conformance: test cases for HTTPS connection coalescing #4364
+8
−4
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the relevant part of the spec is here:
gateway-api/apis/v1/gateway_types.go
Line 394 in f95fe2b
We're actually using RFC 2119 interpretation of keywords here, so SHOULD is a recommendation, not a requirement. With that said, I think we could justify an extended test (separate feature name) to cover this.
cc @youngnick @rikatz
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we enforce this behaviour only for reused connections? If Cx is estabilishing a new connection per request then misdirected does not make sense.
@snorwin can you verify that connection is being reused in this test? I was looking into RoundTripper and I can see that DisableKeepAlives is set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the case of TLS, the connection’s host is determined by the SNI extension sent during the initial TLS handshake. In my opinion, it should not matter whether the connection was established specifically for this request or reused from a previous one.
@kl52752 which HTTP status code would you expect when a request sent over a newly established connection has a mismatch between the SNI value and the Host header?
Related references:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm referring to:
Imagine we have 2 listeners on the same port one with *.example.com and second one with foo.example.com.
Like you mentioned SNI is validated in initial TLS handshake, so if client is connecting to *.example.com and this is the only "destination" for this request I think that 200 should be returned because TLS handshake was performed for *.example.com.
What we should test is that after client connects to *.example.com and reuse this connection to foo.example.com on different listener then 421 should be returned.
Does it makes sense?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand your example. Let’s assume we have 2 listeners on the same port one with
*.example.comand second one withfoo.example.com.What HTTP error code would you expect for a request on a new connection with SNI
bar.example.comand a Host headerfoo.example.com?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh yeah sorry I missed the fact that SNI and host mismatch here. Now it makes sense :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, one thing i think is vague in the spec
Can an empty listener.hostname be "more specific wildcard entry"? On one hand, empty != wildcard, but on the other hand, empty is a complete wildcard.
We treat case 4
{host: "unknown-example.org", serverName: "second-example.org", statusCode: 404},as a 404. But, IMO, this seems like it should be misdirected: the fact the 'other listener' has no hostname disqualifies is irrelevant to users and show behave the same as a wildcard IMO.I am leaning towards changing this test and making the spec slightly tweaked...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, a closer look suggests this must be a 421 even with the current wording of the spec: