Use the connection's HTTP version in transport header (#1533)

Currently, when the outbound proxy communicates with a meshed endpoint
that uses opaque transport (i.e. multi-cluster gateways), it *always*
sets the gateway header's session protocol to HTTP/2, since the meshed
endpoint supports HTTP/2 protocol upgrading. But the HTTP client may
choose not to use HTTP/2 if the request includes the `Upgrade` header,
as it does for WebSocket connections. In these cases, the transport
header should indicate that the connection is HTTP/1.

This change modifies the HTTP client to pass the used protocol version
when building a connection. This value is then used to set the session
protocol header when it is required..

Signed-off-by: Oliver Gould <[email protected]>

Author: olix0r

linkerd/app/core/src/control.rs

@@ -83,6 +83,7 @@ impl Config {
         svc::stack(ConnectTcp::new(self.connect.keepalive))
             .push(tls::Client::layer(identity))
             .push_connect_timeout(self.connect.timeout)
+            .push_map_target(|(_version, target)| target)
             .push(self::client::layer())
             .push_on_service(svc::MapErr::layer(Into::into))
             .into_new_service()

linkerd/app/inbound/src/http/router.rs

@@ -100,6 +100,7 @@ impl<C> Inbound<C> {
                 .check_service::<Http>()
                 .push(transport::metrics::Client::layer(rt.metrics.proxy.transport.clone()))
                 .check_service::<Http>()
+                .push_map_target(|(_version, target)| target)
                 .push(http::client::layer(
                     config.proxy.connect.h1_settings,
                     config.proxy.connect.h2_settings,

linkerd/app/outbound/Cargo.toml

@@ -38,5 +38,5 @@ linkerd-meshtls = { path = "../../meshtls", features = ["rustls"] }
 linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 parking_lot = "0.12"
-tokio = { version = "1", features = ["time", "macros"] }
+tokio = { version = "1", features = ["macros", "sync", "time"] }
 tokio-test = "0.4"

linkerd/app/outbound/src/endpoint.rs

@@ -218,7 +218,7 @@ impl<S> Outbound<S> {
     {
         let http = self
             .clone()
-            .push_tcp_endpoint::<http::Endpoint>()
+            .push_tcp_endpoint::<http::Connect>()
             .push_http_endpoint()
             .push_http_server()
             .into_inner();

linkerd/app/outbound/src/http.rs

@@ -19,9 +19,7 @@ use linkerd_app_core::{
     profiles::{self, LogicalAddr},
     proxy::{api_resolve::ProtocolHint, tap},
     svc::Param,
-    tls,
-    transport_header::SessionProtocol,
-    Addr, Conditional, CANONICAL_DST_HEADER,
+    tls, Addr, Conditional, CANONICAL_DST_HEADER,
 };
 use std::{net::SocketAddr, str::FromStr};
 
@@ -30,6 +28,8 @@ pub type Logical = crate::logical::Logical<Version>;
 pub type Concrete = crate::logical::Concrete<Version>;
 pub type Endpoint = crate::endpoint::Endpoint<Version>;
 
+pub type Connect = self::endpoint::Connect<Endpoint>;
+
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 struct Route {
     logical: Logical,
@@ -150,18 +150,6 @@ impl Param<client::Settings> for Endpoint {
     }
 }
 
-impl Param<Option<SessionProtocol>> for Endpoint {
-    fn param(&self) -> Option<SessionProtocol> {
-        match self.protocol {
-            Version::H2 => Some(SessionProtocol::Http2),
-            Version::Http1 => match self.metadata.protocol_hint() {
-                ProtocolHint::Http2 => Some(SessionProtocol::Http2),
-                ProtocolHint::Unknown => Some(SessionProtocol::Http1),
-            },
-        }
-    }
-}
-
 impl tap::Inspect for Endpoint {
     fn src_addr<B>(&self, req: &Request<B>) -> Option<SocketAddr> {
         req.extensions().get::<ClientHandle>().map(|c| c.addr)

linkerd/app/outbound/src/http/endpoint.rs

@@ -1,17 +1,26 @@
 use super::{NewRequireIdentity, NewStripProxyError, ProxyConnectionClose};
-use crate::Outbound;
+use crate::{tcp::opaque_transport, Outbound};
 use linkerd_app_core::{
     classify, config, errors, http_tracing, metrics,
     proxy::{http, tap},
     svc::{self, ExtractParam},
-    tls, Error, Result, CANONICAL_DST_HEADER,
+    tls,
+    transport::{self, Remote, ServerAddr},
+    transport_header::SessionProtocol,
+    Error, Result, CANONICAL_DST_HEADER,
 };
 
 #[derive(Copy, Clone, Debug)]
 struct ClientRescue {
     emit_headers: bool,
 }
 
+#[derive(Clone, Debug)]
+pub struct Connect<T> {
+    version: http::Version,
+    inner: T,
+}
+
 impl<C> Outbound<C> {
     pub fn push_http_endpoint<T, B>(self) -> Outbound<svc::ArcNewHttp<T, B>>
     where
@@ -23,7 +32,7 @@ impl<C> Outbound<C> {
             + tap::Inspect,
         B: http::HttpBody<Error = Error> + std::fmt::Debug + Default + Send + 'static,
         B::Data: Send + 'static,
-        C: svc::MakeConnection<T> + Clone + Send + Sync + Unpin + 'static,
+        C: svc::MakeConnection<Connect<T>> + Clone + Send + Sync + Unpin + 'static,
         C::Connection: Send + Unpin,
         C::Metadata: Send + Unpin,
         C::Future: Send + Unpin + 'static,
@@ -39,7 +48,9 @@ impl<C> Outbound<C> {
             // Initiates an HTTP client on the underlying transport. Prior-knowledge HTTP/2
             // is typically used (i.e. when communicating with other proxies); though
             // HTTP/1.x fallback is supported as needed.
-            connect
+            svc::stack(connect.into_inner().into_service())
+                .check_service::<Connect<T>>()
+                .push_map_target(|(version, inner)| Connect { version, inner })
                 .push(http::client::layer(h1_settings, h2_settings))
                 .push_on_service(svc::MapErr::layer(Into::<Error>::into))
                 .check_service::<T>()
@@ -132,17 +143,72 @@ impl errors::HttpRescue<Error> for ClientRescue {
     }
 }
 
+// === impl Connect ===
+
+impl<T> svc::Param<Option<SessionProtocol>> for Connect<T> {
+    #[inline]
+    fn param(&self) -> Option<SessionProtocol> {
+        match self.version {
+            http::Version::Http1 => Some(SessionProtocol::Http1),
+            http::Version::H2 => Some(SessionProtocol::Http2),
+        }
+    }
+}
+
+impl<T: svc::Param<Remote<ServerAddr>>> svc::Param<Remote<ServerAddr>> for Connect<T> {
+    #[inline]
+    fn param(&self) -> Remote<ServerAddr> {
+        self.inner.param()
+    }
+}
+
+impl<T: svc::Param<tls::ConditionalClientTls>> svc::Param<tls::ConditionalClientTls>
+    for Connect<T>
+{
+    #[inline]
+    fn param(&self) -> tls::ConditionalClientTls {
+        self.inner.param()
+    }
+}
+
+impl<T: svc::Param<Option<opaque_transport::PortOverride>>>
+    svc::Param<Option<opaque_transport::PortOverride>> for Connect<T>
+{
+    #[inline]
+    fn param(&self) -> Option<opaque_transport::PortOverride> {
+        self.inner.param()
+    }
+}
+
+impl<T: svc::Param<Option<http::AuthorityOverride>>> svc::Param<Option<http::AuthorityOverride>>
+    for Connect<T>
+{
+    #[inline]
+    fn param(&self) -> Option<http::AuthorityOverride> {
+        self.inner.param()
+    }
+}
+
+impl<T: svc::Param<transport::labels::Key>> svc::Param<transport::labels::Key> for Connect<T> {
+    #[inline]
+    fn param(&self) -> transport::labels::Key {
+        self.inner.param()
+    }
+}
+
 #[cfg(test)]
 mod test {
     use super::*;
-    use crate::{http, test_util::*, transport::addrs::*};
+    use crate::{http, test_util::*};
+    use ::http::header::{CONNECTION, UPGRADE};
     use linkerd_app_core::{
         io,
         proxy::api_resolve::Metadata,
         svc::{NewService, ServiceExt},
         Infallible,
     };
     use std::net::SocketAddr;
+    use support::resolver::ProtocolHint;
 
     static WAS_ORIG_PROTO: &str = "request-orig-proto";
 
@@ -154,7 +220,7 @@ mod test {
         let addr = SocketAddr::new([192, 0, 2, 41].into(), 2041);
 
         let connect = support::connect()
-            .endpoint_fn_boxed(addr, |_: http::Endpoint| serve(::http::Version::HTTP_11));
+            .endpoint_fn_boxed(addr, |_: http::Connect| serve(::http::Version::HTTP_11));
 
         // Build the outbound server
         let (rt, _shutdown) = runtime();
@@ -191,7 +257,7 @@ mod test {
         let addr = SocketAddr::new([192, 0, 2, 41].into(), 2042);
 
         let connect = support::connect()
-            .endpoint_fn_boxed(addr, |_: http::Endpoint| serve(::http::Version::HTTP_2));
+            .endpoint_fn_boxed(addr, |_: http::Connect| serve(::http::Version::HTTP_2));
 
         // Build the outbound server
         let (rt, _shutdown) = runtime();
@@ -230,7 +296,7 @@ mod test {
 
         // Pretend the upstream is a proxy that supports proto upgrades...
         let connect = support::connect()
-            .endpoint_fn_boxed(addr, |_: http::Endpoint| serve(::http::Version::HTTP_2));
+            .endpoint_fn_boxed(addr, |_: http::Connect| serve(::http::Version::HTTP_2));
 
         // Build the outbound server
         let (rt, _shutdown) = runtime();
@@ -245,13 +311,7 @@ mod test {
             logical_addr: None,
             opaque_protocol: false,
             tls: tls::ConditionalClientTls::None(tls::NoClientTls::Disabled),
-            metadata: Metadata::new(
-                None,
-                support::resolver::ProtocolHint::Http2,
-                None,
-                None,
-                None,
-            ),
+            metadata: Metadata::new(None, ProtocolHint::Http2, None, None, None),
         });
 
         let req = http::Request::builder()
@@ -270,6 +330,63 @@ mod test {
         );
     }
 
+    #[tokio::test(flavor = "current_thread")]
+    async fn orig_proto_skipped_on_http_upgrade() {
+        let _trace = linkerd_tracing::test::trace_init();
+
+        let addr = SocketAddr::new([192, 0, 2, 41].into(), 2041);
+
+        // Pretend the upstream is a proxy that supports proto upgrades. The service needs to
+        // support both HTTP/1 and HTTP/2 because an HTTP/2 connection is maintained by default and
+        // HTTP/1 connections are created as-needed.
+        let connect = support::connect().endpoint_fn_boxed(addr, |c: http::Connect| {
+            serve(match svc::Param::param(&c) {
+                Some(SessionProtocol::Http1) => ::http::Version::HTTP_11,
+                Some(SessionProtocol::Http2) => ::http::Version::HTTP_2,
+                None => unreachable!(),
+            })
+        });
+
+        // Build the outbound server
+        let (rt, _shutdown) = runtime();
+        let drain = rt.drain.clone();
+        let stack = Outbound::new(default_config(), rt)
+            .with_stack(connect)
+            .push_http_endpoint::<_, http::BoxBody>()
+            .into_stack()
+            .push_on_service(http::BoxRequest::layer())
+            // We need the server-side upgrade layer to annotate the request so that the client
+            // knows that an HTTP upgrade is in progress.
+            .push_on_service(svc::layer::mk(|svc| {
+                http::upgrade::Service::new(svc, drain.clone())
+            }))
+            .into_inner();
+
+        let svc = stack.new_service(http::Endpoint {
+            addr: Remote(ServerAddr(addr)),
+            protocol: http::Version::Http1,
+            logical_addr: None,
+            opaque_protocol: false,
+            tls: tls::ConditionalClientTls::None(tls::NoClientTls::Disabled),
+            metadata: Metadata::new(None, ProtocolHint::Http2, None, None, None),
+        });
+
+        let req = http::Request::builder()
+            .version(::http::Version::HTTP_11)
+            .uri("http://foo.example.com")
+            .extension(http::ClientHandle::new(([192, 0, 2, 101], 40200).into()).0)
+            // The request has upgrade headers
+            .header(CONNECTION, "upgrade")
+            .header(UPGRADE, "linkerdrocks")
+            .body(hyper::Body::default())
+            .unwrap();
+        let rsp = svc.oneshot(req).await.unwrap();
+        assert_eq!(rsp.status(), http::StatusCode::NO_CONTENT);
+        // The request did NOT get a linkerd upgrade header.
+        assert!(rsp.headers().get(WAS_ORIG_PROTO).is_none());
+        assert_eq!(rsp.version(), ::http::Version::HTTP_11);
+    }
+
     /// Tests that the the HTTP endpoint stack ignores protocol upgrade hinting for HTTP/2 traffic.
     #[tokio::test(flavor = "current_thread")]
     async fn orig_proto_http2_noop() {
@@ -279,7 +396,7 @@ mod test {
 
         // Pretend the upstream is a proxy that supports proto upgrades...
         let connect = support::connect()
-            .endpoint_fn_boxed(addr, |_: http::Endpoint| serve(::http::Version::HTTP_2));
+            .endpoint_fn_boxed(addr, |_: http::Connect| serve(::http::Version::HTTP_2));
 
         // Build the outbound server
         let (rt, _shutdown) = runtime();
@@ -294,13 +411,7 @@ mod test {
             logical_addr: None,
             opaque_protocol: false,
             tls: tls::ConditionalClientTls::None(tls::NoClientTls::Disabled),
-            metadata: Metadata::new(
-                None,
-                support::resolver::ProtocolHint::Http2,
-                None,
-                None,
-                None,
-            ),
+            metadata: Metadata::new(None, ProtocolHint::Http2, None, None, None),
         });
 
         let req = http::Request::builder()

linkerd/proxy/http/src/client.rs

@@ -67,7 +67,7 @@ impl<C, T, B> tower::Service<T> for MakeClient<C, B>
 where
     T: Clone + Send + Sync + 'static,
     T: Param<Settings>,
-    C: MakeConnection<T> + Clone + Unpin + Send + Sync + 'static,
+    C: MakeConnection<(crate::Version, T)> + Clone + Unpin + Send + Sync + 'static,
     C::Connection: Unpin + Send,
     C::Metadata: Send,
     C::Future: Unpin + Send + 'static,
@@ -133,7 +133,7 @@ type RspFuture = Pin<Box<dyn Future<Output = Result<http::Response<BoxBody>>> +
 impl<C, T, B> Service<http::Request<B>> for Client<C, T, B>
 where
     T: Clone + Send + Sync + 'static,
-    C: MakeConnection<T> + Clone + Send + Sync + 'static,
+    C: MakeConnection<(crate::Version, T)> + Clone + Send + Sync + 'static,
     C::Connection: Unpin + Send,
     C::Future: Unpin + Send + 'static,
     C::Error: Into<Error>,

linkerd/proxy/http/src/glue.rs

@@ -163,15 +163,15 @@ impl<C, T> HyperConnect<C, T> {
     pub(super) fn new(connect: C, target: T, absolute_form: bool) -> Self {
         HyperConnect {
             connect,
-            absolute_form,
             target,
+            absolute_form,
         }
     }
 }
 
 impl<C, T> Service<hyper::Uri> for HyperConnect<C, T>
 where
-    C: MakeConnection<T> + Clone + Send + Sync,
+    C: MakeConnection<(crate::Version, T)> + Clone + Send + Sync,
     C::Connection: Unpin + Send,
     C::Future: Unpin + Send + 'static,
     T: Clone + Send + Sync,
@@ -186,7 +186,9 @@ where
 
     fn call(&mut self, _dst: hyper::Uri) -> Self::Future {
         HyperConnectFuture {
-            inner: self.connect.connect(self.target.clone()),
+            inner: self
+                .connect
+                .connect((crate::Version::Http1, self.target.clone())),
             absolute_form: self.absolute_form,
         }
     }

linkerd/proxy/http/src/h1.rs

@@ -66,7 +66,7 @@ type RspFuture = Pin<Box<dyn Future<Output = Result<http::Response<BoxBody>>> +
 impl<C, T, B> Client<C, T, B>
 where
     T: Clone + Send + Sync + 'static,
-    C: MakeConnection<T> + Clone + Send + Sync + 'static,
+    C: MakeConnection<(crate::Version, T)> + Clone + Send + Sync + 'static,
     C::Connection: Unpin + Send,
     C::Future: Unpin + Send + 'static,
     B: hyper::body::HttpBody + Send + 'static,

linkerd/proxy/http/src/h2.rs

@@ -62,7 +62,7 @@ type ConnectFuture<B> = Pin<Box<dyn Future<Output = Result<Connection<B>>> + Sen
 
 impl<C, B, T> Service<T> for Connect<C, B>
 where
-    C: MakeConnection<T>,
+    C: MakeConnection<(crate::Version, T)>,
     C::Connection: Send + Unpin + 'static,
     C::Metadata: Send,
     C::Future: Send + 'static,
@@ -88,7 +88,7 @@ where
 
         let connect = self
             .connect
-            .connect(target)
+            .connect((crate::Version::H2, target))
             .instrument(trace_span!("connect"));
 
         Box::pin(