More details in istio/istio#53239 (also related to https://github.com/istio/istio/issues/52651#issuecomment-2379732776) but here's the TL;DR:
Envoy returns a 403 Forbidden response for unsupported HTTP upgrade headers (e.g. SPDY/3.1, TLS/1.2, etc.) even when the upstream service is able to respond normally. This creates a disparity in terms of the developer experience when testing the app outside of the mesh (all working correctly) vs inside the mesh (requests getting blocked). The FR here is to expose a setting that configures Envoy to ignore any unknown headers and let the server respond normally.
cc @howardjohn