Disable protocol upgrades for the HTTP client by default. #6194
Summary
This avoids problems where a connection could be blocked by an intermediate proxy that disallows protocol upgrades.
Issue
In OTP PR #6079 the Apache HTTP client was upgraded to 5.4. They in turn enabled protocol upgrades by default in HTTPCLIENT-751. This means that the client/server will try upgrading a plain HTTP connection to a TLS one (among other upgrades).
Unfortunately this causes problems in our deployment as we run an Envoy proxy server on top of our instances (specifically our SIRI updaters can't connect to the history service). Envoy currently doesn't support protocol upgrades by default and will answer the request with 403.
For the curious, Envoy have issues open on the subject: Envoy #36305, Envoy #36469
There is also a slightly heated Apache HTTP client bug ticket, HTTPCLIENT-2344, which is closed as 'invalid' and which indicates that the current behavior won't change.
This subject was discussed in a dev meeting, and it was agreed that it's better to disable protocol upgrades by default for all clients.
If wanted, it could be enabled on an individual case by adding a configuration API on the OTP HTTP client.
Testing
Tested in a runtime environment.
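
One way to check the behaviour described above, as an added example (not code from this PR or from OTP): it assumes Apache HttpClient 5.4 or later on the classpath, uses the JDK's built-in HttpServer on localhost as a stand-in for the remote service, and the class and method names are hypothetical.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.config.RequestConfig;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;

// Hypothetical check class, not part of OTP.
public class NoUpgradeCheck {

  // Sends one plain-HTTP GET to a local server and returns the Upgrade
  // request header the server received, or null if the client sent none.
  static String upgradeHeaderSeen(boolean upgradeEnabled) throws Exception {
    AtomicReference<String> seen = new AtomicReference<>();
    // Port 0 lets the OS pick a free port, so nothing leaves the machine.
    HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
    server.createContext("/", exchange -> {
      seen.set(exchange.getRequestHeaders().getFirst("Upgrade"));
      exchange.sendResponseHeaders(204, -1); // no response body
      exchange.close();
    });
    server.start();

    // The setting this PR is about: the client-wide default request config.
    RequestConfig config = RequestConfig.custom()
      .setProtocolUpgradeEnabled(upgradeEnabled)
      .build();

    try (CloseableHttpClient client =
           HttpClients.custom().setDefaultRequestConfig(config).build()) {
      HttpGet get = new HttpGet("http://127.0.0.1:" + server.getAddress().getPort() + "/");
      client.execute(get, response -> response.getCode());
    } finally {
      server.stop(0);
    }
    return seen.get();
  }

  public static void main(String[] args) throws Exception {
    // With upgrades disabled the request carries no Upgrade header (null).
    System.out.println("upgrades disabled -> Upgrade header: " + upgradeHeaderSeen(false));
    System.out.println("upgrades enabled  -> Upgrade header: " + upgradeHeaderSeen(true));
  }
}
```

The same check against a service behind the proxy shows whether a 403 is tied to the Upgrade header or to something else in the request.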