
Local Close Reason was not set - client_ssl_auth #34997

Closed mhears closed 2 days ago

mhears commented 4 days ago

When using `envoy.filters.network.client_ssl_auth`, if the client certificate fingerprint is not found in the allow-list fetched from the `auth_api_cluster` REST API, an `ENVOY_BUG` check (`!local_close_reason.empty()`) fails — apparently when the rejected connection is closed — as shown in the log extract below.

This appears to have the same signature as issue #26856, which was resolved for the RBAC network filter in PR #26879.

Testing was carried out on Envoy v1.30.3.

[2024-07-01 15:00:12.307][1][info][config] [source/common/listener_manager/listener_manager_impl.cc:930] all dependencies initialized. starting workers
[2024-07-01 15:00:22.600][2146][error][envoy_bug] [source/common/http/conn_manager_impl.cc:597] envoy bug failure: !local_close_reason.empty(). Details: Local Close Reason was not set!
[2024-07-01 15:00:22.601][2146][error][envoy_bug] [./source/common/common/assert.h:38] stacktrace for envoy bug
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #0 UNKNOWN [0x40044be1fe]
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #1 UNKNOWN [0x40044b0f70]
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #2 UNKNOWN [0x40044b09ce]
[2024-07-01 15:00:22.604][2146][error][envoy_bug] [./source/common/common/assert.h:45] #3 UNKNOWN [0x40044af8bb]
[2024-07-01 15:00:22.604][2146][error][envoy_bug] [./source/common/common/assert.h:45] #4 UNKNOWN [0x4003e47ea2]
[2024-07-01 15:00:22.604][2146][error][envoy_bug] [./source/common/common/assert.h:45] #5 UNKNOWN [0x40044be1fe]
[2024-07-01 15:00:22.605][2146][error][envoy_bug] [./source/common/common/assert.h:45] #6 UNKNOWN [0x40044b0f70]
[2024-07-01 15:00:22.605][2146][error][envoy_bug] [./source/common/common/assert.h:45] #7 UNKNOWN [0x40040f6a48]
[2024-07-01 15:00:22.606][2146][error][envoy_bug] [./source/common/common/assert.h:45] #8 UNKNOWN [0x400410eb28]
[2024-07-01 15:00:22.606][2146][error][envoy_bug] [./source/common/common/assert.h:45] #9 UNKNOWN [0x40040f6adb]
[2024-07-01 15:00:22.607][2146][error][envoy_bug] [./source/common/common/assert.h:45] #10 UNKNOWN [0x40044b4de5]
[2024-07-01 15:00:22.607][2146][error][envoy_bug] [./source/common/common/assert.h:45] #11 UNKNOWN [0x40044b36a2]
[2024-07-01 15:00:22.607][2146][error][envoy_bug] [./source/common/common/assert.h:45] #12 UNKNOWN [0x40044916d1]
[2024-07-01 15:00:22.607][2146][error][envoy_bug] [./source/common/common/assert.h:45] #13 UNKNOWN [0x4004492c7d]
[2024-07-01 15:00:22.608][2146][error][envoy_bug] [./source/common/common/assert.h:45] #14 UNKNOWN [0x40053bd800]
[2024-07-01 15:00:22.608][2146][error][envoy_bug] [./source/common/common/assert.h:45] #15 UNKNOWN [0x40053bc141]

Sample configuration (note: `validation_context.trusted_ca` points at the system CA bundle, so TLS-level client certificate verification accepts any certificate issued by a publicly trusted CA; the fingerprint allow-list enforced by `client_ssl_auth` is therefore the only per-client authorization check in this setup):

{
  "static_resources": {
    "listeners": [
      {
        "address": {
          "socket_address": {
            "address": "0.0.0.0",
            "port_value": "443"
          }
        },
        "name": "api-gateway",
        "per_connection_buffer_limit_bytes": 250000000,
        "filter_chains": [
          {
            "filters": [
              {
                "name": "envoy.client_ssl_auth",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.extensions.filters.network.client_ssl_auth.v3.ClientSSLAuth",
                  "auth_api_cluster": "authn",
                  "stat_prefix": "authn",
                  "refresh_delay": "5s"
                }
              },
              {
                "name": "envoy.http_connection_manager",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                  "codec_type": "auto",
                  "stat_prefix": "api_gateway",
                  "use_remote_address": false,
                  "forward_client_cert_details": "SANITIZE_SET",
                  "http_filters": [
                    {
                      "name": "envoy.router",
                      "typed_config": {
                        "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
                      }
                    }
                  ],
                  "route_config": {
                    "name": "local_route",
                    "virtual_hosts": [
                      {
                        "name": "service",
                        "domains": [
                          "*"
                        ],
                        "routes": [
                          {
                            "match": {
                              "safe_regex": {
                                "google_re2": {},
                                "regex": ".*"
                              }
                            },
                            "direct_response": {
                              "status": 200
                            }
                          }
                          ]
                      }
                    ]
                  }
                }
              }
            ],
            "transport_socket": {
              "name": "envoy.transport_sockets.tls",
              "typed_config": {
                "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
                "require_client_certificate": true,
                "common_tls_context": {
                  "alpn_protocols": "h2,http/1.1",
                  "tls_params": {
                    "tls_minimum_protocol_version": "TLSv1_2"
                  },
                  "tls_certificates": {
                    "certificate_chain": {
                      "filename": "/etc/ssl/service/service.cer"
                    },
                    "private_key": {
                      "filename": "/etc/ssl/service/service.key"
                    }
                  },
                  "validation_context": {
                    "trusted_ca": {
                      "filename": "/etc/ssl/certs/ca-certificates.crt"
                    }
                  }
                }
              }
            }
          }
        ]
      }
    ],
    "clusters": [
      {
        "name": "authn",
        "connect_timeout": "0.25s",
        "type": "logical_dns",
        "lb_policy": "round_robin",
        "load_assignment": {
          "cluster_name": "authn",
          "endpoints": [
            {
              "lb_endpoints": [
                {
                  "endpoint": {
                    "address": {
                      "socket_address": {
                        "address": "authn",
                        "port_value": 8080
                      }
                    }
                  }
                }
              ]
            }
          ]
        }
      }
    ]
  }
}
htuch commented 4 days ago

@ggreenway

arulthileeban commented 3 days ago

Looks like it is probably coming from the connection-close path at https://github.com/envoyproxy/envoy/blob/main/contrib/client_ssl_auth/filters/network/source/client_ssl_auth.cc#L133 — the filter appears to close the connection for a non-matching fingerprint without setting a local close reason, which is what the `ENVOY_BUG` in the HTTP connection manager is checking for. I can add a PR to fix this.