Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement HTTP proxy CONNECT with ALPN #2699

Merged
merged 5 commits into from
Sep 29, 2023

Conversation

idelpivnitskiy
Copy link
Member

@idelpivnitskiy idelpivnitskiy commented Sep 19, 2023

Motivation:

Proxies that behave like blind forwarding tunnel do not care what protocol will be
used after the tunnel is established. Because we always enforce TLS for such tunnels,
we can rely on ALPN to negotiate expected protocol after the tunnel is established.
This will allow gRPC use cases to operate via tunneling proxies.

Modifications:

  • Enhance ProxyConnectLBHttpConnectionFactory to take ALPN results into account
    before finishing connection initialization;
  • Enhance HttpsProxyTest to validate proxy tunnel works for any combination of the
    configured protocols;
  • Enhance ProxyConnectLBHttpConnectionFactory to validate new use-cases;
  • Add GrpcProxyTunnelTest;

Results:

  1. HTTP users can negotiate HTTP/2 after proxy tunnel is established.
  2. gRPC users can use proxy tunnels.

Depends on #2697, review only starting from "Implement HTTP proxy CONNECT with ALPN" commit.

@idelpivnitskiy idelpivnitskiy self-assigned this Sep 19, 2023
@idelpivnitskiy idelpivnitskiy merged commit 055374e into apple:main Sep 29, 2023
@idelpivnitskiy idelpivnitskiy deleted the proxy-connect-with-alpn branch September 29, 2023 19:03
idelpivnitskiy added a commit to idelpivnitskiy/servicetalk that referenced this pull request Sep 29, 2023
Motivation:

After apple#2699 implemented HTTP proxy CONNECT with ALPN, it made observability
confusing. It broke the contract that only one `connectionEstablished` method can
be invoked, which happens when ALPN switches from HTTP/1.1 to HTTP/2 pipeline.
Also, for a proxy tunnel with HTTP/1.1 `ConnectionObserver` events were always confusing:
users had to wait for `handshakeComplete` after `connectionEstablished` to report that
the connection is "ready".

Modifications:

- Add `ConnectionObserver.ProxyConnectObserver` that reports events related to
`CONNECT` phase that starts right after `onTransportHandshakeComplete`;
- Refactor `PipelinedLBHttpConnectionFactory` to defer invocation of
`connectionEstablished`/`multiplexedConnectionEstablished` until after the handshake
is complete to make it consistent with non-proxied connections and make sure only
one of the "established" methods is invoked;
- Removed `ProxyConnectLBHttpConnectionFactoryTest` because it targeted code paths
that do not exist anymore. Instead, enhanced `HttpsProxyTest` to cover similar use-cases.
- Enhanced `ProxyTunnel` to allow behavior customization;

Result:

Enhanced observability for proxy tunnels, `ConnectionObserver` behavior is consistent
between proxied and non-proxied use-cases.
idelpivnitskiy added a commit that referenced this pull request Sep 29, 2023
Motivation:

After #2699 implemented HTTP proxy CONNECT with ALPN, it made observability
confusing. It broke the contract that only one `connectionEstablished` method can
be invoked, which happens when ALPN switches from HTTP/1.1 to HTTP/2 pipeline.
Also, for a proxy tunnel with HTTP/1.1 `ConnectionObserver` events were always confusing:
users had to wait for `handshakeComplete` after `connectionEstablished` to report that
the connection is "ready".

Modifications:

- Add `ConnectionObserver.ProxyConnectObserver` that reports events related to
`CONNECT` phase that starts right after `onTransportHandshakeComplete`;
- Refactor `PipelinedLBHttpConnectionFactory` to defer invocation of
`connectionEstablished`/`multiplexedConnectionEstablished` until after the handshake
is complete to make it consistent with non-proxied connections and make sure only
one of the "established" methods is invoked;
- Removed `ProxyConnectLBHttpConnectionFactoryTest` because it targeted code paths
that do not exist anymore. Instead, enhanced `HttpsProxyTest` to cover similar use-cases.
- Enhanced `ProxyTunnel` to allow behavior customization;

Result:

Enhanced observability for proxy tunnels, `ConnectionObserver` behavior is consistent
between proxied and non-proxied use-cases.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants