIdentity,
 }
 
 impl<O> MakeGateway<O> {
-    pub fn new(outbound: O, default_addr: SocketAddr, local_id: tls::PeerIdentity) -> Self {
-        Self {
-            outbound,
-            default_addr,
-            local_id,
-        }
+    pub fn new(outbound: O, local_id: tls::PeerIdentity) -> Self {
+        Self { outbound, local_id }
     }
 }
 
@@ -50,12 +45,16 @@ where
             },
         };
 
-        // Create an outbound target using the resolved IP & name.
-        let svc = self.outbound.new_service(outbound::HttpLogical {
+        // Create an outbound target using the resolved name and an address
+        // including the original port. We don't know the IP of the target, so
+        // we use an unroutable one.
+        let target = outbound::HttpLogical {
             profile,
-            orig_dst: self.default_addr,
             protocol: http_version,
-        });
+            orig_dst: ([0, 0, 0, 0], dst.port()).into(),
+        };
+        debug!(?target, "Creating outbound service");
+        let svc = self.outbound.new_service(target);
 
         Gateway::new(svc, dst, source_id, local_id)
     }

linkerd/app/src/lib.rs

@@ -170,7 +170,6 @@ impl Config {
             let http_gateway = gateway.build(
                 outbound_http,
                 dst.profiles.clone(),
-                outbound_addr,
                 local_identity.as_ref().map(|l| l.name().clone()),
             );