[gateway] forward-port dynamic forward proxy h2/h2c upstream support with auto_sni#88
Merged
…with auto_sni

These DFP improvements shipped on the v0.11.x release line (authored 2026-06-03 for the NetworkingProd1 incident) but were never forward-ported to main, which diverged from that line on 2025-10-01. This brings them to main, correct from the start:

- Speak HTTP/2 upstream for h2/h2c Backends by emitting HttpProtocolOptions on the dynamic_forward_proxy cluster (previously HTTP/1.1 only, which defeated multiplexing and made the upstream connection cap easy to hit).
- Remove Envoy's implicit 1024 max_connections/max_requests cap on http and dfp clusters via explicit circuit breakers.
- Set auto_sni and auto_san_validation on the DFP cluster's HttpProtocolOptions. Envoy's dynamic_forward_proxy factory requires both once typed_extension_protocol_options are present (otherwise the cluster is rejected: "dynamic_forward_proxy cluster must have auto_sni and auto_san_validation true ..."). This derives the upstream SNI from the dynamically resolved host and validates the cert SAN against it, preserving TLS verification without allow_insecure_cluster_options.

Forward-port of fee0145 + b4dcd07 plus the auto_sni fix shipped in v0.11.23.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What

Forward-ports the dynamic forward proxy (DFP) improvements that shipped on the `v0.11.x` release line to `main` — correct from the start:

- Speak HTTP/2 upstream for `h2`/`h2c` Backends by emitting `HttpProtocolOptions` on the `dynamic_forward_proxy` cluster (was HTTP/1.1 only, defeating multiplexing and making the upstream connection cap easy to hit).
- Remove Envoy's implicit 1024 `max_connections`/`max_requests` cap on http and dfp clusters via explicit circuit breakers.
- Set `auto_sni` and `auto_san_validation` on the DFP cluster's `HttpProtocolOptions`. Envoy's `dynamic_forward_proxy` factory requires both once `typed_extension_protocol_options` are present, otherwise the cluster is rejected with `dynamic_forward_proxy cluster must have auto_sni and auto_san_validation true unless allow_insecure_cluster_options is set.` This derives upstream SNI from the dynamically resolved host and validates the cert SAN against it — preserving TLS verification, no `allow_insecure_cluster_options`.

Why

These commits (`fee0145`, `b4dcd07`) were authored 2026-06-03 for the NetworkingProd1 incident (`dfp-backend-0e058897` rejected; `/phone-number/*` latency from upstream connection saturation) directly on the `v0.11.x` release branch, which diverged from `main` on 2025-10-01. They were never forward-ported — so `main` still spoke HTTP/1.1 to DFP upstreams. The auto_sni fix is what shipped as `v0.11.23`; bundling it here means the feature lands on main without ever reintroducing the rejection.

Tests

`pkg/gateway/xds/translator/dynamic_forward_proxy_test.go` reproduces the production backend (`protocol: h2`, `dnsLookupFamily: v4_only`, system-trust TLS) and asserts the generated cluster carries `auto_sni` + `auto_san_validation` + HTTP/2 + a TLS socket; covers `h2c`, plain-HTTP/1.1, and TLS-only-HTTP/1.1; plus a non-DFP scoping guard proving non-DFP cluster output is unchanged. Proven red without the fix, green with it.

🤖 Generated with Claude Code
pkg/gateway/xds/translator/dynamic_forward_proxy_test.goreproduces the production backend (protocol: h2,dnsLookupFamily: v4_only, system-trust TLS) and asserts the generated cluster carriesauto_sni+auto_san_validation+ HTTP/2 + a TLS socket; coversh2c, plain-HTTP/1.1, and TLS-only-HTTP/1.1; plus a non-DFP scoping guard proving non-DFP cluster output is unchanged. Proven red without the fix, green with it.🤖 Generated with Claude Code