From 4f190b35af0dd46bfd3e34be3a9129d63ceaeb8b Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Mon, 12 Apr 2021 11:13:31 -0400 Subject: [PATCH 01/20] docs: unhiding HTTP/3 and adding docs Signed-off-by: Alyssa Wilk --- api/envoy/config/core/v3/protocol.proto | 2 - api/envoy/config/core/v4alpha/protocol.proto | 2 - .../listener/v3/udp_listener_config.proto | 4 +- .../v4alpha/udp_listener_config.proto | 4 +- .../http/v3/http_protocol_options.proto | 8 ++-- .../http/v4alpha/http_protocol_options.proto | 8 ++-- .../configuration/best_practices/edge.rst | 2 +- .../best_practices/level_two.rst | 12 +++--- .../http/http_conn_man/stats.rst | 7 +++- .../http/http_filters/aws_lambda_filter.rst | 2 +- .../http_filters/grpc_http1_bridge_filter.rst | 2 +- .../grpc_http1_reverse_bridge_filter.rst | 2 +- .../http/http_filters/lua_filter.rst | 2 +- .../observability/access_log/stats.rst | 2 +- .../observability/access_log/usage.rst | 2 +- .../cluster_manager/cluster_runtime.rst | 5 +++ .../cluster_manager/cluster_stats.rst | 5 ++- docs/root/faq/configuration/flow_control.rst | 8 ++-- docs/root/faq/configuration/timeouts.rst | 2 +- .../faq/load_balancing/concurrency_lb.rst | 2 +- .../http/http_connection_management.rst | 6 +-- .../intro/arch_overview/http/upgrades.rst | 24 ++++++------ .../arch_overview/other_protocols/grpc.rst | 10 ++--- .../upstream/circuit_breaking.rst | 2 +- .../upstream/cluster_manager.rst | 4 +- .../upstream/connection_pooling.rst | 39 ++++++++++++++++--- .../intro/deployment_types/double_proxy.rst | 2 +- .../intro/deployment_types/front_proxy.rst | 2 +- .../deployment_types/service_to_service.rst | 4 +- docs/root/intro/what_is_envoy.rst | 7 +++- docs/root/start/sandboxes/grpc_bridge.rst | 3 +- docs/root/version_history/current.rst | 1 + .../envoy/config/core/v3/protocol.proto | 2 - .../envoy/config/core/v4alpha/protocol.proto | 2 - .../listener/v3/udp_listener_config.proto | 4 +- .../v4alpha/udp_listener_config.proto | 4 +- .../http/v3/http_protocol_options.proto | 8 ++-- .../http/v4alpha/http_protocol_options.proto | 8 ++-- 38 files changed, 128 insertions(+), 87 deletions(-) diff --git a/api/envoy/config/core/v3/protocol.proto b/api/envoy/config/core/v3/protocol.proto index 4109b19a4abd..a4d7a47e16ac 100644 --- a/api/envoy/config/core/v3/protocol.proto +++ b/api/envoy/config/core/v3/protocol.proto @@ -416,8 +416,6 @@ message GrpcProtocolOptions { Http2ProtocolOptions http2_protocol_options = 1; } -// [#not-implemented-hide:] -// // A message which allows using HTTP/3. message Http3ProtocolOptions { QuicProtocolOptions quic_protocol_options = 1; diff --git a/api/envoy/config/core/v4alpha/protocol.proto b/api/envoy/config/core/v4alpha/protocol.proto index 1e14ae5ee999..ffa8addaa1b8 100644 --- a/api/envoy/config/core/v4alpha/protocol.proto +++ b/api/envoy/config/core/v4alpha/protocol.proto @@ -410,8 +410,6 @@ message GrpcProtocolOptions { Http2ProtocolOptions http2_protocol_options = 1; } -// [#not-implemented-hide:] -// // A message which allows using HTTP/3. message Http3ProtocolOptions { option (udpa.annotations.versioning).previous_message_type = diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index 614f7e9d323e..dae6d3d44249 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -33,8 +33,8 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. - // [#not-implemented-hide:] - // [#comment:Unhide when QUIC alpha is announced with other docs.] + // .. note:: + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index fc99b86dd420..da4dbcc5e1b8 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -33,8 +33,8 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. - // [#not-implemented-hide:] - // [#comment:Unhide when QUIC alpha is announced with other docs.] + // .. note:: + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index 00cac9d27336..8bf12371d6f9 100644 --- a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -59,7 +59,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#next-free-field: 6] message HttpProtocolOptions { // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 should generally be used for upstream clusters doing gRPC. + // Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC. message ExplicitHttpConfig { oneof protocol_config { option (validate.required) = true; @@ -68,7 +68,8 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] + // .. note:: + // QUIC support is currently alpha and should be used with caution. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -80,7 +81,8 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] + // .. note:: + // QUIC support is currently alpha and should be used with caution. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index e3cf4476983a..876e81bcd526 100644 --- a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -63,7 +63,7 @@ message HttpProtocolOptions { "envoy.extensions.upstreams.http.v3.HttpProtocolOptions"; // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 should generally be used for upstream clusters doing gRPC. + // Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC. message ExplicitHttpConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.ExplicitHttpConfig"; @@ -75,7 +75,8 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] + // .. note:: + // QUIC support is currently alpha and should be used with caution. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -90,7 +91,8 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] + // .. note:: + // QUIC support is currently alpha and should be used with caution. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/docs/root/configuration/best_practices/edge.rst b/docs/root/configuration/best_practices/edge.rst index d61c4684c71a..fdeb376d23b4 100644 --- a/docs/root/configuration/best_practices/edge.rst +++ b/docs/root/configuration/best_practices/edge.rst @@ -20,7 +20,7 @@ HTTP proxies should additionally configure: to true (to avoid consuming HTTP headers from external clients, see :ref:`HTTP header sanitizing ` for details), * :ref:`connection and stream timeouts `, -* :ref:`HTTP/2 maximum concurrent streams limit ` to 100, +* :ref:`HTTP/2 maximum concurrent streams limit ` and :ref:`HTTP/3 maximum concurrent streams limit ` to 100 * :ref:`HTTP/2 initial stream window size limit ` to 64 KiB, * :ref:`HTTP/2 initial connection window size limit ` to 1 MiB. * :ref:`headers_with_underscores_action setting ` to REJECT_REQUEST, to protect upstream services that treat '_' and '-' as interchangeable. diff --git a/docs/root/configuration/best_practices/level_two.rst b/docs/root/configuration/best_practices/level_two.rst index 857649ce6787..18d26b0318c9 100644 --- a/docs/root/configuration/best_practices/level_two.rst +++ b/docs/root/configuration/best_practices/level_two.rst @@ -10,20 +10,20 @@ edge use case may need to be adjusted when using Envoy in a multi-level deployme .. image:: /_static/multilevel_deployment.svg **In summary, if you run level two Envoy version 1.11.1 or greater which terminates -HTTP/2, we strongly advise you to change the HttpConnectionManager configuration of your level +HTTP/2 or above, we strongly advise you to change the HttpConnectionManager configuration of your level two Envoy, by setting its downstream** :ref:`validation of HTTP messaging option ` **to true.** -If there is an invalid HTTP/2 request and this option is not set, the Envoy in +If there is an invalid request and this option is not set, the Envoy in question will reset the entire connection. This behavior was changed as part of the 1.11.1 security release, to increase the security of Edge Envoys. Unfortunately, -because there are no guarantees that edge proxies will enforce HTTP/1 or HTTP/2 -standards compliance as rigorously as Envoy’s HTTP/2 stack does, this can result +because there are no guarantees that edge proxies will enforce HTTP +standards compliance as rigorously as Envoy’s stack does, this can result in a problem as follows. If one client sends a request that for example passes level one proxy's validation checks, and it is forwarded over an upstream multiplexed -HTTP/2 connection (potentially shared with other clients) the strict enforcement on -the level two Envoy HTTP/2 will reset all the streams on that connection, causing +connection (potentially shared with other clients) the strict enforcement on +the level two Envoy will reset all the streams on that connection, causing a service disruption to the clients sharing that L1-L2 connection. If a malicious user has insight into what traffic will bypass level one checks, they could spray “bad” traffic across the level one fleet, causing serious disruption to other users’ diff --git a/docs/root/configuration/http/http_conn_man/stats.rst b/docs/root/configuration/http/http_conn_man/stats.rst index c6aa07f284d4..e1162bb16d7a 100644 --- a/docs/root/configuration/http/http_conn_man/stats.rst +++ b/docs/root/configuration/http/http_conn_man/stats.rst @@ -15,6 +15,7 @@ statistics: downstream_cx_http1_total, Counter, Total HTTP/1.1 connections downstream_cx_upgrades_total, Counter, Total successfully upgraded connections. These are also counted as total http1/http2 connections. downstream_cx_http2_total, Counter, Total HTTP/2 connections + downstream_cx_http3_total, Counter, Total HTTP/3 connections downstream_cx_destroy, Counter, Total connections destroyed downstream_cx_destroy_remote, Counter, Total connections destroyed due to remote close downstream_cx_destroy_local, Counter, Total connections destroyed due to local close @@ -26,6 +27,7 @@ statistics: downstream_cx_http1_active, Gauge, Total active HTTP/1.1 connections downstream_cx_upgrades_active, Gauge, Total active upgraded connections. These are also counted as active http1/http2 connections. downstream_cx_http2_active, Gauge, Total active HTTP/2 connections + downstream_cx_http3_active, Gauge, Total active HTTP/3 connections downstream_cx_protocol_error, Counter, Total protocol errors downstream_cx_length_ms, Histogram, Connection length milliseconds downstream_cx_rx_bytes_total, Counter, Total bytes received @@ -41,6 +43,7 @@ statistics: downstream_rq_total, Counter, Total requests downstream_rq_http1_total, Counter, Total HTTP/1.1 requests downstream_rq_http2_total, Counter, Total HTTP/2 requests + downstream_rq_http3_total, Counter, Total HTTP/3 requests downstream_rq_active, Gauge, Total active requests downstream_rq_response_before_rq_complete, Counter, Total responses sent before the request was complete downstream_rq_rx_reset, Counter, Total request resets received @@ -149,8 +152,8 @@ On the upstream side all http2 statistics are rooted at *cluster..http2.* .. attention:: - The HTTP/2 `streams_active` gauge may be greater than the HTTP connection manager - `downstream_rq_active` gauge due to differences in stream accounting between the codec and the + The HTTP `streams_active` gauges may be greater than the HTTP connection manager + `downstream_rq_active` gauge due to differences in stream accounting between the codecs and the HTTP connection manager. Tracing statistics diff --git a/docs/root/configuration/http/http_filters/aws_lambda_filter.rst b/docs/root/configuration/http/http_filters/aws_lambda_filter.rst index d281de9b0ab7..b311e5cc9dea 100644 --- a/docs/root/configuration/http/http_filters/aws_lambda_filter.rst +++ b/docs/root/configuration/http/http_filters/aws_lambda_filter.rst @@ -11,7 +11,7 @@ AWS Lambda The AWS Lambda filter is currently under active development. -The HTTP AWS Lambda filter is used to trigger an AWS Lambda function from a standard HTTP/1.x or HTTP/2 request. +The HTTP AWS Lambda filter is used to trigger an AWS Lambda function from a standard HTTP request. It supports a few options to control whether to pass through the HTTP request payload as is or to wrap it in a JSON schema. diff --git a/docs/root/configuration/http/http_filters/grpc_http1_bridge_filter.rst b/docs/root/configuration/http/http_filters/grpc_http1_bridge_filter.rst index 5454468c5ac2..e1cb31cab22a 100644 --- a/docs/root/configuration/http/http_filters/grpc_http1_bridge_filter.rst +++ b/docs/root/configuration/http/http_filters/grpc_http1_bridge_filter.rst @@ -32,7 +32,7 @@ response trailers to a compliant gRPC server. It works by doing the following: work with unary gRPC APIs. This filter also collects stats for all gRPC requests that transit, even if those requests are -normal gRPC requests over HTTP/2. +normal gRPC requests over HTTP/2 or above. More info: wire format in `gRPC over HTTP/2 `_. diff --git a/docs/root/configuration/http/http_filters/grpc_http1_reverse_bridge_filter.rst b/docs/root/configuration/http/http_filters/grpc_http1_reverse_bridge_filter.rst index d8d918c76c3b..96e1c4979042 100644 --- a/docs/root/configuration/http/http_filters/grpc_http1_reverse_bridge_filter.rst +++ b/docs/root/configuration/http/http_filters/grpc_http1_reverse_bridge_filter.rst @@ -8,7 +8,7 @@ gRPC HTTP/1.1 reverse bridge * This filter should be configured with the name *envoy.filters.http.grpc_http1_reverse_bridge*. This is a filter that enables converting an incoming gRPC request into a HTTP/1.1 request to allow -a server that does not understand HTTP/2 or gRPC semantics to handle the request. +a server that does not understand HTTP/2 or HTTP/3 or gRPC semantics to handle the request. The filter works by: diff --git a/docs/root/configuration/http/http_filters/lua_filter.rst b/docs/root/configuration/http/http_filters/lua_filter.rst index 119086b7acd4..da91f96680fe 100644 --- a/docs/root/configuration/http/http_filters/lua_filter.rst +++ b/docs/root/configuration/http/http_filters/lua_filter.rst @@ -659,7 +659,7 @@ protocol() streamInfo:protocol() Returns the string representation of :repo:`HTTP protocol ` -used by the current request. The possible values are: *HTTP/1.0*, *HTTP/1.1*, and *HTTP/2*. +used by the current request. The possible values are: *HTTP/1.0*, *HTTP/1.1*, *HTTP/2* and *HTTP/3*. downstreamLocalAddress() ^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/root/configuration/observability/access_log/stats.rst b/docs/root/configuration/observability/access_log/stats.rst index 9ea5d26ccec0..632ebaf48283 100644 --- a/docs/root/configuration/observability/access_log/stats.rst +++ b/docs/root/configuration/observability/access_log/stats.rst @@ -15,7 +15,7 @@ The gRPC access log has statistics rooted at *access_logs.grpc_access_log.* with :widths: 1, 1, 2 logs_written, Counter, Total log entries sent to the logger which were not dropped. This does not imply the logs have been flushed to the gRPC endpoint yet. - logs_dropped, Counter, Total log entries dropped due to network or HTTP/2 back up. + logs_dropped, Counter, Total log entries dropped due to network or application level back up. File access log statistics diff --git a/docs/root/configuration/observability/access_log/usage.rst b/docs/root/configuration/observability/access_log/usage.rst index 4eb2b0b8e7b5..b74049f4efc8 100644 --- a/docs/root/configuration/observability/access_log/usage.rst +++ b/docs/root/configuration/observability/access_log/usage.rst @@ -181,7 +181,7 @@ The following command operators are supported: %PROTOCOL% HTTP - Protocol. Currently either *HTTP/1.1* or *HTTP/2*. + Protocol. Currently either *HTTP/1.1* *HTTP/2* or *HTTP/3*. TCP Not implemented ("-"). diff --git a/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst b/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst index 9f6c8808d17e..086e7c098b4f 100644 --- a/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst +++ b/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst @@ -143,6 +143,11 @@ upstream.use_http2 Whether the cluster utilizes the *http2* if configured in `HttpProtocolOptions `. Set to 0 to disable HTTP/2 even if the feature is configured. Defaults to enabled. +upstream.use_http3 + Whether the cluster utilizes the *http3* if configured in `HttpProtocolOptions `. + Set to 0 to disable HTTP/3 even if the feature is configured. Defaults to enabled. + + .. _config_cluster_manager_cluster_runtime_zone_routing: Zone aware load balancing diff --git a/docs/root/configuration/upstream/cluster_manager/cluster_stats.rst b/docs/root/configuration/upstream/cluster_manager/cluster_stats.rst index dec6e20fb7d7..055240a77172 100644 --- a/docs/root/configuration/upstream/cluster_manager/cluster_stats.rst +++ b/docs/root/configuration/upstream/cluster_manager/cluster_stats.rst @@ -38,6 +38,7 @@ Every cluster has a statistics tree rooted at *cluster..* with the followi upstream_cx_active, Gauge, Total active connections upstream_cx_http1_total, Counter, Total HTTP/1.1 connections upstream_cx_http2_total, Counter, Total HTTP/2 connections + upstream_cx_http3_total, Counter, Total HTTP/3 connections upstream_cx_connect_fail, Counter, Total connection failures upstream_cx_connect_timeout, Counter, Total connection connect timeouts upstream_cx_idle_timeout, Counter, Total connection idle timeouts @@ -51,7 +52,7 @@ Every cluster has a statistics tree rooted at *cluster..* with the followi upstream_cx_destroy_with_active_rq, Counter, Total connections destroyed with 1+ active request upstream_cx_destroy_local_with_active_rq, Counter, Total connections destroyed locally with 1+ active request upstream_cx_destroy_remote_with_active_rq, Counter, Total connections destroyed remotely with 1+ active request - upstream_cx_close_notify, Counter, Total connections closed via HTTP/1.1 connection close header or HTTP/2 GOAWAY + upstream_cx_close_notify, Counter, Total connections closed via HTTP/1.1 connection close header or HTTP/2 or HTTP/3 GOAWAY upstream_cx_rx_bytes_total, Counter, Total received connection bytes upstream_cx_rx_bytes_buffered, Gauge, Received connection bytes currently buffered upstream_cx_tx_bytes_total, Counter, Total sent connection bytes @@ -63,7 +64,7 @@ Every cluster has a statistics tree rooted at *cluster..* with the followi upstream_rq_total, Counter, Total requests upstream_rq_active, Gauge, Total active requests upstream_rq_pending_total, Counter, Total requests pending a connection pool connection - upstream_rq_pending_overflow, Counter, Total requests that overflowed connection pool or requests (mainly for HTTP/2) circuit breaking and were failed + upstream_rq_pending_overflow, Counter, Total requests that overflowed connection pool or requests (mainly for HTTP/2 and above) circuit breaking and were failed upstream_rq_pending_failure_eject, Counter, Total requests that were failed due to a connection pool connection failure or remote connection termination upstream_rq_pending_active, Gauge, Total active requests pending a connection pool connection upstream_rq_cancelled, Counter, Total requests cancelled before obtaining a connection pool connection diff --git a/docs/root/faq/configuration/flow_control.rst b/docs/root/faq/configuration/flow_control.rst index 9bbce146a95e..6bc3ef3e0133 100644 --- a/docs/root/faq/configuration/flow_control.rst +++ b/docs/root/faq/configuration/flow_control.rst @@ -22,12 +22,12 @@ and downstream. The listener limits are also propogated to the HttpConnectionManager, and applied on a per-stream basis to HTTP/1.1 L7 buffers described below. As such they limit the size of HTTP/1 requests and -response bodies that can be buffered. For HTTP/2, as many streams can be multiplexed over one TCP +response bodies that can be buffered. For HTTP/2 and HTTP/3, as many streams can be multiplexed over one connection, the L7 and L4 buffer limits can be tuned separately, and the configuration option :ref:`http2 stream limits ` -is applied to all of the L7 buffers. Note that for both HTTP/1 and -HTTP/2 Envoy can and will proxy arbitrarily large bodies on routes where all L7 filters are -streaming, but many filters such as the transcoder or buffer filters require the full HTTP body to +is applied to all of the L7 buffers. Note that for all version of HTTP Envoy can and will proxy +arbitrarily large bodies on routes where all L7 filters are streaming, but many filters such as the transcoder +or buffer filters require the full HTTP body to be buffered, so limit the request and response size based on the listener limit. The cluster limits affect how much raw data will be read per read() call from upstream, as diff --git a/docs/root/faq/configuration/timeouts.rst b/docs/root/faq/configuration/timeouts.rst index 33640d6bcdcd..53a2366f4cf2 100644 --- a/docs/root/faq/configuration/timeouts.rst +++ b/docs/root/faq/configuration/timeouts.rst @@ -60,7 +60,7 @@ context request/stream is interchangeable. is the amount of time that the connection manager will allow a stream to exist with no upstream or downstream activity. The default stream idle timeout is *5 minutes*. This timeout is strongly recommended for all requests (not just streaming requests/responses) as it additionally defends - against an HTTP/2 peer that does not open stream window once an entire response has been buffered + against a peer that does not open stream window once an entire response has been buffered to be sent to a downstream client. * The HTTP protocol :ref:`max_stream_duration ` is defined in a generic message used by the HTTP connection manager. The max stream duration is the diff --git a/docs/root/faq/load_balancing/concurrency_lb.rst b/docs/root/faq/load_balancing/concurrency_lb.rst index 0c247da7a17a..682d9b1ef69a 100644 --- a/docs/root/faq/load_balancing/concurrency_lb.rst +++ b/docs/root/faq/load_balancing/concurrency_lb.rst @@ -7,5 +7,5 @@ load balancing policies such as :ref:`round robin ` are not shared between workers. diff --git a/docs/root/intro/arch_overview/http/http_connection_management.rst b/docs/root/intro/arch_overview/http/http_connection_management.rst index 2cc332d2f814..8719ccccf238 100644 --- a/docs/root/intro/arch_overview/http/http_connection_management.rst +++ b/docs/root/intro/arch_overview/http/http_connection_management.rst @@ -19,14 +19,14 @@ HTTP connection manager :ref:`configuration `. HTTP protocols -------------- -Envoy’s HTTP connection manager has native support for HTTP/1.1, WebSockets, and HTTP/2. It does not support -SPDY. Envoy’s HTTP support was designed to first and foremost be an HTTP/2 multiplexing proxy. +Envoy’s HTTP connection manager has native support for HTTP/1.1, WebSockets, HTTP/2 and HTTP/3. It does not support +SPDY. Envoy’s HTTP support was designed to first and foremost be an HTTP/2+ multiplexing proxy. Internally, HTTP/2 terminology is used to describe system components. For example, an HTTP request and response take place on a *stream*. A codec API is used to translate from different wire protocols into a protocol agnostic form for streams, requests, responses, etc. In the case of HTTP/1.1, the codec translates the serial/pipelining capabilities of the protocol into something that looks like HTTP/2 to higher layers. This means that the majority of the code does not need to -understand whether a stream originated on an HTTP/1.1 or HTTP/2 connection. +understand whether a stream originated on an HTTP/1.1, HTTP/2, or HTTP/3 connection. HTTP header sanitizing ---------------------- diff --git a/docs/root/intro/arch_overview/http/upgrades.rst b/docs/root/intro/arch_overview/http/upgrades.rst index 532b22e16f3e..5175b58e4502 100644 --- a/docs/root/intro/arch_overview/http/upgrades.rst +++ b/docs/root/intro/arch_overview/http/upgrades.rst @@ -40,30 +40,30 @@ Note that the statistics for upgrades are all bundled together so WebSocket and :ref:`statistics ` are tracked by stats such as downstream_cx_upgrades_total and downstream_cx_upgrades_active -Websocket over HTTP/2 hops -^^^^^^^^^^^^^^^^^^^^^^^^^^ +Websocket over HTTP/2 or HTTP/3 hops +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -While HTTP/2 support for WebSockets is off by default, Envoy does support tunneling WebSockets over -HTTP/2 streams for deployments that prefer a uniform HTTP/2 mesh throughout; this enables, for example, +While HTTP/2 and HTTP/3 support for WebSockets is off by default, Envoy does support tunneling WebSockets over +HTTP/2 and above for deployments that prefer a uniform HTTP/2+ mesh throughout; this enables, for example, a deployment of the form: [Client] ---- HTTP/1.1 ---- [Front Envoy] ---- HTTP/2 ---- [Sidecar Envoy ---- H1 ---- App] In this case, if a client is for example using WebSocket, we want the Websocket to arrive at the -upstream server functionally intact, which means it needs to traverse the HTTP/2 hop. +upstream server functionally intact, which means it needs to traverse the HTTP/2+ hop. This is accomplished via `Extended CONNECT (RFC8441) `_ support, turned on by setting :ref:`allow_connect ` true at the second layer Envoy. The -WebSocket request will be transformed into an HTTP/2 CONNECT stream, with :protocol header -indicating the original upgrade, traverse the HTTP/2 hop, and be downgraded back into an HTTP/1 +WebSocket request will be transformed into an HTTP/2+ CONNECT stream, with :protocol header +indicating the original upgrade, traverse the HTTP/2+ hop, and be downgraded back into an HTTP/1 WebSocket Upgrade. This same Upgrade-CONNECT-Upgrade transformation will be performed on any -HTTP/2 hop, with the documented flaw that the HTTP/1.1 method is always assumed to be GET. +HTTP/2+ hop, with the documented flaw that the HTTP/1.1 method is always assumed to be GET. Non-WebSocket upgrades are allowed to use any valid HTTP method (i.e. POST) and the current upgrade/downgrade mechanism will drop the original method and transform the Upgrade request to a GET method on the final Envoy-Upstream hop. -Note that the HTTP/2 upgrade path has very strict HTTP/1.1 compliance, so will not proxy WebSocket +Note that the HTTP/2+ upgrade path has very strict HTTP/1.1 compliance, so will not proxy WebSocket upgrade requests or responses with bodies. CONNECT support @@ -73,7 +73,7 @@ Envoy CONNECT support is off by default (Envoy will send an internally generated CONNECT requests). CONNECT support can be enabled via the upgrade options described above, setting the upgrade value to the special keyword "CONNECT". -While for HTTP/2, CONNECT request may have a path, in general and for HTTP/1.1 CONNECT requests do +While for HTTP/2 and above, CONNECT request may have a path, in general and for HTTP/1.1 CONNECT requests do not have a path, and can only be matched using a :ref:`connect_matcher `. Please also note that when doing non-wildcard domain matching for CONNECT requests, the CONNECT target is matched @@ -110,7 +110,7 @@ Tunneling TCP over HTTP Envoy also has support for tunneling raw TCP over HTTP CONNECT or HTTP POST requests. Find below some usage scenarios. -HTTP/2 CONNECT can be used to proxy multiplexed TCP over pre-warmed secure connections and amortize +HTTP/2+ CONNECT can be used to proxy multiplexed TCP over pre-warmed secure connections and amortize the cost of any TLS handshake. An example set up proxying SMTP would look something like this: @@ -124,7 +124,7 @@ supporting HTTP/2): Note that when using HTTP/1 CONNECT you will end up having a TCP connection between L1 and L2 Envoy for each TCP client connection, it is preferable to use -HTTP/2 when you have the choice. +HTTP/2 or above when you have the choice. HTTP POST can also be used to proxy multiplexed TCP when intermediate proxies that don't support CONNECT. An example set up proxying HTTP would look something like this: diff --git a/docs/root/intro/arch_overview/other_protocols/grpc.rst b/docs/root/intro/arch_overview/other_protocols/grpc.rst index 01275183b155..201af54d21c9 100644 --- a/docs/root/intro/arch_overview/other_protocols/grpc.rst +++ b/docs/root/intro/arch_overview/other_protocols/grpc.rst @@ -4,12 +4,12 @@ gRPC ==== `gRPC `_ is an RPC framework from Google. It uses protocol buffers as the -underlying serialization/IDL format. At the transport layer it uses HTTP/2 for request/response +underlying serialization/IDL format. At the transport layer it uses HTTP/2 or above for request/response multiplexing. Envoy has first class support for gRPC both at the transport layer as well as at the application layer: -* gRPC makes use of HTTP/2 trailers to convey request status. Envoy is one of very few HTTP proxies - that correctly supports HTTP/2 trailers and is thus one of the few proxies that can transport +* gRPC makes use of trailers to convey request status. Envoy is one of very few HTTP proxies + that correctly supports trailers and is thus one of the few proxies that can transport gRPC requests and responses. * The gRPC runtime for some languages is relatively immature. See :ref:`below ` for an overview of filters that can help bring gRPC to more languages. @@ -29,7 +29,7 @@ gRPC bridging Envoy supports two gRPC bridges: * :ref:`grpc_http1_bridge filter ` which allows gRPC requests to be sent to Envoy over - HTTP/1.1. Envoy then translates the requests to HTTP/2 for transport to the target server. The response is translated back to HTTP/1.1. + HTTP/1.1. Envoy then translates the requests to HTTP/2 or HTTP/3 for transport to the target server. The response is translated back to HTTP/1.1. When installed, the bridge filter gathers per RPC statistics in addition to the standard array of global HTTP statistics. * :ref:`grpc_http1_reverse_bridge filter ` which allows gRPC requests to be sent to Envoy and then translated to HTTP/1.1 when sent to the upstream. The response is then converted back into gRPC when sent to the downstream. @@ -52,7 +52,7 @@ When specifying gRPC services, it's necessary to specify the use of either the discuss the tradeoffs in this choice below. The Envoy gRPC client is a minimal custom implementation of gRPC that makes use -of Envoy's HTTP/2 upstream connection management. Services are specified as +of Envoy's HTTP/2 or HTTP/3 upstream connection management. Services are specified as regular Envoy :ref:`clusters `, with regular treatment of :ref:`timeouts, retries `, endpoint :ref:`discovery `/:ref:`load diff --git a/docs/root/intro/arch_overview/upstream/circuit_breaking.rst b/docs/root/intro/arch_overview/upstream/circuit_breaking.rst index 5c808e4d4c06..13de15649c14 100644 --- a/docs/root/intro/arch_overview/upstream/circuit_breaking.rst +++ b/docs/root/intro/arch_overview/upstream/circuit_breaking.rst @@ -31,7 +31,7 @@ configure and code each application independently. Envoy supports various types configured, all requests will be multiplexed over the same connection so this circuit breaker will only be hit when no connection is already established. If this circuit breaker overflows the :ref:`upstream_rq_pending_overflow ` counter for the cluster will - increment. + increment. For HTTP/3 the equivalent to HTTP/2's :ref:`max concurrent streams ` is :ref:`max concurrent streams ` * **Cluster maximum requests**: The maximum number of requests that can be outstanding to all hosts in a cluster at any given time. If this circuit breaker overflows the :ref:`upstream_rq_pending_overflow ` counter for the cluster will increment. diff --git a/docs/root/intro/arch_overview/upstream/cluster_manager.rst b/docs/root/intro/arch_overview/upstream/cluster_manager.rst index 8550d3a0655b..fd367d4e959a 100644 --- a/docs/root/intro/arch_overview/upstream/cluster_manager.rst +++ b/docs/root/intro/arch_overview/upstream/cluster_manager.rst @@ -11,11 +11,11 @@ Upstream clusters and hosts are abstracted from the network/HTTP filter stack gi clusters and hosts may be used for any number of different proxy tasks. The cluster manager exposes APIs to the filter stack that allow filters to obtain a L3/L4 connection to an upstream cluster, or a handle to an abstract HTTP connection pool to an upstream cluster (whether the upstream host -supports HTTP/1.1 or HTTP/2 is hidden). A filter stage determines whether it needs an L3/L4 +supports HTTP/1.1, HTTP/2, or HTTP/3 is hidden). A filter stage determines whether it needs an L3/L4 connection or a new HTTP stream and the cluster manager handles all of the complexity of knowing which hosts are available and healthy, load balancing, thread local storage of upstream connection data (since most Envoy code is written to be single threaded), upstream connection type (TCP/IP, -UDS), upstream protocol where applicable (HTTP/1.1, HTTP/2), etc. +UDS), upstream protocol where applicable (HTTP/1.1, HTTP/2, HTTP/3), etc. Clusters known to the cluster manager can be configured either statically, or fetched dynamically via the cluster discovery service (CDS) API. Dynamic cluster fetches allow more configuration to diff --git a/docs/root/intro/arch_overview/upstream/connection_pooling.rst b/docs/root/intro/arch_overview/upstream/connection_pooling.rst index dc794404f630..2ac987efc490 100644 --- a/docs/root/intro/arch_overview/upstream/connection_pooling.rst +++ b/docs/root/intro/arch_overview/upstream/connection_pooling.rst @@ -4,7 +4,7 @@ Connection pooling ================== For HTTP traffic, Envoy supports abstract connection pools that are layered on top of the underlying -wire protocol (HTTP/1.1 or HTTP/2). The utilizing filter code does not need to be aware of whether +wire protocol (HTTP/1.1, HTTP/2, HTTP/3). The utilizing filter code does not need to be aware of whether the underlying protocol supports true multiplexing or not. In practice the underlying implementations have the following high level properties: @@ -32,17 +32,44 @@ pool will drain the affected connection. Once a connection reaches its :ref:`max stream limit `, it will be marked as busy until a stream is available. New connections are established anytime there is a pending request without a connection that can be dispatched to (up to circuit breaker limits for -connections). HTTP/2 is the preferred communication protocol, as connections rarely, if ever, get -severed. +connections). HTTP/2 is the preferred communication protocol when Envoy is operating as a reverse proxy, +as connections rarely, if ever, get severed. + +HTTP/3 +------ + +The HTTP/3 connection pool multiplexes multiple requests over a single connection, up to the limits +imposed by :ref:`max concurrent streams +` and :ref:`max +requests per connection `. +The HTTP/3 connection pool establishes as many connections as are needed to serve requests. With no +limits, this will be only a single connection. If a GOAWAY frame is received or if the connection +reaches the :ref:`maximum requests per connection +` limit, the connection +pool will drain the affected connection. Once a connection reaches its :ref:`maximum concurrent +stream limit `, it +will be marked as busy until a stream is available. New connections are established anytime there is +a pending request without a connection that can be dispatched to (up to circuit breaker limits for +connections). HTTP/3 upstream support is currently only usable in situations where HTTP/3 is guaranteed +to work, but automatic failover to TCP is coming soon!. + +Automatic protocol selection +---------------------------- + +For Envoy acting as a forward proxy, the preferred configuration is the +`AutoHttpConfig ` +, configued via +`http_protocol_options `. +By default it will use TCP and ALPN to select the best available protocol of HTTP/2 and HTTP/1.1. .. _arch_overview_conn_pool_how_many: Number of connection pools -------------------------- -Each host in each cluster will have one or more connection pools. If the cluster is HTTP/1 or HTTP/2 -only, then the host may have only a single connection pool. However, if the cluster supports multiple -upstream protocols, then at least one connection pool per protocol will be allocated. Separate +Each host in each cluster will have one or more connection pools. If the cluster has a single explicit +protocol configured, then the host may have only a single connection pool. However, if the cluster supports multiple +upstream protocols, then unless it is using ALPN, one connection pool per protocol may be allocated. Separate connection pools are also allocated for each of the following features: * :ref:`Routing priority ` diff --git a/docs/root/intro/deployment_types/double_proxy.rst b/docs/root/intro/deployment_types/double_proxy.rst index 84d882d2bb5a..cbf6cef40f4b 100644 --- a/docs/root/intro/deployment_types/double_proxy.rst +++ b/docs/root/intro/deployment_types/double_proxy.rst @@ -11,7 +11,7 @@ another Envoy cluster running as a *double proxy*. The idea behind the double pr more efficient to terminate TLS and client connections as close as possible to the user (shorter round trip times for the TLS handshake, faster TCP CWND expansion, less chance for packet loss, etc.). Connections that terminate in the double proxy are then multiplexed onto long lived HTTP/2 -connections running in the main data center. +or HTTP/3 connections running in the main data center. In the above diagram, the front Envoy proxy running in region 1 authenticates itself with the front Envoy proxy running in region 2 via TLS mutual authentication and pinned certificates. This allows diff --git a/docs/root/intro/deployment_types/front_proxy.rst b/docs/root/intro/deployment_types/front_proxy.rst index f335f7a05d00..a8a11d4177c9 100644 --- a/docs/root/intro/deployment_types/front_proxy.rst +++ b/docs/root/intro/deployment_types/front_proxy.rst @@ -10,7 +10,7 @@ configuration sitting behind an Envoy cluster used as an HTTP L7 edge reverse pr reverse proxy provides the following features: * Terminates TLS. -* Supports both HTTP/1.1 and HTTP/2. +* Supports HTTP/1.1, HTTP/2, and HTTP/3. * Full HTTP L7 routing support. * Talks to the service to service Envoy clusters via the standard :ref:`ingress port ` and using the discovery service for host diff --git a/docs/root/intro/deployment_types/service_to_service.rst b/docs/root/intro/deployment_types/service_to_service.rst index 73e785bda9e6..af29030d9447 100644 --- a/docs/root/intro/deployment_types/service_to_service.rst +++ b/docs/root/intro/deployment_types/service_to_service.rst @@ -14,7 +14,7 @@ Service to service egress listener ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This is the port used by applications to talk to other services in the infrastructure. For example, -*http://localhost:9001*. HTTP and gRPC requests use the HTTP/1.1 *host* header or the HTTP/2 +*http://localhost:9001*. HTTP and gRPC requests use the HTTP/1.1 *host* header or the HTTP/2 or HTTP/3 *:authority* header to indicate which remote cluster the request is destined for. Envoy handles service discovery, load balancing, rate limiting, etc. depending on the details in the configuration. Services only need to know about the local Envoy and do not need to concern @@ -38,7 +38,7 @@ performs buffering, circuit breaking, etc. as needed. Our default configurations use HTTP/2 for all Envoy to Envoy communication, regardless of whether the application uses HTTP/1.1 or HTTP/2 when egressing out of a local Envoy. HTTP/2 provides -better performance via long lived connections and explicit reset notifications. +better performance than HTTP/1.1 via long lived connections and explicit reset notifications. .. image:: /_static/service_to_service_ingress_listener.svg :width: 55% diff --git a/docs/root/intro/what_is_envoy.rst b/docs/root/intro/what_is_envoy.rst index 9f89575877d6..84acb61ac087 100644 --- a/docs/root/intro/what_is_envoy.rst +++ b/docs/root/intro/what_is_envoy.rst @@ -46,13 +46,16 @@ clients and target servers can be bridged. The recommended service to service co HTTP/2 between all Envoys to create a mesh of persistent connections that requests and responses can be multiplexed over. +**HTTP/3 support (currently in alpha):** As of 1.19.0, Envoy now supports HTTP/3 upstream and downstream, +and translating between any combination of HTTP/1.1, HTTP/2 and HTTP/3 in either direction. + **HTTP L7 routing:** When operating in HTTP mode, Envoy supports a :ref:`routing ` subsystem that is capable of routing and redirecting requests based on path, authority, content type, :ref:`runtime ` values, etc. This functionality is most useful when using Envoy as a front/edge proxy but is also leveraged when building a service to service mesh. -**gRPC support:** `gRPC `_ is an RPC framework from Google that uses HTTP/2 +**gRPC support:** `gRPC `_ is an RPC framework from Google that uses HTTP/2 or above as the underlying multiplexed transport. Envoy :ref:`supports ` all of the HTTP/2 features required to be used as the routing and load balancing substrate for gRPC requests and responses. The two systems are very complementary. @@ -88,7 +91,7 @@ racing. **Front/edge proxy support:** There is substantial benefit in using the same software at the edge (observability, management, identical service discovery and load balancing algorithms, etc.). Envoy has a feature set that makes it well suited as an edge proxy for most modern web application use -cases. This includes :ref:`TLS ` termination, HTTP/1.1 and HTTP/2 :ref:`support +cases. This includes :ref:`TLS ` termination, HTTP/1.1 HTTP/2 and HTTP/3 :ref:`support `, as well as HTTP L7 :ref:`routing `. **Best in class observability:** As stated above, the primary goal of Envoy is to make the network diff --git a/docs/root/start/sandboxes/grpc_bridge.rst b/docs/root/start/sandboxes/grpc_bridge.rst index 90b98021729b..e3ce921141c0 100644 --- a/docs/root/start/sandboxes/grpc_bridge.rst +++ b/docs/root/start/sandboxes/grpc_bridge.rst @@ -13,7 +13,8 @@ The gRPC bridge sandbox is an example usage of Envoy's This is an example of a key-value store where an ``http``-based client CLI, written in ``Python``, updates a remote store, written in ``Go``, using the stubs generated for both languages. -The client send messages through a proxy that upgrades the HTTP requests from ``http/1.1`` to ``http/2``. +The client send messages through a proxy that upgrades the HTTP requests from ``http/1.1`` to ``http/2`` or +``http/3`` ``[client](http/1.1) -> [client-egress-proxy](http/2) -> [server-ingress-proxy](http/2) -> [server]`` diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index a3c7b27d34e0..3b24a321bbd6 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -143,6 +143,7 @@ New Features * http: added support for :ref:`preconnecting `. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic, especially if using HTTP/1.1. * http: added new runtime config `envoy.reloadable_features.check_unsupported_typed_per_filter_config`, the default value is true. When the value is true, envoy will reject virtual host-specific typed per filter config when the filter doesn't support it. * http: added the ability to preserve HTTP/1 header case across the proxy. See the :ref:`header casing ` documentation for more information. +* http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options ` for downstream and the new http3_protocol_options in :ref:`http_protocol_options ` for upstream HTTP/3. * http: change frame flood and abuse checks to the upstream HTTP/2 codec to ON by default. It can be disabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to false. * json: introduced new JSON parser (https://github.com/nlohmann/json) to replace RapidJSON. The new parser is disabled by default. To test the new RapidJSON parser, enable the runtime feature `envoy.reloadable_features.remove_legacy_json`. * kill_request: :ref:`Kill Request ` Now supports bidirection killing. diff --git a/generated_api_shadow/envoy/config/core/v3/protocol.proto b/generated_api_shadow/envoy/config/core/v3/protocol.proto index 4109b19a4abd..a4d7a47e16ac 100644 --- a/generated_api_shadow/envoy/config/core/v3/protocol.proto +++ b/generated_api_shadow/envoy/config/core/v3/protocol.proto @@ -416,8 +416,6 @@ message GrpcProtocolOptions { Http2ProtocolOptions http2_protocol_options = 1; } -// [#not-implemented-hide:] -// // A message which allows using HTTP/3. message Http3ProtocolOptions { QuicProtocolOptions quic_protocol_options = 1; diff --git a/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto b/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto index 85032f663735..7ab30212ba6d 100644 --- a/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto +++ b/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto @@ -422,8 +422,6 @@ message GrpcProtocolOptions { Http2ProtocolOptions http2_protocol_options = 1; } -// [#not-implemented-hide:] -// // A message which allows using HTTP/3. message Http3ProtocolOptions { option (udpa.annotations.versioning).previous_message_type = diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index 8c89ad0032ac..29e72a4e36e8 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -34,8 +34,8 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. - // [#not-implemented-hide:] - // [#comment:Unhide when QUIC alpha is announced with other docs.] + // .. note:: + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; oneof config_type { diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index fc99b86dd420..da4dbcc5e1b8 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -33,8 +33,8 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. - // [#not-implemented-hide:] - // [#comment:Unhide when QUIC alpha is announced with other docs.] + // .. note:: + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index 00cac9d27336..8bf12371d6f9 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -59,7 +59,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#next-free-field: 6] message HttpProtocolOptions { // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 should generally be used for upstream clusters doing gRPC. + // Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC. message ExplicitHttpConfig { oneof protocol_config { option (validate.required) = true; @@ -68,7 +68,8 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] + // .. note:: + // QUIC support is currently alpha and should be used with caution. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -80,7 +81,8 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] + // .. note:: + // QUIC support is currently alpha and should be used with caution. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index e3cf4476983a..876e81bcd526 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -63,7 +63,7 @@ message HttpProtocolOptions { "envoy.extensions.upstreams.http.v3.HttpProtocolOptions"; // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 should generally be used for upstream clusters doing gRPC. + // Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC. message ExplicitHttpConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.ExplicitHttpConfig"; @@ -75,7 +75,8 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] + // .. note:: + // QUIC support is currently alpha and should be used with caution. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -90,7 +91,8 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] + // .. note:: + // QUIC support is currently alpha and should be used with caution. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } From bb5e9342bec0060cc40500868e8f0566a5c8525f Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Mon, 12 Apr 2021 12:45:34 -0400 Subject: [PATCH 02/20] spacing Signed-off-by: Alyssa Wilk --- api/envoy/config/listener/v3/udp_listener_config.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index dae6d3d44249..495fd7edf2dd 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -34,7 +34,7 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. // .. note:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } From 28a6ea6f21d733f1526b485fe950c68ac111e667 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Mon, 12 Apr 2021 13:54:56 -0400 Subject: [PATCH 03/20] format, proto, format, proto, format? Signed-off-by: Alyssa Wilk --- api/envoy/config/listener/v4alpha/udp_listener_config.proto | 2 +- .../envoy/config/listener/v3/udp_listener_config.proto | 2 +- .../envoy/config/listener/v4alpha/udp_listener_config.proto | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index da4dbcc5e1b8..883abec0ef05 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -34,7 +34,7 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. // .. note:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index 29e72a4e36e8..2c7109bdc89f 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -35,7 +35,7 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. // .. note:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; oneof config_type { diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index da4dbcc5e1b8..883abec0ef05 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -34,7 +34,7 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. // .. note:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } From f20546ff7d164e1f34646bed78edfa043ba6886a Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Mon, 12 Apr 2021 15:47:37 -0400 Subject: [PATCH 04/20] docs build? Signed-off-by: Alyssa Wilk --- api/envoy/config/listener/v3/udp_listener_config.proto | 3 ++- api/envoy/config/listener/v4alpha/udp_listener_config.proto | 3 ++- .../envoy/config/listener/v3/udp_listener_config.proto | 3 ++- .../envoy/config/listener/v4alpha/udp_listener_config.proto | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index 495fd7edf2dd..8b9e2bdbc5dc 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -33,8 +33,9 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. + // // .. note:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index 883abec0ef05..5ec802a5557c 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -33,8 +33,9 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. + // // .. note:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index 2c7109bdc89f..ebdca1ef640c 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -34,8 +34,9 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. + // // .. note:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; oneof config_type { diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index 883abec0ef05..5ec802a5557c 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -33,8 +33,9 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. + // // .. note:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. QuicProtocolOptions quic_options = 7; } From 0bad720903991661fb2c5b5f086b7fce02d6ca76 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Thu, 29 Apr 2021 11:38:16 -0400 Subject: [PATCH 05/20] more detail Signed-off-by: Alyssa Wilk --- .../http/jwt_authn/v2alpha/config.proto | 3 +- .../listener/v3/udp_listener_config.proto | 9 +++ .../v4alpha/udp_listener_config.proto | 9 +++ .../filters/http/jwt_authn/v3/config.proto | 3 +- .../http/jwt_authn/v4alpha/config.proto | 3 +- .../http/v3/http_protocol_options.proto | 22 ++++++-- .../http/v4alpha/http_protocol_options.proto | 22 ++++++-- ...xy_io_proxy_http3_downstream.template.yaml | 4 ++ docs/root/intro/arch_overview/http/http.rst | 1 + docs/root/intro/arch_overview/http/http3.rst | 37 +++++++++++++ .../upstream/connection_pooling.rst | 13 +++++ docs/root/version_history/current.rst | 55 ------------------- .../http/jwt_authn/v2alpha/config.proto | 3 +- .../listener/v3/udp_listener_config.proto | 9 +++ .../v4alpha/udp_listener_config.proto | 9 +++ .../filters/http/jwt_authn/v3/config.proto | 3 +- .../http/jwt_authn/v4alpha/config.proto | 3 +- .../http/v3/http_protocol_options.proto | 22 ++++++-- .../http/v4alpha/http_protocol_options.proto | 22 ++++++-- tools/spelling/spelling_dictionary.txt | 1 + 20 files changed, 176 insertions(+), 77 deletions(-) create mode 100644 docs/root/intro/arch_overview/http/http3.rst diff --git a/api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto b/api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto index 07044f92201e..847e36f163ba 100644 --- a/api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto +++ b/api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto @@ -390,7 +390,8 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map requires = 3; + map + requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index 8b9e2bdbc5dc..92c4d6f4a108 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -36,6 +36,15 @@ message UdpListenerConfig { // // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // For known outstanding issues before Envoy QUIC support is GA, you can + // track https://github.com/envoyproxy/envoy/labels/quic-mvp for example + // QUIC does not currently support in place filter chain updates, so users + // requiring dynamic config reload for QUIC should wait until + // https://github.com/envoyproxy/envoy/issues/13115 has been addressed. + // + // For general feature requets beyond production readiness, you can track + // https://github.com/envoyproxy/envoy/labels/area%2Fquic QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index 5ec802a5557c..0cf6a4b4e9c9 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -36,6 +36,15 @@ message UdpListenerConfig { // // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // For known outstanding issues before Envoy QUIC support is GA, you can + // track https://github.com/envoyproxy/envoy/labels/quic-mvp for example + // QUIC does not currently support in place filter chain updates, so users + // requiring dynamic config reload for QUIC should wait until + // https://github.com/envoyproxy/envoy/issues/13115 has been addressed. + // + // For general feature requets beyond production readiness, you can track + // https://github.com/envoyproxy/envoy/labels/area%2Fquic QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 08ef7a09feb2..c1d8326cec3b 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -449,7 +449,8 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map requires = 3; + map + requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 7656f09912e9..48ceb05906f0 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -449,7 +449,8 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map requires = 3; + map + requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index 113dd2d6f89e..b325fdd65227 100644 --- a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -70,6 +70,9 @@ message HttpProtocolOptions { // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // See comments :ref:`here ` + // for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -83,6 +86,9 @@ message HttpProtocolOptions { // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // See comments :ref:`here ` + // for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } @@ -100,11 +106,19 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present. If HTTP/3 is present, attempts to connect will first be made - // via HTTP/3, and if the HTTP/3 connection fails, TCP (HTTP/1 or HTTP/2 - // based on ALPN) will be used instead. + // present, and will eventually rely on server-side alt-svc advertisement to try HTTP/3. + // If HTTP/3 is configured via HTTP/3, and if the HTTP/3 connection fails (currently controlled by a + // hard-coded timeout) TCP (HTTP/1 or HTTP/2 based on ALPN) will be + // attempted as well. + // See :ref:`here ` for more information. + // + // .. note:: + // QUIC support is currently alpha and should be used with caution, and + // the auto config is undergoing especially rapid change. + // + // See comments :ref:`here ` + // for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 0c208e33ff7c..0b2ce20dede8 100644 --- a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -77,6 +77,9 @@ message HttpProtocolOptions { // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // See comments :ref:`here ` + // for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -93,6 +96,9 @@ message HttpProtocolOptions { // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // See comments :ref:`here ` + // for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } @@ -113,11 +119,19 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present. If HTTP/3 is present, attempts to connect will first be made - // via HTTP/3, and if the HTTP/3 connection fails, TCP (HTTP/1 or HTTP/2 - // based on ALPN) will be used instead. + // present, and will eventually rely on server-side alt-svc advertisement to try HTTP/3. + // If HTTP/3 is configured via HTTP/3, and if the HTTP/3 connection fails (currently controlled by a + // hard-coded timeout) TCP (HTTP/1 or HTTP/2 based on ALPN) will be + // attempted as well. + // See :ref:`here ` for more information. + // + // .. note:: + // QUIC support is currently alpha and should be used with caution, and + // the auto config is undergoing especially rapid change. + // + // See comments :ref:`here ` + // for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/configs/envoyproxy_io_proxy_http3_downstream.template.yaml b/configs/envoyproxy_io_proxy_http3_downstream.template.yaml index 2e7ace6c478a..ced3062c0a67 100644 --- a/configs/envoyproxy_io_proxy_http3_downstream.template.yaml +++ b/configs/envoyproxy_io_proxy_http3_downstream.template.yaml @@ -41,6 +41,10 @@ static_resources: name: local_route virtual_hosts: - name: local_service + response_headers_to_add: + - header: + key: alt-svc + value: h3=":10000"; ma=86400, h3-29=":10000"; ma=86400 domains: ["*"] routes: - match: diff --git a/docs/root/intro/arch_overview/http/http.rst b/docs/root/intro/arch_overview/http/http.rst index 33b7ebffa6fa..0877cf3e62db 100644 --- a/docs/root/intro/arch_overview/http/http.rst +++ b/docs/root/intro/arch_overview/http/http.rst @@ -7,5 +7,6 @@ HTTP http_connection_management http_filters http_routing + http3 upgrades http_proxy diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst new file mode 100644 index 000000000000..7e225e9bc85c --- /dev/null +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -0,0 +1,37 @@ +.. _arch_overview_http3: + +HTTP3 downstream +================ + +HTTP/3 downstream support is still in Alpha, and should be used with caution. +Outstanding issues required for HTTP/3 to go GA can be found +`here `_ + +Envoy HTTP/3 support can be turned up via adding +:ref:`quic_options ` and +ensuring the downstream transport socket is a QuicDownstreamTransport. + +See example :repo:`downstream HTTP/3 configuration ` for example configuration. + +Note that the example configuration includes both a TCP and a UDP listener, and the TCP +listener is advertising http/3 support via alt-svc header. Advertising HTTP/3 is not necessary for +in-house deployments where HTTP/3 is explicitly configured, but is needed for internet facing deployments +where TCP is the default, and clients such as Chrome will only attempt HTTP/3 if it is explicitly advertised. + +By default the example configuration uses kernel UDP support, but for production performance, use of +BPF is strongly advised. BPF docs `coming soon `_ + +HTTP3 upstream +=============== + +HTTP/3 downstream support is still in Alpha, and should be used with caution. +Outstanding issues required for HTTP/3 to go GA can be found +`here `_ + +Envoy HTTP/3 support can be turned up by turning up HTTP/3 support in +:ref:`http_protocol_options `, +Either configuring HTTP/3 explicitly on, or using the auto_http option to use HTTP/3 if it is supported. + +See :ref:`here ` for more information about HTTP/3 connection pooling. + +An example upstream HTTP/3 configuration file can be found :repo:`here . diff --git a/docs/root/intro/arch_overview/upstream/connection_pooling.rst b/docs/root/intro/arch_overview/upstream/connection_pooling.rst index 2ac987efc490..e468b56a1dec 100644 --- a/docs/root/intro/arch_overview/upstream/connection_pooling.rst +++ b/docs/root/intro/arch_overview/upstream/connection_pooling.rst @@ -62,6 +62,19 @@ For Envoy acting as a forward proxy, the preferred configuration is the `http_protocol_options `. By default it will use TCP and ALPN to select the best available protocol of HTTP/2 and HTTP/1.1. +.. _arch_overview_http3_upstream: + +If HTTP/3 is configured in the automatic pool, it will currently attempt an QUIC connection first, +then 300ms later, attempt a TCP connection. Whichever handshake succeeds will be used for the initial +stream, but if both TCP and QUIC connections are established, QUIC will eventually be preferred. + +Upcoming versions of HTTP/3 support will include only selecting HTTP/3 if the server advertises support +via alt-svc headers, and "QUIC hints" where attempting QUIC but failing over can be hard-coded. This code +path is alpha and rapidly undergoing improvements with the goal of having the default behavior result in +optimal latency for internet environments, so please be patient and follow along with Envoy release notes +to stay aprised of the latest and greatest changes. + + .. _arch_overview_conn_pool_how_many: Number of connection pools diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index ea813de55ef4..35f9493e9ddb 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -46,62 +46,7 @@ Removed Config or Runtime New Features ------------ -* access log: added a new :ref:`OpenTelemetry access logger ` extension, allowing a flexible log structure with native Envoy access log formatting. -* access log: added the new response flag `NC` for upstream cluster not found. The error flag is set when the http or tcp route is found for the request but the cluster is not available. -* access log: added the :ref:`formatters ` extension point for custom formatters (command operators). -* access log: added support for cross platform writing to :ref:`standard output ` and :ref:`standard error `. -* access log: support command operator: %FILTER_CHAIN_NAME% for the downstream tcp and http request. -* access log: support command operator: %REQUEST_HEADERS_BYTES%, %RESPONSE_HEADERS_BYTES%, and %RESPONSE_TRAILERS_BYTES%. -* admin: added support for :ref:`access loggers ` to the admin interface. -* compression: add brotli :ref:`compressor ` and :ref:`decompressor `. -* compression: extended the compression allow compressing when the content length header is not present. This behavior may be temporarily reverted by setting `envoy.reloadable_features.enable_compression_without_content_length_header` to false. -* config: add `envoy.features.fail_on_any_deprecated_feature` runtime key, which matches the behaviour of compile-time flag `ENVOY_DISABLE_DEPRECATED_FEATURES`, i.e. use of deprecated fields will cause a crash. -* config: the ``Node`` :ref:`dynamic context parameters ` are populated in discovery requests when set on the server instance. -* dispatcher: supports a stack of `Envoy::ScopeTrackedObject` instead of a single tracked object. This will allow Envoy to dump more debug information on crash. -* ext_authz: added :ref:`response_headers_to_add ` to support sending response headers to downstream clients on OK authorization checks via gRPC. -* ext_authz: added :ref:`allowed_client_headers_on_success ` to support sending response headers to downstream clients on OK external authorization checks via HTTP. -* grpc_json_transcoder: added :ref:`request_validation_options ` to reject invalid requests early. -* grpc_json_transcoder: filter can now be configured on per-route/per-vhost level as well. Leaving empty list of services in the filter configuration disables transcoding on the specific route. -* http: added support for `Envoy::ScopeTrackedObject` for HTTP/1 and HTTP/2 dispatching. Crashes while inside the dispatching loop should dump debug information. Furthermore, HTTP/1 and HTTP/2 clients now dumps the originating request whose response from the upstream caused Envoy to crash. -* http: added support for :ref:`preconnecting `. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic, especially if using HTTP/1.1. -* http: added new runtime config `envoy.reloadable_features.check_unsupported_typed_per_filter_config`, the default value is true. When the value is true, envoy will reject virtual host-specific typed per filter config when the filter doesn't support it. -* http: added the ability to preserve HTTP/1 header case across the proxy. See the :ref:`header casing ` documentation for more information. * http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options ` for downstream and the new http3_protocol_options in :ref:`http_protocol_options ` for upstream HTTP/3. -* http: change frame flood and abuse checks to the upstream HTTP/2 codec to ON by default. It can be disabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to false. -* json: introduced new JSON parser (https://github.com/nlohmann/json) to replace RapidJSON. The new parser is disabled by default. To test the new RapidJSON parser, enable the runtime feature `envoy.reloadable_features.remove_legacy_json`. -* kill_request: :ref:`Kill Request ` Now supports bidirection killing. -* loadbalancer: added the ability to specify the hash_key for a host when using a consistent hashing loadbalancer (ringhash, maglev) using the :ref:`LbEndpoint.Metadata ` e.g.: ``"envoy.lb": {"hash_key": "..."}``. -* log: added a new custom flag ``%j`` to the log pattern to print the actual message to log as JSON escaped string. -* oauth filter: added the optional parameter :ref:`resources `. Set this value to add multiple "resource" parameters in the Authorization request sent to the OAuth provider. This acts as an identifier representing the protected resources the client is requesting a token for. -* original_dst: added support for :ref:`Original Destination ` on Windows. This enables the use of Envoy as a sidecar proxy on Windows. -* overload: add support for scaling :ref:`transport connection timeouts`. This can be used to reduce the TLS handshake timeout in response to overload. -* postgres: added ability to :ref:`terminate SSL`. -* rbac: added :ref:`shadow_rules_stat_prefix ` to allow adding custom prefix to the stats emitted by shadow rules. -* route config: added :ref:`allow_post field ` for allowing POST payload as raw TCP. -* route config: added :ref:`max_direct_response_body_size_bytes ` to set maximum :ref:`direct response body ` size in bytes. If not specified the default remains 4096 bytes. -* server: added *fips_mode* to :ref:`server compilation settings ` related statistic. -* server: added :option:`--enable-core-dump` flag to enable core dumps via prctl (Linux-based systems only). -* tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation ` for details. -* tcp_proxy: added a :ref:`use_post field ` for using HTTP POST to proxy TCP streams. -* tcp_proxy: added a :ref:`headers_to_add field ` for setting additional headers to the HTTP requests for TCP proxing. -* thrift_proxy: added a :ref:`max_requests_per_connection field ` for setting maximum requests for per downstream connection. -* thrift_proxy: added per upstream metrics within the :ref:`thrift router ` for messagetype in request/response. -* tls peer certificate validation: added :ref:`SPIFFE validator ` for supporting isolated multiple trust bundles in a single listener or cluster. -* tracing: added the :ref:`pack_trace_reason ` - field as well as explicit configuration for the built-in :ref:`UuidRequestIdConfig ` - request ID implementation. See the trace context propagation :ref:`architecture overview - ` for more information. -* udp: added :ref:`downstream ` and - :ref:`upstream ` statistics for dropped datagrams. -* udp: added :ref:`downstream_socket_config ` - listener configuration to allow configuration of downstream max UDP datagram size. Also added - :ref:`upstream_socket_config ` - UDP proxy configuration to allow configuration of upstream max UDP datagram size. The defaults for - both remain 1500 bytes. -* udp: added configuration for :ref:`GRO - `. The default is disabled for - :ref:`downstream sockets ` - and enabled for :ref:`upstream sockets `. * metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels ` field to true. Deprecated diff --git a/generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto b/generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto index 07044f92201e..847e36f163ba 100644 --- a/generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto +++ b/generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto @@ -390,7 +390,8 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map requires = 3; + map + requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index ebdca1ef640c..372db8513a41 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -37,6 +37,15 @@ message UdpListenerConfig { // // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // For known outstanding issues before Envoy QUIC support is GA, you can + // track https://github.com/envoyproxy/envoy/labels/quic-mvp for example + // QUIC does not currently support in place filter chain updates, so users + // requiring dynamic config reload for QUIC should wait until + // https://github.com/envoyproxy/envoy/issues/13115 has been addressed. + // + // For general feature requets beyond production readiness, you can track + // https://github.com/envoyproxy/envoy/labels/area%2Fquic QuicProtocolOptions quic_options = 7; oneof config_type { diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index 5ec802a5557c..0cf6a4b4e9c9 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -36,6 +36,15 @@ message UdpListenerConfig { // // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // For known outstanding issues before Envoy QUIC support is GA, you can + // track https://github.com/envoyproxy/envoy/labels/quic-mvp for example + // QUIC does not currently support in place filter chain updates, so users + // requiring dynamic config reload for QUIC should wait until + // https://github.com/envoyproxy/envoy/issues/13115 has been addressed. + // + // For general feature requets beyond production readiness, you can track + // https://github.com/envoyproxy/envoy/labels/area%2Fquic QuicProtocolOptions quic_options = 7; } diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 08ef7a09feb2..c1d8326cec3b 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -449,7 +449,8 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map requires = 3; + map + requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 7656f09912e9..48ceb05906f0 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -449,7 +449,8 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map requires = 3; + map + requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index 113dd2d6f89e..b325fdd65227 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -70,6 +70,9 @@ message HttpProtocolOptions { // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // See comments :ref:`here ` + // for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -83,6 +86,9 @@ message HttpProtocolOptions { // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // See comments :ref:`here ` + // for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } @@ -100,11 +106,19 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present. If HTTP/3 is present, attempts to connect will first be made - // via HTTP/3, and if the HTTP/3 connection fails, TCP (HTTP/1 or HTTP/2 - // based on ALPN) will be used instead. + // present, and will eventually rely on server-side alt-svc advertisement to try HTTP/3. + // If HTTP/3 is configured via HTTP/3, and if the HTTP/3 connection fails (currently controlled by a + // hard-coded timeout) TCP (HTTP/1 or HTTP/2 based on ALPN) will be + // attempted as well. + // See :ref:`here ` for more information. + // + // .. note:: + // QUIC support is currently alpha and should be used with caution, and + // the auto config is undergoing especially rapid change. + // + // See comments :ref:`here ` + // for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 0c208e33ff7c..0b2ce20dede8 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -77,6 +77,9 @@ message HttpProtocolOptions { // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // See comments :ref:`here ` + // for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -93,6 +96,9 @@ message HttpProtocolOptions { // .. note:: // QUIC support is currently alpha and should be used with caution. + // + // See comments :ref:`here ` + // for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } @@ -113,11 +119,19 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // [#not-implemented-hide:] // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present. If HTTP/3 is present, attempts to connect will first be made - // via HTTP/3, and if the HTTP/3 connection fails, TCP (HTTP/1 or HTTP/2 - // based on ALPN) will be used instead. + // present, and will eventually rely on server-side alt-svc advertisement to try HTTP/3. + // If HTTP/3 is configured via HTTP/3, and if the HTTP/3 connection fails (currently controlled by a + // hard-coded timeout) TCP (HTTP/1 or HTTP/2 based on ALPN) will be + // attempted as well. + // See :ref:`here ` for more information. + // + // .. note:: + // QUIC support is currently alpha and should be used with caution, and + // the auto config is undergoing especially rapid change. + // + // See comments :ref:`here ` + // for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 16b5fac73870..431974d32122 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -1132,6 +1132,7 @@ subtypes subzone superclass superset +svc symlink symlinked symlinks From 8ccb35a286d4b62d5ef40a42073845710cefd8c0 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Thu, 29 Apr 2021 11:52:03 -0400 Subject: [PATCH 06/20] configs Signed-off-by: Alyssa Wilk --- ...xy_io_proxy_http3_downstream.template.yaml | 54 +++++++++++++++++-- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/configs/envoyproxy_io_proxy_http3_downstream.template.yaml b/configs/envoyproxy_io_proxy_http3_downstream.template.yaml index ced3062c0a67..edc0d11471ba 100644 --- a/configs/envoyproxy_io_proxy_http3_downstream.template.yaml +++ b/configs/envoyproxy_io_proxy_http3_downstream.template.yaml @@ -6,6 +6,56 @@ admin: address: 0.0.0.0 port_value: 9901 static_resources: + listeners: + - name: listener_tcp + address: + socket_address: + protocol: TCP + address: 0.0.0.0 + port_value: 10000 + reuse_port: true + udp_listener_config: + quic_options: {} + downstream_socket_config: + prefer_gro: true + filter_chains: + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + downstream_tls_context: + common_tls_context: + alpn_protocols: h3 + tls_certificates: + certificate_chain: + filename: test/config/integration/certs/servercert.pem + private_key: + filename: test/config/integration/certs/serverkey.pem + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + codec_type: HTTP2 + stat_prefix: ingress_http + route_config: + name: local_route + virtual_hosts: + - name: local_service + response_headers_to_add: + - header: + key: alt-svc + value: h3=":10000"; ma=86400, h3-29=":10000"; ma=86400 + domains: ["*"] + routes: + - match: + prefix: "/" + route: + host_rewrite_literal: www.envoyproxy.io + cluster: service_envoyproxy_io + http3_protocol_options: + http_filters: + - name: envoy.filters.http.router + listeners: - name: listener_udp address: @@ -41,10 +91,6 @@ static_resources: name: local_route virtual_hosts: - name: local_service - response_headers_to_add: - - header: - key: alt-svc - value: h3=":10000"; ma=86400, h3-29=":10000"; ma=86400 domains: ["*"] routes: - match: From 1702e4c5f8e88c94b5b2f33aac838815da2e24cd Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Thu, 29 Apr 2021 12:32:38 -0400 Subject: [PATCH 07/20] format Signed-off-by: Alyssa Wilk --- api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto | 3 +-- api/envoy/extensions/filters/http/jwt_authn/v3/config.proto | 3 +-- .../extensions/filters/http/jwt_authn/v4alpha/config.proto | 3 +-- .../envoy/config/filter/http/jwt_authn/v2alpha/config.proto | 3 +-- .../envoy/extensions/filters/http/jwt_authn/v3/config.proto | 3 +-- .../extensions/filters/http/jwt_authn/v4alpha/config.proto | 3 +-- 6 files changed, 6 insertions(+), 12 deletions(-) diff --git a/api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto b/api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto index 847e36f163ba..07044f92201e 100644 --- a/api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto +++ b/api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto @@ -390,8 +390,7 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map - requires = 3; + map requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index c1d8326cec3b..08ef7a09feb2 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -449,8 +449,7 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map - requires = 3; + map requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 48ceb05906f0..7656f09912e9 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -449,8 +449,7 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map - requires = 3; + map requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto b/generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto index 847e36f163ba..07044f92201e 100644 --- a/generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto +++ b/generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto @@ -390,8 +390,7 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map - requires = 3; + map requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto index c1d8326cec3b..08ef7a09feb2 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -449,8 +449,7 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map - requires = 3; + map requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 48ceb05906f0..7656f09912e9 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -449,8 +449,7 @@ message FilterStateRule { // A map of string keys to requirements. The string key is the string value // in the FilterState with the name specified in the *name* field above. - map - requires = 3; + map requires = 3; } // This is the Envoy HTTP filter config for JWT authentication. From 7c9c5fae23151f9d5cddaf9abc2f79857f9ee9fd Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Thu, 29 Apr 2021 15:29:06 -0400 Subject: [PATCH 08/20] comments Signed-off-by: Alyssa Wilk --- .../config/listener/v3/udp_listener_config.proto | 12 ++++++------ .../listener/v4alpha/udp_listener_config.proto | 12 ++++++------ .../upstreams/http/v3/http_protocol_options.proto | 9 ++++----- .../http/v4alpha/http_protocol_options.proto | 9 ++++----- docs/root/intro/arch_overview/http/http3.rst | 5 +++-- .../http/http_connection_management.rst | 2 +- .../arch_overview/upstream/connection_pooling.rst | 14 ++++++++------ .../config/listener/v3/udp_listener_config.proto | 12 ++++++------ .../listener/v4alpha/udp_listener_config.proto | 12 ++++++------ .../upstreams/http/v3/http_protocol_options.proto | 9 ++++----- .../http/v4alpha/http_protocol_options.proto | 9 ++++----- 11 files changed, 52 insertions(+), 53 deletions(-) diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index 92c4d6f4a108..a64be42977d5 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -37,14 +37,14 @@ message UdpListenerConfig { // .. note:: // QUIC support is currently alpha and should be used with caution. // - // For known outstanding issues before Envoy QUIC support is GA, you can - // track https://github.com/envoyproxy/envoy/labels/quic-mvp for example - // QUIC does not currently support in place filter chain updates, so users + // For known outstanding issues before Envoy QUIC support is GA, issues + // are tracked `here `_. + // For example QUIC does not currently support in-place filter chain updates, so users // requiring dynamic config reload for QUIC should wait until - // https://github.com/envoyproxy/envoy/issues/13115 has been addressed. + // `#13115 _` has been addressed. // - // For general feature requets beyond production readiness, you can track - // https://github.com/envoyproxy/envoy/labels/area%2Fquic + // For general feature requests beyond production readiness, you can track + // updates `here `. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index 0cf6a4b4e9c9..6850d7db283e 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -37,14 +37,14 @@ message UdpListenerConfig { // .. note:: // QUIC support is currently alpha and should be used with caution. // - // For known outstanding issues before Envoy QUIC support is GA, you can - // track https://github.com/envoyproxy/envoy/labels/quic-mvp for example - // QUIC does not currently support in place filter chain updates, so users + // For known outstanding issues before Envoy QUIC support is GA, issues + // are tracked `here `_. + // For example QUIC does not currently support in-place filter chain updates, so users // requiring dynamic config reload for QUIC should wait until - // https://github.com/envoyproxy/envoy/issues/13115 has been addressed. + // `#13115 _` has been addressed. // - // For general feature requets beyond production readiness, you can track - // https://github.com/envoyproxy/envoy/labels/area%2Fquic + // For general feature requests beyond production readiness, you can track + // updates `here `. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index b325fdd65227..0b764d3ebb2b 100644 --- a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -107,11 +107,10 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present, and will eventually rely on server-side alt-svc advertisement to try HTTP/3. - // If HTTP/3 is configured via HTTP/3, and if the HTTP/3 connection fails (currently controlled by a - // hard-coded timeout) TCP (HTTP/1 or HTTP/2 based on ALPN) will be - // attempted as well. - // See :ref:`here ` for more information. + // present, and (soon) only if there is an indication of server side + // support. + // See :ref:`here ` for more information on + // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. note:: // QUIC support is currently alpha and should be used with caution, and diff --git a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 0b2ce20dede8..9b34124df24f 100644 --- a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -120,11 +120,10 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present, and will eventually rely on server-side alt-svc advertisement to try HTTP/3. - // If HTTP/3 is configured via HTTP/3, and if the HTTP/3 connection fails (currently controlled by a - // hard-coded timeout) TCP (HTTP/1 or HTTP/2 based on ALPN) will be - // attempted as well. - // See :ref:`here ` for more information. + // present, and (soon) only if there is an indication of server side + // support. + // See :ref:`here ` for more information on + // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. note:: // QUIC support is currently alpha and should be used with caution, and diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst index 7e225e9bc85c..c8ae58cf774f 100644 --- a/docs/root/intro/arch_overview/http/http3.rst +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -24,7 +24,7 @@ BPF is strongly advised. BPF docs `coming soon `_ @@ -32,6 +32,7 @@ Envoy HTTP/3 support can be turned up by turning up HTTP/3 support in :ref:`http_protocol_options `, Either configuring HTTP/3 explicitly on, or using the auto_http option to use HTTP/3 if it is supported. -See :ref:`here ` for more information about HTTP/3 connection pooling. +See :ref:`here ` for more information about HTTP/3 connection pooling, including +detailed information of where QUIC will be used, and how it fails over to TCP when QUIC use is configured to be optional. An example upstream HTTP/3 configuration file can be found :repo:`here . diff --git a/docs/root/intro/arch_overview/http/http_connection_management.rst b/docs/root/intro/arch_overview/http/http_connection_management.rst index 8c9596f2e2fe..f25d721cc52e 100644 --- a/docs/root/intro/arch_overview/http/http_connection_management.rst +++ b/docs/root/intro/arch_overview/http/http_connection_management.rst @@ -20,7 +20,7 @@ HTTP protocols -------------- Envoy’s HTTP connection manager has native support for HTTP/1.1, WebSockets, HTTP/2 and HTTP/3. It does not support -SPDY. Envoy’s HTTP support was designed to first and foremost be an HTTP/2+ multiplexing proxy. +SPDY. Envoy’s HTTP support was designed to first and foremost be an HTTP/2 multiplexing proxy. Internally, HTTP/2 terminology is used to describe system components. For example, an HTTP request and response take place on a *stream*. A codec API is used to translate from different wire protocols into a protocol agnostic form for streams, requests, responses, etc. In the case of diff --git a/docs/root/intro/arch_overview/upstream/connection_pooling.rst b/docs/root/intro/arch_overview/upstream/connection_pooling.rst index e468b56a1dec..804e991644c1 100644 --- a/docs/root/intro/arch_overview/upstream/connection_pooling.rst +++ b/docs/root/intro/arch_overview/upstream/connection_pooling.rst @@ -64,14 +64,16 @@ By default it will use TCP and ALPN to select the best available protocol of HTT .. _arch_overview_http3_upstream: -If HTTP/3 is configured in the automatic pool, it will currently attempt an QUIC connection first, -then 300ms later, attempt a TCP connection. Whichever handshake succeeds will be used for the initial +If HTTP/3 is configured in the automatic pool it will currently attempt an QUIC connection first, +then 300ms later, if a QUIC connection is not established, will also attempt to establish a TCP connection. +Whichever handshake succeeds will be used for the initial stream, but if both TCP and QUIC connections are established, QUIC will eventually be preferred. -Upcoming versions of HTTP/3 support will include only selecting HTTP/3 if the server advertises support -via alt-svc headers, and "QUIC hints" where attempting QUIC but failing over can be hard-coded. This code -path is alpha and rapidly undergoing improvements with the goal of having the default behavior result in -optimal latency for internet environments, so please be patient and follow along with Envoy release notes +Upcoming versions of HTTP/3 support will include only selecting HTTP/3 if the upstream advertises support +either via `HTTP Alternative Services `_, +`HTTPS DNS RR `_, "QUIC hints" which +will be manually configured. This path is alpha and rapidly undergoing improvements with the goal of having +the default behavior result in optimal latency for internet environments, so please be patient and follow along with Envoy release notes to stay aprised of the latest and greatest changes. diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index 372db8513a41..a3bf928c6625 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -38,14 +38,14 @@ message UdpListenerConfig { // .. note:: // QUIC support is currently alpha and should be used with caution. // - // For known outstanding issues before Envoy QUIC support is GA, you can - // track https://github.com/envoyproxy/envoy/labels/quic-mvp for example - // QUIC does not currently support in place filter chain updates, so users + // For known outstanding issues before Envoy QUIC support is GA, issues + // are tracked `here `_. + // For example QUIC does not currently support in-place filter chain updates, so users // requiring dynamic config reload for QUIC should wait until - // https://github.com/envoyproxy/envoy/issues/13115 has been addressed. + // `#13115 _` has been addressed. // - // For general feature requets beyond production readiness, you can track - // https://github.com/envoyproxy/envoy/labels/area%2Fquic + // For general feature requests beyond production readiness, you can track + // updates `here `. QuicProtocolOptions quic_options = 7; oneof config_type { diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index 0cf6a4b4e9c9..6850d7db283e 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -37,14 +37,14 @@ message UdpListenerConfig { // .. note:: // QUIC support is currently alpha and should be used with caution. // - // For known outstanding issues before Envoy QUIC support is GA, you can - // track https://github.com/envoyproxy/envoy/labels/quic-mvp for example - // QUIC does not currently support in place filter chain updates, so users + // For known outstanding issues before Envoy QUIC support is GA, issues + // are tracked `here `_. + // For example QUIC does not currently support in-place filter chain updates, so users // requiring dynamic config reload for QUIC should wait until - // https://github.com/envoyproxy/envoy/issues/13115 has been addressed. + // `#13115 _` has been addressed. // - // For general feature requets beyond production readiness, you can track - // https://github.com/envoyproxy/envoy/labels/area%2Fquic + // For general feature requests beyond production readiness, you can track + // updates `here `. QuicProtocolOptions quic_options = 7; } diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index b325fdd65227..0b764d3ebb2b 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -107,11 +107,10 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present, and will eventually rely on server-side alt-svc advertisement to try HTTP/3. - // If HTTP/3 is configured via HTTP/3, and if the HTTP/3 connection fails (currently controlled by a - // hard-coded timeout) TCP (HTTP/1 or HTTP/2 based on ALPN) will be - // attempted as well. - // See :ref:`here ` for more information. + // present, and (soon) only if there is an indication of server side + // support. + // See :ref:`here ` for more information on + // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. note:: // QUIC support is currently alpha and should be used with caution, and diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 0b2ce20dede8..9b34124df24f 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -120,11 +120,10 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present, and will eventually rely on server-side alt-svc advertisement to try HTTP/3. - // If HTTP/3 is configured via HTTP/3, and if the HTTP/3 connection fails (currently controlled by a - // hard-coded timeout) TCP (HTTP/1 or HTTP/2 based on ALPN) will be - // attempted as well. - // See :ref:`here ` for more information. + // present, and (soon) only if there is an indication of server side + // support. + // See :ref:`here ` for more information on + // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. note:: // QUIC support is currently alpha and should be used with caution, and From f4ccb1d787fc0234f9e1478fc1a7dd5ea1afdfe3 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Mon, 3 May 2021 15:58:21 -0400 Subject: [PATCH 09/20] comments + BPF Signed-off-by: Alyssa Wilk --- docs/root/intro/arch_overview/http/http3.rst | 10 ++++++++-- .../arch_overview/upstream/connection_pooling.rst | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst index c8ae58cf774f..8bb3b1f9ccab 100644 --- a/docs/root/intro/arch_overview/http/http3.rst +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -18,8 +18,14 @@ listener is advertising http/3 support via alt-svc header. Advertising HTTP/3 is in-house deployments where HTTP/3 is explicitly configured, but is needed for internet facing deployments where TCP is the default, and clients such as Chrome will only attempt HTTP/3 if it is explicitly advertised. -By default the example configuration uses kernel UDP support, but for production performance, use of -BPF is strongly advised. BPF docs `coming soon `_ +By default the example configuration uses kernel UDP support, but for production performance on Linux, use of +BPF is strongly advised. Note that while Envoy will attepmt to use BPF by default, but only works if + + #. Envoy is running as root + #. BPF has been configured to run by non-root users. This can be configured for + + * for kernels >= 5.8, Envoy is run with sudo setcap cap_bpf+ep + * for kernels < 5.8, Envoy is run with sudo cap_net_admin,cap_sys_admin+ep HTTP3 upstream =============== diff --git a/docs/root/intro/arch_overview/upstream/connection_pooling.rst b/docs/root/intro/arch_overview/upstream/connection_pooling.rst index 804e991644c1..0c1a26d79dca 100644 --- a/docs/root/intro/arch_overview/upstream/connection_pooling.rst +++ b/docs/root/intro/arch_overview/upstream/connection_pooling.rst @@ -71,7 +71,7 @@ stream, but if both TCP and QUIC connections are established, QUIC will eventual Upcoming versions of HTTP/3 support will include only selecting HTTP/3 if the upstream advertises support either via `HTTP Alternative Services `_, -`HTTPS DNS RR `_, "QUIC hints" which +`HTTPS DNS RR `_, or "QUIC hints" which will be manually configured. This path is alpha and rapidly undergoing improvements with the goal of having the default behavior result in optimal latency for internet environments, so please be patient and follow along with Envoy release notes to stay aprised of the latest and greatest changes. From 4ec43573981c6e9d35b0d7cbf4e3eb00e553ee27 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Tue, 4 May 2021 10:19:44 -0400 Subject: [PATCH 10/20] more BPF Signed-off-by: Alyssa Wilk --- docs/root/intro/arch_overview/http/http3.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst index 8bb3b1f9ccab..d13bde51703e 100644 --- a/docs/root/intro/arch_overview/http/http3.rst +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -19,7 +19,8 @@ in-house deployments where HTTP/3 is explicitly configured, but is needed for in where TCP is the default, and clients such as Chrome will only attempt HTTP/3 if it is explicitly advertised. By default the example configuration uses kernel UDP support, but for production performance on Linux, use of -BPF is strongly advised. Note that while Envoy will attepmt to use BPF by default, but only works if +BPF is strongly advised if Envoy is running with multiple worker threads. Envoy will attepmt to +use BPF by default if multiple worker threads are configured, but only works if #. Envoy is running as root #. BPF has been configured to run by non-root users. This can be configured for @@ -27,6 +28,8 @@ BPF is strongly advised. Note that while Envoy will attepmt to use BPF by defaul * for kernels >= 5.8, Envoy is run with sudo setcap cap_bpf+ep * for kernels < 5.8, Envoy is run with sudo cap_net_admin,cap_sys_admin+ep +Envoy will log a warning on start-up if BPF is attempted and fails. + HTTP3 upstream =============== From e4151ae929ad3cbb1ef767cb42b072bfcd38169d Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Tue, 4 May 2021 11:56:19 -0400 Subject: [PATCH 11/20] clean up Signed-off-by: Alyssa Wilk --- configs/envoyproxy_io_proxy_http3_downstream.template.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/configs/envoyproxy_io_proxy_http3_downstream.template.yaml b/configs/envoyproxy_io_proxy_http3_downstream.template.yaml index edc0d11471ba..e71ed1aad08d 100644 --- a/configs/envoyproxy_io_proxy_http3_downstream.template.yaml +++ b/configs/envoyproxy_io_proxy_http3_downstream.template.yaml @@ -13,11 +13,6 @@ static_resources: protocol: TCP address: 0.0.0.0 port_value: 10000 - reuse_port: true - udp_listener_config: - quic_options: {} - downstream_socket_config: - prefer_gro: true filter_chains: transport_socket: name: envoy.transport_sockets.tls From 76f04d60af8adad535efadbc736372abdd0c93f2 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Tue, 4 May 2021 15:08:29 -0400 Subject: [PATCH 12/20] hopefully final docs update Signed-off-by: Alyssa Wilk --- docs/root/intro/arch_overview/http/http3.rst | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst index d13bde51703e..f8f73fdbc697 100644 --- a/docs/root/intro/arch_overview/http/http3.rst +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -20,15 +20,8 @@ where TCP is the default, and clients such as Chrome will only attempt HTTP/3 if By default the example configuration uses kernel UDP support, but for production performance on Linux, use of BPF is strongly advised if Envoy is running with multiple worker threads. Envoy will attepmt to -use BPF by default if multiple worker threads are configured, but only works if - - #. Envoy is running as root - #. BPF has been configured to run by non-root users. This can be configured for - - * for kernels >= 5.8, Envoy is run with sudo setcap cap_bpf+ep - * for kernels < 5.8, Envoy is run with sudo cap_net_admin,cap_sys_admin+ep - -Envoy will log a warning on start-up if BPF is attempted and fails. +use BPF by default if multiple worker threads are configured, but may require root, or at least sudo-with-permissions +(e.g. sudo setcap cap_bpf+ep). Envoy will log a warning on start-up if BPF is attempted and fails. HTTP3 upstream =============== From c2496a313c1febfea6e8bcf7d8aa362fc87af60d Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Wed, 5 May 2021 09:02:23 -0400 Subject: [PATCH 13/20] missed comments Signed-off-by: Alyssa Wilk --- .../extensions/upstreams/http/v3/http_protocol_options.proto | 5 +++-- .../upstreams/http/v4alpha/http_protocol_options.proto | 5 +++-- .../upstream/cluster_manager/cluster_runtime.rst | 4 ++-- docs/root/intro/arch_overview/http/http3.rst | 2 +- .../extensions/upstreams/http/v3/http_protocol_options.proto | 5 +++-- .../upstreams/http/v4alpha/http_protocol_options.proto | 5 +++-- 6 files changed, 15 insertions(+), 11 deletions(-) diff --git a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index 0b764d3ebb2b..ad476c620c5e 100644 --- a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -113,8 +113,9 @@ message HttpProtocolOptions { // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. note:: - // QUIC support is currently alpha and should be used with caution, and - // the auto config is undergoing especially rapid change. + // QUIC support is currently alpha and should be used with caution. + // AutoHttpConfig config is undergoing especially rapid change and as it + // is alpha is not guaranteed to be API-stable. // // See comments :ref:`here ` // for details. diff --git a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 9b34124df24f..42e125f7ebd6 100644 --- a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -126,8 +126,9 @@ message HttpProtocolOptions { // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. note:: - // QUIC support is currently alpha and should be used with caution, and - // the auto config is undergoing especially rapid change. + // QUIC support is currently alpha and should be used with caution. + // AutoHttpConfig config is undergoing especially rapid change and as it + // is alpha is not guaranteed to be API-stable. // // See comments :ref:`here ` // for details. diff --git a/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst b/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst index 086e7c098b4f..8a2a3dad612a 100644 --- a/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst +++ b/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst @@ -140,11 +140,11 @@ upstream.healthy_panic_threshold Defaults to 50%. upstream.use_http2 - Whether the cluster utilizes the *http2* if configured in `HttpProtocolOptions `. + Whether the cluster uses *http2* if configured in `HttpProtocolOptions `. Set to 0 to disable HTTP/2 even if the feature is configured. Defaults to enabled. upstream.use_http3 - Whether the cluster utilizes the *http3* if configured in `HttpProtocolOptions `. + Whether the cluster uses *http3* if configured in `HttpProtocolOptions `. Set to 0 to disable HTTP/3 even if the feature is configured. Defaults to enabled. diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst index f8f73fdbc697..3bc65d3f6cbd 100644 --- a/docs/root/intro/arch_overview/http/http3.rst +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -14,7 +14,7 @@ ensuring the downstream transport socket is a QuicDownstreamTransport. See example :repo:`downstream HTTP/3 configuration ` for example configuration. Note that the example configuration includes both a TCP and a UDP listener, and the TCP -listener is advertising http/3 support via alt-svc header. Advertising HTTP/3 is not necessary for +listener is advertising http/3 support via an alt-svc header. Advertising HTTP/3 is not necessary for in-house deployments where HTTP/3 is explicitly configured, but is needed for internet facing deployments where TCP is the default, and clients such as Chrome will only attempt HTTP/3 if it is explicitly advertised. diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index 0b764d3ebb2b..ad476c620c5e 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -113,8 +113,9 @@ message HttpProtocolOptions { // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. note:: - // QUIC support is currently alpha and should be used with caution, and - // the auto config is undergoing especially rapid change. + // QUIC support is currently alpha and should be used with caution. + // AutoHttpConfig config is undergoing especially rapid change and as it + // is alpha is not guaranteed to be API-stable. // // See comments :ref:`here ` // for details. diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 9b34124df24f..42e125f7ebd6 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -126,8 +126,9 @@ message HttpProtocolOptions { // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. note:: - // QUIC support is currently alpha and should be used with caution, and - // the auto config is undergoing especially rapid change. + // QUIC support is currently alpha and should be used with caution. + // AutoHttpConfig config is undergoing especially rapid change and as it + // is alpha is not guaranteed to be API-stable. // // See comments :ref:`here ` // for details. From 58aa631d0a6bd645e9dcfa21c6c6567eeb37f229 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Wed, 5 May 2021 10:28:24 -0400 Subject: [PATCH 14/20] fix links Signed-off-by: Alyssa Wilk --- api/envoy/config/listener/v3/udp_listener_config.proto | 4 ++-- api/envoy/config/listener/v4alpha/udp_listener_config.proto | 4 ++-- .../envoy/config/listener/v3/udp_listener_config.proto | 4 ++-- .../envoy/config/listener/v4alpha/udp_listener_config.proto | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index a64be42977d5..f7ef0f315721 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -41,10 +41,10 @@ message UdpListenerConfig { // are tracked `here `_. // For example QUIC does not currently support in-place filter chain updates, so users // requiring dynamic config reload for QUIC should wait until - // `#13115 _` has been addressed. + // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // updates `here `. + // updates `here `_. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index 6850d7db283e..0c2023a6ae86 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -41,10 +41,10 @@ message UdpListenerConfig { // are tracked `here `_. // For example QUIC does not currently support in-place filter chain updates, so users // requiring dynamic config reload for QUIC should wait until - // `#13115 _` has been addressed. + // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // updates `here `. + // updates `here `_. QuicProtocolOptions quic_options = 7; } diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index a3bf928c6625..52ae8ba00337 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -42,10 +42,10 @@ message UdpListenerConfig { // are tracked `here `_. // For example QUIC does not currently support in-place filter chain updates, so users // requiring dynamic config reload for QUIC should wait until - // `#13115 _` has been addressed. + // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // updates `here `. + // updates `here `_. QuicProtocolOptions quic_options = 7; oneof config_type { diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index 6850d7db283e..0c2023a6ae86 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -41,10 +41,10 @@ message UdpListenerConfig { // are tracked `here `_. // For example QUIC does not currently support in-place filter chain updates, so users // requiring dynamic config reload for QUIC should wait until - // `#13115 _` has been addressed. + // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // updates `here `. + // updates `here `_. QuicProtocolOptions quic_options = 7; } From d2ad3abf725f643ec21c876f8ec409c7c61c3d15 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Wed, 5 May 2021 11:19:52 -0400 Subject: [PATCH 15/20] docs fix Signed-off-by: Alyssa Wilk --- api/envoy/config/listener/v3/udp_listener_config.proto | 2 +- api/envoy/config/listener/v4alpha/udp_listener_config.proto | 2 +- .../envoy/config/listener/v3/udp_listener_config.proto | 2 +- .../envoy/config/listener/v4alpha/udp_listener_config.proto | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index f7ef0f315721..f9532a91736c 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -44,7 +44,7 @@ message UdpListenerConfig { // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // updates `here `_. + // the `area-quic `_ tag. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index 0c2023a6ae86..188fd9cfdd10 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -44,7 +44,7 @@ message UdpListenerConfig { // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // updates `here `_. + // `area-quic `_. QuicProtocolOptions quic_options = 7; } diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index 52ae8ba00337..80d7e88fa26c 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -45,7 +45,7 @@ message UdpListenerConfig { // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // updates `here `_. + // the `area-quic `_ tag. QuicProtocolOptions quic_options = 7; oneof config_type { diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index 0c2023a6ae86..b35c1d6e50b3 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -44,7 +44,7 @@ message UdpListenerConfig { // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // updates `here `_. + // the `area-quic `_ tag. QuicProtocolOptions quic_options = 7; } From aa1f4ef3b5e0d6f34c2cf87629331b61b46d4c04 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Wed, 5 May 2021 12:12:07 -0400 Subject: [PATCH 16/20] format Signed-off-by: Alyssa Wilk --- api/envoy/config/listener/v4alpha/udp_listener_config.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index 188fd9cfdd10..b35c1d6e50b3 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -44,7 +44,7 @@ message UdpListenerConfig { // `#13115 `_ has been addressed. // // For general feature requests beyond production readiness, you can track - // `area-quic `_. + // the `area-quic `_ tag. QuicProtocolOptions quic_options = 7; } From 4fa9c31a63ed66f2746913112a2ba14845bef132 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Wed, 5 May 2021 14:33:05 -0400 Subject: [PATCH 17/20] comments Signed-off-by: Alyssa Wilk --- api/envoy/config/listener/v3/udp_listener_config.proto | 2 +- .../config/listener/v4alpha/udp_listener_config.proto | 2 +- .../upstreams/http/v3/http_protocol_options.proto | 8 ++++---- .../upstreams/http/v4alpha/http_protocol_options.proto | 8 ++++---- docs/root/configuration/http/http_filters/lua_filter.rst | 2 +- .../upstream/cluster_manager/cluster_runtime.rst | 4 ++-- docs/root/faq/configuration/timeouts.rst | 2 +- docs/root/intro/arch_overview/http/http3.rst | 9 ++++++--- docs/root/intro/deployment_types/service_to_service.rst | 2 +- .../envoy/config/listener/v3/udp_listener_config.proto | 2 +- .../config/listener/v4alpha/udp_listener_config.proto | 2 +- .../upstreams/http/v3/http_protocol_options.proto | 8 ++++---- .../upstreams/http/v4alpha/http_protocol_options.proto | 8 ++++---- 13 files changed, 31 insertions(+), 28 deletions(-) diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index f9532a91736c..add422dd2307 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -34,7 +34,7 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. // - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // For known outstanding issues before Envoy QUIC support is GA, issues diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index b35c1d6e50b3..7721dfc89e0c 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -34,7 +34,7 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. // - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // For known outstanding issues before Envoy QUIC support is GA, issues diff --git a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index ad476c620c5e..c9437e24b219 100644 --- a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -59,7 +59,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#next-free-field: 6] message HttpProtocolOptions { // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC. + // Note that HTTP/2 or above should generally be used for upstream gRPC clusters. message ExplicitHttpConfig { oneof protocol_config { option (validate.required) = true; @@ -68,7 +68,7 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // See comments :ref:`here ` @@ -84,7 +84,7 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // See comments :ref:`here ` @@ -112,7 +112,7 @@ message HttpProtocolOptions { // See :ref:`here ` for more information on // when HTTP/3 will be used, and when Envoy will fail over to TCP. // - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // AutoHttpConfig config is undergoing especially rapid change and as it // is alpha is not guaranteed to be API-stable. diff --git a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 42e125f7ebd6..8f98e9ac3e3d 100644 --- a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -63,7 +63,7 @@ message HttpProtocolOptions { "envoy.extensions.upstreams.http.v3.HttpProtocolOptions"; // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC. + // Note that HTTP/2 or above should generally be used for upstream gRPC clusters. message ExplicitHttpConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.ExplicitHttpConfig"; @@ -75,7 +75,7 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // See comments :ref:`here ` @@ -94,7 +94,7 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // See comments :ref:`here ` @@ -125,7 +125,7 @@ message HttpProtocolOptions { // See :ref:`here ` for more information on // when HTTP/3 will be used, and when Envoy will fail over to TCP. // - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // AutoHttpConfig config is undergoing especially rapid change and as it // is alpha is not guaranteed to be API-stable. diff --git a/docs/root/configuration/http/http_filters/lua_filter.rst b/docs/root/configuration/http/http_filters/lua_filter.rst index 9e40a205b006..05cd149fc6ba 100644 --- a/docs/root/configuration/http/http_filters/lua_filter.rst +++ b/docs/root/configuration/http/http_filters/lua_filter.rst @@ -659,7 +659,7 @@ protocol() streamInfo:protocol() Returns the string representation of :repo:`HTTP protocol ` -used by the current request. The possible values are: *HTTP/1.0*, *HTTP/1.1*, *HTTP/2* and *HTTP/3*. +used by the current request. The possible values are: ``HTTP/1.0``, ``HTTP/1.1``, ``HTTP/2`` and ``HTTP/3*``. downstreamLocalAddress() ^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst b/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst index 8a2a3dad612a..1efe95bc7936 100644 --- a/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst +++ b/docs/root/configuration/upstream/cluster_manager/cluster_runtime.rst @@ -140,11 +140,11 @@ upstream.healthy_panic_threshold Defaults to 50%. upstream.use_http2 - Whether the cluster uses *http2* if configured in `HttpProtocolOptions `. + Whether the cluster uses ``HTTP/2`` if configured in `HttpProtocolOptions `. Set to 0 to disable HTTP/2 even if the feature is configured. Defaults to enabled. upstream.use_http3 - Whether the cluster uses *http3* if configured in `HttpProtocolOptions `. + Whether the cluster uses ``HTTP/3`` if configured in `HttpProtocolOptions `. Set to 0 to disable HTTP/3 even if the feature is configured. Defaults to enabled. diff --git a/docs/root/faq/configuration/timeouts.rst b/docs/root/faq/configuration/timeouts.rst index 7d6a0d933557..fd530474ea34 100644 --- a/docs/root/faq/configuration/timeouts.rst +++ b/docs/root/faq/configuration/timeouts.rst @@ -60,7 +60,7 @@ context request/stream is interchangeable. is the amount of time that the connection manager will allow a stream to exist with no upstream or downstream activity. The default stream idle timeout is *5 minutes*. This timeout is strongly recommended for all requests (not just streaming requests/responses) as it additionally defends - against a peer that does not open stream window once an entire response has been buffered + against a peer that does not open the stream window once an entire response has been buffered to be sent to a downstream client. * The HTTP protocol :ref:`max_stream_duration ` is defined in a generic message used by the HTTP connection manager. The max stream duration is the diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst index 3bc65d3f6cbd..2dfcf52e3941 100644 --- a/docs/root/intro/arch_overview/http/http3.rst +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -1,7 +1,10 @@ .. _arch_overview_http3: +HTTP3 overview +============== + HTTP3 downstream -================ +---------------- HTTP/3 downstream support is still in Alpha, and should be used with caution. Outstanding issues required for HTTP/3 to go GA can be found @@ -14,7 +17,7 @@ ensuring the downstream transport socket is a QuicDownstreamTransport. See example :repo:`downstream HTTP/3 configuration ` for example configuration. Note that the example configuration includes both a TCP and a UDP listener, and the TCP -listener is advertising http/3 support via an alt-svc header. Advertising HTTP/3 is not necessary for +listener is advertising http/3 support via an ``alt-svc header``. Advertising HTTP/3 is not necessary for in-house deployments where HTTP/3 is explicitly configured, but is needed for internet facing deployments where TCP is the default, and clients such as Chrome will only attempt HTTP/3 if it is explicitly advertised. @@ -24,7 +27,7 @@ use BPF by default if multiple worker threads are configured, but may require ro (e.g. sudo setcap cap_bpf+ep). Envoy will log a warning on start-up if BPF is attempted and fails. HTTP3 upstream -=============== +-------------- HTTP/3 upstream support is still in Alpha, and should be used with caution. Outstanding issues required for HTTP/3 to go GA can be found diff --git a/docs/root/intro/deployment_types/service_to_service.rst b/docs/root/intro/deployment_types/service_to_service.rst index af29030d9447..eb5dde1101d7 100644 --- a/docs/root/intro/deployment_types/service_to_service.rst +++ b/docs/root/intro/deployment_types/service_to_service.rst @@ -14,7 +14,7 @@ Service to service egress listener ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This is the port used by applications to talk to other services in the infrastructure. For example, -*http://localhost:9001*. HTTP and gRPC requests use the HTTP/1.1 *host* header or the HTTP/2 or HTTP/3 +http://localhost:9001. HTTP and gRPC requests use the HTTP/1.1 *host* header or the HTTP/2 or HTTP/3 *:authority* header to indicate which remote cluster the request is destined for. Envoy handles service discovery, load balancing, rate limiting, etc. depending on the details in the configuration. Services only need to know about the local Envoy and do not need to concern diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index 80d7e88fa26c..0c6b26f94d19 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -35,7 +35,7 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. // - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // For known outstanding issues before Envoy QUIC support is GA, issues diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index b35c1d6e50b3..7721dfc89e0c 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -34,7 +34,7 @@ message UdpListenerConfig { // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set // to the default object to enable QUIC without modifying any additional options. // - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // For known outstanding issues before Envoy QUIC support is GA, issues diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index ad476c620c5e..c9437e24b219 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -59,7 +59,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#next-free-field: 6] message HttpProtocolOptions { // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC. + // Note that HTTP/2 or above should generally be used for upstream gRPC clusters. message ExplicitHttpConfig { oneof protocol_config { option (validate.required) = true; @@ -68,7 +68,7 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // See comments :ref:`here ` @@ -84,7 +84,7 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // See comments :ref:`here ` @@ -112,7 +112,7 @@ message HttpProtocolOptions { // See :ref:`here ` for more information on // when HTTP/3 will be used, and when Envoy will fail over to TCP. // - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // AutoHttpConfig config is undergoing especially rapid change and as it // is alpha is not guaranteed to be API-stable. diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 42e125f7ebd6..8f98e9ac3e3d 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -63,7 +63,7 @@ message HttpProtocolOptions { "envoy.extensions.upstreams.http.v3.HttpProtocolOptions"; // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 or above should generally be used for upstream clusters doing gRPC. + // Note that HTTP/2 or above should generally be used for upstream gRPC clusters. message ExplicitHttpConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.ExplicitHttpConfig"; @@ -75,7 +75,7 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // See comments :ref:`here ` @@ -94,7 +94,7 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // // See comments :ref:`here ` @@ -125,7 +125,7 @@ message HttpProtocolOptions { // See :ref:`here ` for more information on // when HTTP/3 will be used, and when Envoy will fail over to TCP. // - // .. note:: + // .. warning:: // QUIC support is currently alpha and should be used with caution. // AutoHttpConfig config is undergoing especially rapid change and as it // is alpha is not guaranteed to be API-stable. From bdb245f69755dcda1d6c5dda16d9324897841381 Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Thu, 6 May 2021 09:19:43 -0400 Subject: [PATCH 18/20] comments Signed-off-by: Alyssa Wilk --- .../listener/v3/udp_listener_config.proto | 12 ++--------- .../v4alpha/udp_listener_config.proto | 12 ++--------- .../http/v3/http_protocol_options.proto | 18 ++++++----------- .../http/v4alpha/http_protocol_options.proto | 18 ++++++----------- ...envoyproxy_io_proxy_http3_downstream.yaml} | 8 ++++---- docs/root/intro/arch_overview/http/http3.rst | 20 +++++++++++++------ .../listener/v3/udp_listener_config.proto | 12 ++--------- .../v4alpha/udp_listener_config.proto | 12 ++--------- .../http/v3/http_protocol_options.proto | 18 ++++++----------- .../http/v4alpha/http_protocol_options.proto | 18 ++++++----------- 10 files changed, 50 insertions(+), 98 deletions(-) rename configs/{envoyproxy_io_proxy_http3_downstream.template.yaml => envoyproxy_io_proxy_http3_downstream.yaml} (92%) diff --git a/api/envoy/config/listener/v3/udp_listener_config.proto b/api/envoy/config/listener/v3/udp_listener_config.proto index add422dd2307..57088ac5fe1f 100644 --- a/api/envoy/config/listener/v3/udp_listener_config.proto +++ b/api/envoy/config/listener/v3/udp_listener_config.proto @@ -35,16 +35,8 @@ message UdpListenerConfig { // to the default object to enable QUIC without modifying any additional options. // // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // For known outstanding issues before Envoy QUIC support is GA, issues - // are tracked `here `_. - // For example QUIC does not currently support in-place filter chain updates, so users - // requiring dynamic config reload for QUIC should wait until - // `#13115 `_ has been addressed. - // - // For general feature requests beyond production readiness, you can track - // the `area-quic `_ tag. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto index 7721dfc89e0c..3cd272de3172 100644 --- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -35,16 +35,8 @@ message UdpListenerConfig { // to the default object to enable QUIC without modifying any additional options. // // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // For known outstanding issues before Envoy QUIC support is GA, issues - // are tracked `here `_. - // For example QUIC does not currently support in-place filter chain updates, so users - // requiring dynamic config reload for QUIC should wait until - // `#13115 `_ has been addressed. - // - // For general feature requests beyond production readiness, you can track - // the `area-quic `_ tag. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. QuicProtocolOptions quic_options = 7; } diff --git a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index c9437e24b219..6f28a4f4b234 100644 --- a/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -69,10 +69,8 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // See comments :ref:`here ` - // for details. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -85,10 +83,8 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // See comments :ref:`here ` - // for details. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } @@ -113,12 +109,10 @@ message HttpProtocolOptions { // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. warning:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. // AutoHttpConfig config is undergoing especially rapid change and as it // is alpha is not guaranteed to be API-stable. - // - // See comments :ref:`here ` - // for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 8f98e9ac3e3d..8545b77c1f0b 100644 --- a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -76,10 +76,8 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // See comments :ref:`here ` - // for details. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -95,10 +93,8 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // See comments :ref:`here ` - // for details. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } @@ -126,12 +122,10 @@ message HttpProtocolOptions { // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. warning:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. // AutoHttpConfig config is undergoing especially rapid change and as it // is alpha is not guaranteed to be API-stable. - // - // See comments :ref:`here ` - // for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/configs/envoyproxy_io_proxy_http3_downstream.template.yaml b/configs/envoyproxy_io_proxy_http3_downstream.yaml similarity index 92% rename from configs/envoyproxy_io_proxy_http3_downstream.template.yaml rename to configs/envoyproxy_io_proxy_http3_downstream.yaml index e71ed1aad08d..6efe83e6c77d 100644 --- a/configs/envoyproxy_io_proxy_http3_downstream.template.yaml +++ b/configs/envoyproxy_io_proxy_http3_downstream.yaml @@ -23,9 +23,9 @@ static_resources: alpn_protocols: h3 tls_certificates: certificate_chain: - filename: test/config/integration/certs/servercert.pem + filename: certs/servercert.pem private_key: - filename: test/config/integration/certs/serverkey.pem + filename: certs/serverkey.pem filters: - name: envoy.filters.network.http_connection_manager typed_config: @@ -73,9 +73,9 @@ static_resources: alpn_protocols: h3 tls_certificates: certificate_chain: - filename: test/config/integration/certs/servercert.pem + filename: certs/servercert.pem private_key: - filename: test/config/integration/certs/serverkey.pem + filename: certs/serverkey.pem filters: - name: envoy.filters.network.http_connection_manager typed_config: diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst index 2dfcf52e3941..297e4da86120 100644 --- a/docs/root/intro/arch_overview/http/http3.rst +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -3,18 +3,26 @@ HTTP3 overview ============== +.. warning:: + + HTTP/3 support is still in Alpha, and should be used with caution. + Outstanding issues required for HTTP/3 to go GA can be found + `here `_ + For example QUIC does not currently support in-place filter chain updates, so users + requiring dynamic config reload for QUIC should wait until + `#13115 `_ has been addressed. + + For general feature requests beyond production readiness, you can track + the `area-quic `_ tag. + HTTP3 downstream ---------------- -HTTP/3 downstream support is still in Alpha, and should be used with caution. -Outstanding issues required for HTTP/3 to go GA can be found -`here `_ - -Envoy HTTP/3 support can be turned up via adding +Downstream Envoy HTTP/3 support can be turned up via adding :ref:`quic_options ` and ensuring the downstream transport socket is a QuicDownstreamTransport. -See example :repo:`downstream HTTP/3 configuration ` for example configuration. +See example :repo:`downstream HTTP/3 configuration ` for example configuration. Note that the example configuration includes both a TCP and a UDP listener, and the TCP listener is advertising http/3 support via an ``alt-svc header``. Advertising HTTP/3 is not necessary for diff --git a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto index 0c6b26f94d19..276e98153aeb 100644 --- a/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v3/udp_listener_config.proto @@ -36,16 +36,8 @@ message UdpListenerConfig { // to the default object to enable QUIC without modifying any additional options. // // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // For known outstanding issues before Envoy QUIC support is GA, issues - // are tracked `here `_. - // For example QUIC does not currently support in-place filter chain updates, so users - // requiring dynamic config reload for QUIC should wait until - // `#13115 `_ has been addressed. - // - // For general feature requests beyond production readiness, you can track - // the `area-quic `_ tag. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. QuicProtocolOptions quic_options = 7; oneof config_type { diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto index 7721dfc89e0c..3cd272de3172 100644 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -35,16 +35,8 @@ message UdpListenerConfig { // to the default object to enable QUIC without modifying any additional options. // // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // For known outstanding issues before Envoy QUIC support is GA, issues - // are tracked `here `_. - // For example QUIC does not currently support in-place filter chain updates, so users - // requiring dynamic config reload for QUIC should wait until - // `#13115 `_ has been addressed. - // - // For general feature requests beyond production readiness, you can track - // the `area-quic `_ tag. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. QuicProtocolOptions quic_options = 7; } diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto index c9437e24b219..6f28a4f4b234 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v3/http_protocol_options.proto @@ -69,10 +69,8 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // See comments :ref:`here ` - // for details. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -85,10 +83,8 @@ message HttpProtocolOptions { config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // See comments :ref:`here ` - // for details. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } @@ -113,12 +109,10 @@ message HttpProtocolOptions { // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. warning:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. // AutoHttpConfig config is undergoing especially rapid change and as it // is alpha is not guaranteed to be API-stable. - // - // See comments :ref:`here ` - // for details. config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; } diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto index 8f98e9ac3e3d..8545b77c1f0b 100644 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto @@ -76,10 +76,8 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // See comments :ref:`here ` - // for details. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } } @@ -95,10 +93,8 @@ message HttpProtocolOptions { config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; // .. warning:: - // QUIC support is currently alpha and should be used with caution. - // - // See comments :ref:`here ` - // for details. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } @@ -126,12 +122,10 @@ message HttpProtocolOptions { // when HTTP/3 will be used, and when Envoy will fail over to TCP. // // .. warning:: - // QUIC support is currently alpha and should be used with caution. + // QUIC support is currently alpha and should be used with caution. Please + // see :ref:`here ` for details. // AutoHttpConfig config is undergoing especially rapid change and as it // is alpha is not guaranteed to be API-stable. - // - // See comments :ref:`here ` - // for details. config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; } From 752afc78f630f6d7be9c3bd265972d2c6cdf0ccf Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Thu, 6 May 2021 11:12:07 -0400 Subject: [PATCH 19/20] config cleanup Signed-off-by: Alyssa Wilk --- configs/envoyproxy_io_proxy_http3_downstream.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/configs/envoyproxy_io_proxy_http3_downstream.yaml b/configs/envoyproxy_io_proxy_http3_downstream.yaml index 6efe83e6c77d..2037b192af08 100644 --- a/configs/envoyproxy_io_proxy_http3_downstream.yaml +++ b/configs/envoyproxy_io_proxy_http3_downstream.yaml @@ -14,15 +14,14 @@ static_resources: address: 0.0.0.0 port_value: 10000 filter_chains: - transport_socket: + - transport_socket: name: envoy.transport_sockets.tls typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext downstream_tls_context: common_tls_context: - alpn_protocols: h3 tls_certificates: - certificate_chain: + - certificate_chain: filename: certs/servercert.pem private_key: filename: certs/serverkey.pem @@ -64,15 +63,14 @@ static_resources: downstream_socket_config: prefer_gro: true filter_chains: - transport_socket: + - transport_socket: name: envoy.transport_sockets.quic typed_config: '@type': type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport downstream_tls_context: common_tls_context: - alpn_protocols: h3 tls_certificates: - certificate_chain: + - certificate_chain: filename: certs/servercert.pem private_key: filename: certs/serverkey.pem From e2ee7a9f0b012f1ab0a903e72e24db03a8a80cdb Mon Sep 17 00:00:00 2001 From: Alyssa Wilk Date: Thu, 6 May 2021 12:20:43 -0400 Subject: [PATCH 20/20] bpf Signed-off-by: Alyssa Wilk --- docs/root/intro/arch_overview/http/http3.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/root/intro/arch_overview/http/http3.rst b/docs/root/intro/arch_overview/http/http3.rst index 297e4da86120..8f10cc4b4b8c 100644 --- a/docs/root/intro/arch_overview/http/http3.rst +++ b/docs/root/intro/arch_overview/http/http3.rst @@ -29,10 +29,11 @@ listener is advertising http/3 support via an ``alt-svc header``. Advertising HT in-house deployments where HTTP/3 is explicitly configured, but is needed for internet facing deployments where TCP is the default, and clients such as Chrome will only attempt HTTP/3 if it is explicitly advertised. -By default the example configuration uses kernel UDP support, but for production performance on Linux, use of +By default the example configuration uses kernel UDP support, but for production performance use of BPF is strongly advised if Envoy is running with multiple worker threads. Envoy will attepmt to -use BPF by default if multiple worker threads are configured, but may require root, or at least sudo-with-permissions -(e.g. sudo setcap cap_bpf+ep). Envoy will log a warning on start-up if BPF is attempted and fails. +use BPF on Linux by default if multiple worker threads are configured, but may require root, or at least +sudo-with-permissions (e.g. sudo setcap cap_bpf+ep). If multiple worker threads are configured, Envoy will +log a warning on start-up if BPF is unsupported on the platform, or is attempted and fails. HTTP3 upstream --------------