Skip to content

fix: force HTTP1 for upstream connections for WS and WSS backends#8699

Merged
zhaohuabing merged 5 commits into
envoyproxy:mainfrom
zhaohuabing:fix-8693
Apr 22, 2026
Merged

fix: force HTTP1 for upstream connections for WS and WSS backends#8699
zhaohuabing merged 5 commits into
envoyproxy:mainfrom
zhaohuabing:fix-8693

Conversation

@zhaohuabing

@zhaohuabing zhaohuabing commented Apr 8, 2026

Copy link
Copy Markdown
Member

This PR forces forces HTTP/1.1 upstream connections instead of negotiating HTTP/2 for ws and wss Backend appProtocols. This change avoids compatibility issues with WebSocket backends that do not support RFC 8441 extended CONNECT.

Fixes: #8693

@zhaohuabing zhaohuabing requested a review from a team as a code owner April 8, 2026 10:34
@netlify

netlify Bot commented Apr 8, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 canceled.

Name Link
🔨 Latest commit 42ea32c
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69e6daaef5c2c700086b1150

@codecov

codecov Bot commented Apr 8, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 94.73684% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.42%. Comparing base (56cc3f7) to head (42ea32c).
⚠️ Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
internal/ir/xds.go 84.61% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8699      +/-   ##
==========================================
- Coverage   74.43%   74.42%   -0.02%     
==========================================
  Files         245      245              
  Lines       38973    39007      +34     
==========================================
+ Hits        29010    29031      +21     
- Misses       7960     7972      +12     
- Partials     2003     2004       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zhaohuabing zhaohuabing marked this pull request as ready for review April 8, 2026 11:04
@zhaohuabing zhaohuabing marked this pull request as draft April 8, 2026 11:12
@zhaohuabing zhaohuabing marked this pull request as ready for review April 9, 2026 01:24
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
},
}
// If forceHTTP1UpstreamProtocol is set, force Envoy to use HTTP1 upstream regardless of other settings.
case forceHTTP1UpstreamProtocol:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we reuse requiresHTTP1Options ?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can’t. forceHTTP1UpstreamProtocol takes precedence over requiresHTTP2Options, which in turn takes precedence over requiresHTTP1Options.

// influence transport socket specific settings
requiresAutoHTTPConfig := len(args.settings) > 0
requiresHTTP2Options := false
forceHTTP1UpstreamProtocol := false

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of this, would it make sense to use AppProtocol of WS in xds layer and set requiresHTTP1Options for that case ?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

requiresHTTP1Options and forceHTTP1UpstreamProtocol have different meanings. forceHTTP1UpstreamProtocol takes precedence over requiresHTTP2Options, which in turn takes precedence over requiresHTTP1Options.

@zhaohuabing zhaohuabing Apr 21, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be easier to read if requiresHTTP2Options was named hasHTTP2OrGRPCUpstream

		if ds.Protocol == ir.GRPC ||
			ds.Protocol == ir.HTTP2 {
			requiresHTTP2Options = true
		}

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
@zhaohuabing zhaohuabing requested a review from a team April 21, 2026 02:03
@zhaohuabing

Copy link
Copy Markdown
Member Author

/retest

@arkodg arkodg left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks

@zhaohuabing zhaohuabing requested a review from a team April 22, 2026 03:58

@arkodg arkodg left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would be good to have per port support in the future

@zhaohuabing

Copy link
Copy Markdown
Member Author

/retest

@zhaohuabing zhaohuabing requested a review from a team April 22, 2026 07:53
@zhaohuabing

Copy link
Copy Markdown
Member Author

would be good to have per port support in the future

Agreed. The current Backend appProtocols field is backend-wide, so this PR keeps the behavior at that level. Per-port appProtocol support would need API changes and can be handled separately.

@zhaohuabing zhaohuabing merged commit 7633125 into envoyproxy:main Apr 22, 2026
79 of 85 checks passed
@zhaohuabing zhaohuabing deleted the fix-8693 branch April 22, 2026 08:17
skos-ninja pushed a commit to skos-ninja/envoy-gateway that referenced this pull request May 1, 2026
…voyproxy#8699)

* force HTTP1 for upstream connections for WS and WSS backends

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* use different clusters for mixed upstream protocols

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* update

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Jake Oliver <[email protected]>
cnvergence added a commit that referenced this pull request May 9, 2026
* fix json report (#8614)

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 4768ca7)

* fix: deep copy status in translator layer to avoid race (#8778)

Signed-off-by: Rudrakh Panigrahi <[email protected]>
(cherry picked from commit 3f70a89)

* fix: force HTTP1 for upstream connections for WS and WSS backends (#8699)

* force HTTP1 for upstream connections for WS and WSS backends

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* use different clusters for mixed upstream protocols

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* update

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 7633125)

* fix: reason with multiple errors rejected validation (#8859)

* fix: reason with multiple errors rejected validation

Signed-off-by: zirain <[email protected]>

* release notes

Signed-off-by: zirain <[email protected]>

* fix lint

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 7811d86)

* feat(chart): Allow configuring envoy proxy image via helm chart (#8785)

* feat: Allow configuring envoy proxy defaults via helm chart

This commit is a continuation of the previous work to support supplying default proxy settings added in #7698 and adds three new chart values under `global.images.envoyProxy`:

| Value | Type | Default | Description |
|----------------------------------------|--------|------|---------------------------------------------------------------------|
| `global.images.envoyProxy.image`       | string | `""` | Full image name (`registry/repo:tag`) for the Envoy Proxy container |
| `global.images.envoyProxy.pullPolicy`  | string | `""` | Image pull policy                                                   |
| `global.images.envoyProxy.pullSecrets` | list   | `[]` | Image pull secrets                                                  |

When any of these are set, the chart generates an `envoyProxy:` block inside the `EnvoyGateway` ConfigMap, wiring into the existing `EnvoyGatewaySpec.envoyProxy` field (added in #7698). The global `imageRegistry` override takes highest precedence, consistent with other chart components.

Full EnvoyProxy defaults (replicas, resources, etc.) can be provided via `config.envoyGateway.envoyProxy`; the image values are merged on top.

Closes #4764.

Signed-off-by: Michael Sommerville <[email protected]>
(cherry picked from commit 8570285)

* add rn and version bump

Signed-off-by: Karol Szwaj <[email protected]>

* fix: respect backend endpoint hostname for health checks (#8929)

* fix: respect backend endpoint hostname for health checks

- Keep BackendTrafficPolicy HTTP health check hostnames as explicit cluster-level hosts, and leave route-derived host fallback to xDS cluster translation.
- Preserve Backend endpoint hostnames as per-endpoint overrides via Endpoint.HealthCheckConfig.hostname, ahead of the route fallback.
- Update gatewayapi/xDS fixtures, release notes, and generated API docs/CRDs for the host selection order.

- go test ./internal/ir
- go test ./internal/xds/translator
- go test ./internal/gatewayapi -run TestTranslate/backendtrafficpolicy
- go test ./internal/gatewayapi -run TestTranslate/(clienttrafficpolicy-http-health-check|envoyextensionpolicy-with-extproc-with-retries|envoyextensionpolicy-with-extproc-with-traffic-features|envoyproxy-accesslog-with-traffic|envoyproxy-tracing-backend-uds|envoyproxy-tracing-backend|securitypolicy-with-jwt-backendcluster|securitypolicy-with-jwt-backendsettings)
- make generate
- make manifests
- git diff --check

Signed-off-by: Arko Dasgupta <[email protected]>
Co-authored-by: Codex <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: zirain <[email protected]>
Co-authored-by: Codex <[email protected]>
Co-authored-by: zirain <[email protected]>

* update release notes

Signed-off-by: Karol Szwaj <[email protected]>

* fix gen-check

Signed-off-by: Karol Szwaj <[email protected]>

* Revert "feat(chart): Allow configuring envoy proxy image via helm chart (#8785)"

This reverts commit 092cc67.

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: Michael Sommerville <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: Arko Dasgupta <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Michael Sommerville <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Co-authored-by: Codex <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

WSS -> WSS handling

3 participants