Open amortensen opened 2 years ago
If you only need to redirect websocket connections, I believe you can workaround the issue by setting the websocket upgrade as the default for all routes, in the default HttpConnectionManager, eg:
filter_chains:
- filters:
- name: envoy.http_connection_manager
typed_config:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
codec_type: AUTO
stat_prefix: egress_http
upgrade_configs:
- upgrade_type: websocket
If you have any non-websocket routes, you can explicitly disable the upgrade on them. If you also need to redirect non-websocket this won't work I think.
Hello @jcferretti
Your suggestion doesn't work too unfortunately
My company uses that workaround I described above in our production deployments. It works, with the caveats I mentioned.
@jcferretti Hello I try to test my setup here https://github.com/acteek/envoy-tests/blob/main/config/redirect.yaml and it doesn't work. I would be very happy if you could check the config and point out a mistake
Sorry I think I was wrong. I checked our configs and we don't do what I suggested above. I am not sure the following excerpt would help or not, but this is something we are actually doing:
{
"match": {
"prefix": "/acl/"
},
"route": {
"cluster": "8be5d925f228d2a8d0c4619402f36e03993f6357",
"upgrade_configs": [
{
"upgrade_type": "websocket",
"enabled": true
}
]
}
},
{
"match": {
"prefix": "/acl"
},
"redirect": {
"path_redirect": "/acl/"
}
i am also looking to perform websocket redirects and this is not supported
Under certain circumstances I would like to redirect a websocket connection upgrade request from one private location to another, in which the initial connection upgrade request is internally redirected after receiving a 302 from the service host fielding the initial request. It appears Envoy should support this, but does not due to a specific condition in the internal redirect handling code.
The flow below is what I would like to have working:
It looks from the Envoy docs like this should be possible using
internal_redirect_policy
andupgrade_configs
for the route configs. To test this, I modified the docker-compose.yml from the envoy websocket example. I added a cluster containing a simple node server that just redirects to the websocat cluster (see config below), and added the internal redirect policy and upgrade config. However, Envoy fails to perform the internal redirect, and the internal 302 is passed to the downstream client. I have separately verified that I can do internal redirects when theupgrade_configs
block is not included in the config.After adding some additional trace messages to the code, it appears the
Filter::setupRedirect
method will not perform the internal redirect if the downstream request is not complete (downstream_end_stream_ == false
). The downstream request will of course not be complete because this is an upgrade request.I don't see a way around this using currently available configuration options. It looks to me like my use case could be supported with a slightly more refined conditional in
Filter::setupRedirect
based on the presence of upgrade_configs (or a new config flag enabling redirect support in combination with upgrades), but I'm not sufficiently experienced with the code at this point to be sure.Config:
Logs: Full trace logs in this gist: envoy_ws_upgrade_internal_redirect_failure_logs. Key excerpts: