network: add timeout for transport connect #13610
Conversation
Add a new interface and impl class for incoming connections to the server. This class currently adds no methods on top of the existing Connection class, but will be used to add new functionality in the future. Signed-off-by: Alex Konradi <akonradi@google.com>
Add code to the new ServerConnection class to support a timeout for the transport socket connect event. This will be used to require TLS connections to complete their handshake within a specified period of time. Signed-off-by: Alex Konradi <akonradi@google.com>
Add a config field to the filter chain proto to specify the transport socket timeout and use that to set the value on the server socket. Signed-off-by: Alex Konradi <akonradi@google.com>
Signed-off-by: Alex Konradi <akonradi@google.com>
|
/assign @antoniovicente |
Signed-off-by: Alex Konradi <akonradi@google.com>
|
/lgtm api |
Signed-off-by: Alex Konradi <akonradi@google.com>
|
|
||
| * The :ref:`transport_socket_connect_timeout <envoy_v3_api_field_config.listener.v3.FilterChain.transport_socket_connect_timeout>` | ||
| specifies the amount of time Envoy will wait for a downstream client to complete transport-level | ||
| negotiations. This can be used to limit the amount of time allowed to finish a TLS handshake |
There was a problem hiding this comment.
Worth generalizing this description further? The timeout covers transport socket establishment, which includes the handshake step when establishing TLS or ALPN sockets.
There was a problem hiding this comment.
Done, PTAL. I'm open to suggestions for optimizing for searchability for "tls timeout" and such.
There was a problem hiding this comment.
Sorry, I hadn't looked at the rest of this doc until now.
It makes some sense to me to move this timeout closer to the top. Alternatively, you could add references to the HTTP connection level timeouts and TCP timeouts sections: "See :ref:`Transport Socket` for other connection timeouts."
There was a problem hiding this comment.
Moved above the TCP section.
There was a problem hiding this comment.
I think that now it is even more hidden than before.
Signed-off-by: Alex Konradi <akonradi@google.com>
|
|
||
| * The :ref:`transport_socket_connect_timeout <envoy_v3_api_field_config.listener.v3.FilterChain.transport_socket_connect_timeout>` | ||
| specifies the amount of time Envoy will wait for a downstream client to complete transport-level | ||
| negotiations. This can be used to limit the amount of time allowed to finish a TLS handshake |
There was a problem hiding this comment.
Sorry, I hadn't looked at the rest of this doc until now.
It makes some sense to me to move this timeout closer to the top. Alternatively, you could add references to the HTTP connection level timeouts and TCP timeouts sections: "See :ref:`Transport Socket` for other connection timeouts."
Signed-off-by: Alex Konradi <akonradi@google.com>
Signed-off-by: Alex Konradi <akonradi@google.com>
|
/retest |
|
Retrying Azure Pipelines. |
…eout Signed-off-by: Alex Konradi <akonradi@google.com>
|
/retest |
|
Retrying Azure Pipelines. |
|
The clang_tidy check looks to be the same GOAWAY issue seen elsewhere. Would merging master help, or should I just kick off a retest? |
|
/retest |
|
Retrying Azure Pipelines: |
|
|
||
| void ServerConnectionImpl::onTransportSocketConnectTimeout() { | ||
| closeConnectionImmediately(); | ||
| stream_info_.setConnectionTerminationDetails("transport socket timeout was reached"); |
There was a problem hiding this comment.
nit: can you make this a const string_view somewhere to avoid a probable string_view temporary? Also, I would set the stream info details before closing just for safety in case something looks up the info in the immediate close path.
| case ConnectionEvent::Connected: | ||
| case ConnectionEvent::RemoteClose: | ||
| case ConnectionEvent::LocalClose: |
There was a problem hiding this comment.
Do you envision other events in the future in which we wouldn't do this? Seems like you can just remove the switch and do this always?
There was a problem hiding this comment.
I don't know, but this seemed like a good way of 1) demonstrating that this is supposed to handle all cases identically (i.e. I didn't consider one and forget about the others) and 2) ensuring that if someone ever adds an event type, they have to consider how to modify this since it'll cause a compile error otherwise.
There was a problem hiding this comment.
OK fair enough. Fine by me.
Signed-off-by: Alex Konradi <akonradi@google.com>
* master: (83 commits) tls: Typesafe tls slots (envoyproxy#13789) docs(example): Correct URL for caching example page (envoyproxy#13810) [fuzz] Made health check fuzz more efficient (envoyproxy#13747) rtds: properly scope rtds stats (envoyproxy#13764) http: fixing a bug with IPv6 hosts (envoyproxy#13798) connection: Remember transport socket read resumption requests and replay them when re-enabling read. (envoyproxy#13772) network: adding some accessors for ALPN work. (envoyproxy#13785) docs: added a step about how to handle platform specific extensions (envoyproxy#13759) Fix identation in ip transparency code snippet (envoyproxy#13743) wasm: enable WAVM's stack unwinding feature (envoyproxy#13792) log: set route name for direct response (envoyproxy#13683) Use nghttp2 as external dependsncy in protocol_constraints_lib (envoyproxy#13763) [Windows] Update windows dev docs (envoyproxy#13741) cel: patch thread safety issue (envoyproxy#13739) Windows: Fix ssl_socket_test (envoyproxy#13264) apple dns: add fake api test suite (envoyproxy#13780) overload: scale selected timers in response to load (envoyproxy#13475) examples: Add dynamic configuration (control plane) sandbox (envoyproxy#13746) Removed exception in getResponseStatus() (envoyproxy#13314) network: add timeout for transport connect (envoyproxy#13610) ... Signed-off-by: Michael Puncel <mpuncel@squareup.com>
passthrough functionality for "TLS handshake timeout". Envoy has supported this [for a bit](envoyproxy/envoy#13610), and this PR will allow gloo-edge to support the functionality as well. [Referenced Documentation Here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchain) closes solo-io#5438
passthrough functionality for "TLS handshake timeout". Envoy has supported this [for a bit](envoyproxy/envoy#13610), and this PR will allow gloo-edge to support the functionality as well. [Referenced Documentation Here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchain) closes solo-io#5438
passthrough functionality for "TLS handshake timeout". Envoy has supported this [for a bit](envoyproxy/envoy#13610), and this PR will allow gloo-edge to support the functionality as well. [Referenced Documentation Here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchain) closes solo-io#5438
passthrough functionality for "TLS handshake timeout". Envoy has supported this [for a bit](envoyproxy/envoy#13610), and this PR will allow gloo-edge to support the functionality as well. [Referenced Documentation Here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchain) closes solo-io#5438
passthrough functionality for "TLS handshake timeout". Envoy has supported this [for a bit](envoyproxy/envoy#13610), and this PR will allow gloo-edge to support the functionality as well. [Referenced Documentation Here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchain) closes solo-io#5438
* feat(ssl): added timeout option passthrough functionality for "TLS handshake timeout". Envoy has supported this [for a bit](envoyproxy/envoy#13610), and this PR will allow gloo-edge to support the functionality as well. [Referenced Documentation Here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchain) closes solo-io#5438
Commit Message: Add a timeout for how long an incoming connection has to establish a transport-level connection
Additional Description:
Adds a configurable timeout for the amount of time a downstream client is allowed to finish the transport-level connect before the connection is forcefully terminated. This can be used to require that a client finishes the TLS handshake in a bounded amount of time.
Risk Level: low
Testing: added unit tests
Docs Changes: document new field
Release Notes: document new feature
Platform Specific Features: none
Addresses #11426