TLS configuration doesn't work with HTTP/2 #341

New issue

Closed

opened 2024-03-27 15:14:23 +00:00 by alexvanin · 0 comments

alexvanin commented 2024-03-27 15:14:23 +00:00

Owner

Copy link

Expected Behavior

HTTP/2 requests are processed correctly when TLS is enabled.

Current Behavior

HTTP/2 requests are failed.

$ curl -k --aws-sigv4 aws:amz:us-east-1:iam --user <access>:<secret> \
  --head --http2-prior-knowledge -v https://<endpoint>/bucket-name

curl: (56) Remote peer returned unexpected data while we expected SETTINGS frame.  Perhaps, peer does not support HTTP/2 properly. 

Meanwhile log contains reques information, but it fails to authenticate request due to missing headers

info        request start        {"request_id": "111bfe7a-cff8-4ff2-949f-9b61fc37a7ed", "host": "", "remote_host": "...", "namespace": ""}                                                                                                                          
error        policy validation failed        {"request_id": "111bfe7a-cff8-4ff2-949f-9b61fc37a7ed", "error": "nns: couldn't resolve container '*': contract invocation: invocation failed: at instruction 5394 (THROW): unhandled exception: \"invalid domain name format\""} 

Possible Solution

http.Server documentation says

HTTP/2 support is only enabled if the Listener returns *tls.Conn connections and they were configured with "h2" in the TLS Config.NextProtos.

This fix works fine for HTTP/2 and HTTP/1 requests.

Steps to Reproduce (for bugs)

1. Configure TLS on S3 endpoint
2. Send curl request with --http2-prior-knowledge flag

Regression

No.

Your Environment

v0.29.0-rc.3

## Expected Behavior HTTP/2 requests are processed correctly when TLS is enabled. ## Current Behavior HTTP/2 requests are failed. ``` $ curl -k --aws-sigv4 aws:amz:us-east-1:iam --user <access>:<secret> \ --head --http2-prior-knowledge -v https://<endpoint>/bucket-name curl: (56) Remote peer returned unexpected data while we expected SETTINGS frame. Perhaps, peer does not support HTTP/2 properly. ``` Meanwhile log contains reques information, but it fails to authenticate request due to missing headers ``` info request start {"request_id": "111bfe7a-cff8-4ff2-949f-9b61fc37a7ed", "host": "", "remote_host": "...", "namespace": ""} error policy validation failed {"request_id": "111bfe7a-cff8-4ff2-949f-9b61fc37a7ed", "error": "nns: couldn't resolve container '*': contract invocation: invocation failed: at instruction 5394 (THROW): unhandled exception: \"invalid domain name format\""} ``` ## Possible Solution `http.Server` documentation [says](https://pkg.go.dev/net/http#Server.Serve) > HTTP/2 support is only enabled if the Listener returns *tls.Conn connections and they were configured with "h2" in the TLS Config.NextProtos. This fix works fine for HTTP/2 and HTTP/1 requests. ## Steps to Reproduce (for bugs) 1. Configure TLS on S3 endpoint 2. Send curl request with `--http2-prior-knowledge` flag ## Regression No. ## Your Environment v0.29.0-rc.3

alexvanin added the

bug

label 2024-03-27 15:14:23 +00:00

alexvanin self-assigned this 2024-03-27 15:14:23 +00:00

alexvanin referenced this issue from a pull request that will close it, 2024-03-27 16:11:53 +00:00

Allow HTTP/2 requests #342

alexvanin referenced this issue from TrueCloudLab/frostfs-http-gw 2024-03-27 16:25:13 +00:00

Allow HTTP/2 requests #110

alexvanin closed this issue 2024-04-03 12:04:51 +00:00

alexvanin referenced this issue from a commit 2024-04-03 12:04:53 +00:00

[#341] Test HTTP/2 requests

alexvanin referenced this issue from a commit 2024-04-03 12:04:53 +00:00

[#341] Add "h2" as next proto to allow HTTP/2 requests in http.Serve

alexvanin referenced this issue from a commit 2024-04-03 12:04:53 +00:00

[#341] Update CHANGELOG

alexvanin added this to the v0.30.0 milestone 2024-05-27 11:07:59 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.30

support/v0.29

support/v0.28

support/v0.27

v0.31.0

v0.31.0-rc.6

v0.31.0-rc.5

v0.31.0-rc.4

v0.30.8

v0.31.0-rc.3

v0.30.7

v0.31.0-rc.2

v0.31.0-rc.1

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.30.0-rc.5

v0.29.2

v0.30.0-rc.4

v0.30.0-rc.3

v0.30.0-rc.2

v0.29.1

v0.30.0-rc.1

v0.29.0

v0.28.2

v0.29.0-rc.11

v0.29.0-rc.10

v0.29.0-rc.9

v0.29.0-rc.8

v0.29.0-rc.7

v0.29.0-rc.6

v0.29.0-rc.5

v0.29.0-rc.4

v0.29.0-rc.3

v0.29.0-rc.2

v0.29.0-rc.1

v0.28.1

v0.28.0

v0.28.0-rc.1

v0.27.0

v0.27.0-rc.2

v0.27.0-rc.1

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

good first issue

Good for newcomers

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

good first issue

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

v0.30.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

alexvanin

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-s3-gw#341

No description provided.