CONNECT-UDP example configuration error #33775

Open
Bfarkiani opened this issue Apr 25, 2024 · 5 comments
Labels: area/udp, bug, investigate (Potential bug that needs verification)

Comments

@Bfarkiani

If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via emailing
envoy-security@googlegroups.com where the issue will be triaged appropriately.

Title: CONNECT-UDP example configuration error
Description:
I am trying to test the configuration provided in https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/upgrades#connect-udp-support. I am also using the quiche masque_client (https://github.com/google/quiche/tree/main/quiche/quic/masque), and I am using the latest envoy:dev container. The client-side proxy configuration is as below:

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: UDP
        address: 0.0.0.0
        port_value: 10000
    udp_listener_config:
      quic_options: {}
      downstream_socket_config:
        prefer_gro: true
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.quic
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
          downstream_tls_context:
            common_tls_context:
              tls_certificates:
              - certificate_chain:
                  filename: /etc/envoy/server.crt
                private_key:
                  filename: /etc/envoy/server.key
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: HTTP3
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              - match:
                  connect_matcher:
                    {}
                route:
                  cluster: cluster_0
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          http3_protocol_options:
            allow_extended_connect: true
          upgrade_configs:
          - upgrade_type: CONNECT-UDP
  clusters:
  - name: cluster_0
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http3_protocol_options:
            allow_extended_connect: true
    load_assignment:
      cluster_name: cluster_0
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 192.168.170.128
                port_value: 10000
    transport_socket:
      name: envoy.transport_sockets.quic
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport
        upstream_tls_context:
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: /etc/envoy/server.crt
              private_key:
                filename: /etc/envoy/server.key

The server-side proxy (192.168.170.128), which terminates CONNECT-UDP and forwards the request to Google, is configured as follows:

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: UDP
        address: 0.0.0.0
        port_value: 10000
    udp_listener_config:
      quic_options: {}
      downstream_socket_config:
        prefer_gro: true
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.quic
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
          downstream_tls_context:
            common_tls_context:
              tls_certificates:
              - certificate_chain:
                  filename: /etc/envoy/server.crt
                private_key:
                  filename: /etc/envoy/server.key
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: HTTP3
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              - match:
                  connect_matcher:
                    {}
                route:
                  cluster: service_google
                  upgrade_configs:
                  - upgrade_type: CONNECT-UDP
                    connect_config:
                      {}
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          http3_protocol_options:
            allow_extended_connect: true
          upgrade_configs:
          - upgrade_type: CONNECT-UDP
  clusters:
  - name: service_google
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_google
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.google.com
                port_value: 443

The command for the masque client is:
./masque_client --disable_certificate_verification=true 127.0.0.1:10000 https://www.google.com

It fails. The output of the client Envoy is:

[2024-04-25 03:31:08.165][1][info][main] [source/server/server.cc:971] starting main dispatch loop
[2024-04-25 03:32:38.204][15][info][quic] [external/com_github_google_quiche/quiche/quic/core/tls_server_handshaker.cc:974] No hostname indicated in SNI
[2024-04-25 03:32:38.215][15][info][quic] [external/com_github_google_quiche/quiche/quic/core/tls_handshaker.cc:256] Cert chain verification failed: Leaf certificate doesn't match hostname:
58755145347776:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:external/boringssl/src/ssl/handshake.cc:393:
[2024-04-25T03:32:38.211Z] "GET /.well-known/masque/udp/www.google.com/443/ HTTP/3" 503 UF 1311 236 4 - "-" "-" "c3a36610-997b-40ab-a2a4-a7d46f698f00" "www.google.com:443" "192.168.170.128:10000"

The server Envoy output is:

[2024-04-25 03:32:38.210][20][info][quic] [external/com_github_google_quiche/quiche/quic/core/tls_server_handshaker.cc:974] No hostname indicated in SNI

The client and server Envoy proxies both use the same self-signed certificate, and the configuration is the same as provided on the website.
If I enable auto_sni on the client side:

  - name: cluster_0
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        upstream_http_protocol_options:
          auto_sni: true
        explicit_http_config:
          http3_protocol_options:
            allow_extended_connect: true
    load_assignment:
      cluster_name: cluster_0
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 192.168.170.128
                port_value: 10000
    transport_socket:
      name: envoy.transport_sockets.quic
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport
        upstream_tls_context:
          common_tls_context:
            validation_context:
              trust_chain_verification: ACCEPT_UNTRUSTED

I still get the following error:

[2024-04-25 03:56:25.547][17][info][quic] [external/com_github_google_quiche/quiche/quic/core/tls_server_handshaker.cc:974] No hostname indicated in SNI
[2024-04-25 03:56:25.563][17][info][quic] [external/com_github_google_quiche/quiche/quic/core/tls_handshaker.cc:256] Cert chain verification failed: Leaf certificate doesn't match hostname: www.google.com
22063240393008:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:external/boringssl/src/ssl/handshake.cc:393:
[2024-04-25T03:56:25.554Z] "GET /.well-known/masque/udp/www.google.com/443/ HTTP/3" 503 UF 1311 236 9 - "-" "-" "3e1dbc32-dba5-48fa-8069-2065bfecefec" "www.google.com:443" "192.168.170.128:10000"

I also changed the server proxy to the following, and nothing changed:

  clusters:
  - name: service_google
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        upstream_http_protocol_options:
          auto_sni: true
        explicit_http_config:
          http2_protocol_options: {}

    load_assignment:
      cluster_name: service_google
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.google.com
                port_value: 443

Thank you for checking this.
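As an added illustration (not part of the issue or of the Envoy docs): the client-proxy log above reports "Leaf certificate doesn't match hostname", i.e. the QUIC upstream handshake is failing hostname verification, not chain verification, so `trust_chain_verification: ACCEPT_UNTRUSTED` does not address that message and removes a check a deployment should keep. A client-side cluster transport socket that instead pins the SNI to the server proxy's own name and validates its certificate against a known CA and SAN looks like the following; `proxy.internal.example` and `/etc/envoy/proxy-ca.crt` are placeholder assumptions, as is the assumption that the server proxy's certificate carries that DNS SAN.

```yaml
# Added example (not from the issue): client-proxy cluster transport socket that
# validates the server proxy's certificate rather than disabling verification.
# Assumed placeholders: proxy.internal.example is a DNS SAN in the server proxy's
# certificate, and /etc/envoy/proxy-ca.crt is the CA that issued it.
    transport_socket:
      name: envoy.transport_sockets.quic
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport
        upstream_tls_context:
          # Send a fixed SNI for the next-hop proxy instead of deriving it from the
          # CONNECT-UDP target: with auto_sni the client proxy sends www.google.com,
          # which the server proxy's self-signed certificate cannot match.
          sni: proxy.internal.example
          common_tls_context:
            validation_context:
              # Chain verification stays at its default (VERIFY_TRUST_CHAIN);
              # the server proxy's certificate must chain to this CA.
              trusted_ca:
                filename: /etc/envoy/proxy-ca.crt
              # Require the presented certificate to carry the SAN we expect
              # for the server proxy, independent of the CONNECT-UDP authority.
              match_typed_subject_alt_names:
              - san_type: DNS
                matcher:
                  exact: proxy.internal.example
```

With this in place a mismatch still surfaces as a 503 with the UF response flag in the client proxy's access log, which is the line to alert on when checking whether the inter-proxy hop is being validated.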

Bfarkiani added the bug and triage (Issue requires triage) labels on Apr 25, 2024
wbpcode (Member) commented Apr 26, 2024

cc @DavidSchinazi cc @RyanTheOptimist

wbpcode added the investigate (Potential bug that needs verification) and area/udp labels and removed the triage (Issue requires triage) label on Apr 26, 2024

DavidSchinazi (Contributor) commented

@jeongseokson could you take a look at this one please?

jeongseokson (Contributor) commented

Hi @Bfarkiani, thank you for reporting the issue. Does sending a CONNECT-UDP request directly to the server-proxy work?

I will try to test the forwarding and terminating proxy two-hop setup myself and see if there's any issue in the current example configs.

Bfarkiani (Author) commented Apr 29, 2024

Hi @jeongseokson
Thank you for your attention. I sent the request directly to the server. The server uses the same configuration as above (the same as in the Envoy docs). The Envoy server prints the following message:

[2024-04-29T20:15:37.750Z] "GET /.well-known/masque/udp/www.google.com/443/ HTTP/3" 200 - 3875 68976 383 - "-" "-" "c70459b6-454d-45e1-9629-55f97aae6c7f" "www.google.com:443" "142.250.190.36:443"

So, it seems that sending directly to the server works fine.

jeongseokson (Contributor) commented

Thanks for the update. I will test the two-proxy setup myself when time permits to see if I can reproduce the issue.
