Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(aws-lambda) strip Connection header if client is using HTTP/2 #4032

Merged
merged 6 commits into from
Dec 3, 2018
Merged

fix(aws-lambda) strip Connection header if client is using HTTP/2 #4032

merged 6 commits into from
Dec 3, 2018

Conversation

rainest
Copy link
Contributor

@rainest rainest commented Nov 28, 2018

Summary

Strip Connection headers from AWS Lambda responses if client is using HTTP per RFC 7540

Issues resolved

Fix #2991

fix(aws-lambda) strip Connection header if client is using HTTP/2
7e18d75 
We currently access Lambda over HTTP/1.1, and it returns a Connection
header as such. The Connection header is not used in HTTP/2 (it is
superseded by other protocol features) and including it violates RFC
7540 8.1.2.2. Per the same "an intermediary transforming an HTTP/1.x
message to HTTP/2 will need to remove any header fields nominated by the
Connection header field, along with the Connection header field itself."
@rainest rainest requested a review from thibaultcha November 28, 2018 22:46
@rainest
Copy link
Contributor Author

rainest commented Nov 28, 2018

Previously #3481, which did not like my attempt to rebase. The current version of the plugin no longer uses ngx.say, so only the change to strip Connection remains relevant.

At present we lack an HTTP/2 client library in the test suite, so this does not include new tests.

@thibaultcha
Copy link
Member

Thanks @rainest. Before I check myself, have you researched (i.e. grep or such) the codebase for potential other instances of this issue?

@rainest
Copy link
Contributor Author

rainest commented Nov 28, 2018
edited
Loading

As far as I know, this should only apply when lua-resty-http is used to fetch content rather than simply proxying the request--it'd be very apparent if it applied to regular proxying as no proxied HTTP/2 requests would work.

We use lua-resty-http in the Lambda, Galileo, OIDC, Azure Functions, Zipkin, and Forward Proxy. Of those, I think only Azure and Forward Proxy are likely affected by the same issue, as the others are using lua-resty-http to send data to an external service, and don't affect the response returned to clients.

Edit: Forward Proxy probably isn't affected as it uses lua-resty-http's proxy_response function, which includes its own mechanism to ignore the upstream Connection header.

@thibaultcha
Copy link
Member

@rainest Thanks for tracking them down. It indeed looks like Azure would be guilty of this as well (https://github.com/Kong/kong-plugin-azure-functions/blob/master/kong/plugins/azure-functions/handler.lua#L118). Will you be able to submit a fix for it as well?

@wbcustc
Copy link

wbcustc commented Nov 29, 2018

May worth directly create the PR to next branch. The plugin structure is largely refactored in the next branch.

@thibaultcha
Copy link
Member

No, bug fixes are to be submitted against the master branch. The fix is identical in the next branch version of the plugin anyways.

fix(aws-lambda) strip headers disallowed by HTTP/2
300eab6 
Remove additional headers mentioned by RFC 7540 8.1.2.2. Lambda does not
currently emit these in my tests, and the RFC indicates it's not strictly
necessary to strip them unless they're nominated by Connection, but
their presence will break some HTTP/2 implementations (libcurl and
Chrome at least, possibly others), so removing to future-proof against
Lambda adding them in the future.
@rainest rainest mentioned this pull request Nov 29, 2018
Closed
thibaultcha
thibaultcha requested changes Nov 29, 2018
View reviewed changes
kong/plugins/aws-lambda/handler.lua Outdated Show resolved Hide resolved
@thibaultcha thibaultcha added this to the 1.0.0rc4 milestone Nov 30, 2018
thibaultcha
thibaultcha reviewed Nov 30, 2018
View reviewed changes
kong/plugins/aws-lambda/handler.lua
headers["Proxy-Connection"] = nil
headers["Upgrade"] = nil
headers["Transfer-Encoding"] = nil
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for future reference: https://tools.ietf.org/html/rfc7540#section-8.1.2.2

@thibaultcha thibaultcha added the pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. label Nov 30, 2018
@CLAassistant
Copy link

CLAassistant commented Nov 30, 2018
edited
Loading

CLA assistant check
All committers have signed the CLA.

@thibaultcha thibaultcha merged commit f2ee98e into master Dec 3, 2018
@thibaultcha thibaultcha deleted the fix/lambda-http2 branch December 3, 2018 21:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thibaultcha thibaultcha thibaultcha approved these changes

Assignees
No one assigned
Labels
pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done.
Projects
None yet
Milestone
1.0.0rc4
Development

Successfully merging this pull request may close these issues.

Issue with invoking Lambda using plugin.
4 participants
@rainest @thibaultcha @wbcustc @CLAassistant