Skip to content

outbound: Strip peer-sent l5d-proxy-error headers #1285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 23, 2021
Merged

outbound: Strip peer-sent l5d-proxy-error headers #1285

merged 2 commits into from
Sep 23, 2021

Conversation

olix0r
Copy link
Member

@olix0r olix0r commented Sep 22, 2021

If the outbound proxy is not configured to emit headers, then we
shouldn't surface l5d-proxy-error headers sent by peer proxies.

This change adds a module to the outbound HTTP endpoint stack to strip
these headers when appropriate.

@olix0r
outbound: Strip peer-sent l5d-proxy-error headers
0731170 
If the outbound proxy is not configured to emit headers, then we
shouldn't surface `l5d-proxy-error` headers sent by peer proxies.

This change adds a module to the outbound HTTP endpoint stack to strip
these headers when appropriate.
@olix0r olix0r requested a review from a team September 22, 2021 23:30
hawkw
hawkw approved these changes Sep 22, 2021
View reviewed changes
Copy link
Contributor

@hawkw hawkw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this seems fine to me! i'm unsure if modifying strip-header to take an Option is the best approach, but it seems fine?

@olix0r olix0r merged commit 3f89e1b into main Sep 23, 2021
@olix0r olix0r deleted the ver/strip-errors branch September 23, 2021 00:39
olix0r added a commit to linkerd/linkerd2 that referenced this pull request Sep 23, 2021
@olix0r
proxy: v2.160.0
aaca8f8 
This release improves the proxy's error handling, introducing a new
`l5d-proxy-connection` header to signal from an inbound proxy when its
peers outbound connections should be torn down.

Furthermore, error handling has been improved so that the
`l5d-proxy-error` header is only sent to trusted peers--the inbound
proxy only emits this header when its client is meshed; and the outbound
proxy can be configured to disable these headers via configuration.

---

* build(deps): bump hyper from 0.14.12 to 0.14.13 (linkerd/linkerd2-proxy#1273)
* build(deps): bump tracing-subscriber from 0.2.22 to 0.2.23 (linkerd/linkerd2-proxy#1274)
* tracing: use `Span::or_current` when spawning tasks (linkerd/linkerd2-proxy#1272)
* dns: Log TTL with resolution (linkerd/linkerd2-proxy#1275)
* error-respond: Support stack target configuration (linkerd/linkerd2-proxy#1276)
* build(deps): bump tracing-subscriber from 0.2.23 to 0.2.24 (linkerd/linkerd2-proxy#1277)
* build(deps): bump tracing from 0.1.27 to 0.1.28 (linkerd/linkerd2-proxy#1278)
* build(deps): bump tokio from 1.11.0 to 1.12.0 (linkerd/linkerd2-proxy#1279)
* build(deps): bump http from 0.2.4 to 0.2.5 (linkerd/linkerd2-proxy#1280)
* Support a `l5d-proxy-connection: close` header (linkerd/linkerd2-proxy#1281)
* Avoid emitting informational headers to untrusted clients (linkerd/linkerd2-proxy#1282)
* outbound: Only honor the `l5d-proxy-connection` header when meshed (linkerd/linkerd2-proxy#1283)
* outbound: Disable informational headers by config (linkerd/linkerd2-proxy#1284)
* outbound: Strip peer-sent `l5d-proxy-error` headers (linkerd/linkerd2-proxy#1285)
@olix0r olix0r mentioned this pull request Sep 23, 2021
Merged
alpeb pushed a commit to linkerd/linkerd2 that referenced this pull request Sep 23, 2021
@olix0r
proxy: v2.160.0 (#6956)
bb33347 
This release improves the proxy's error handling, introducing a new
`l5d-proxy-connection` header to signal from an inbound proxy when its
peers outbound connections should be torn down.

Furthermore, error handling has been improved so that the
`l5d-proxy-error` header is only sent to trusted peers--the inbound
proxy only emits this header when its client is meshed; and the outbound
proxy can be configured to disable these headers via configuration.

---

* build(deps): bump hyper from 0.14.12 to 0.14.13 (linkerd/linkerd2-proxy#1273)
* build(deps): bump tracing-subscriber from 0.2.22 to 0.2.23 (linkerd/linkerd2-proxy#1274)
* tracing: use `Span::or_current` when spawning tasks (linkerd/linkerd2-proxy#1272)
* dns: Log TTL with resolution (linkerd/linkerd2-proxy#1275)
* error-respond: Support stack target configuration (linkerd/linkerd2-proxy#1276)
* build(deps): bump tracing-subscriber from 0.2.23 to 0.2.24 (linkerd/linkerd2-proxy#1277)
* build(deps): bump tracing from 0.1.27 to 0.1.28 (linkerd/linkerd2-proxy#1278)
* build(deps): bump tokio from 1.11.0 to 1.12.0 (linkerd/linkerd2-proxy#1279)
* build(deps): bump http from 0.2.4 to 0.2.5 (linkerd/linkerd2-proxy#1280)
* Support a `l5d-proxy-connection: close` header (linkerd/linkerd2-proxy#1281)
* Avoid emitting informational headers to untrusted clients (linkerd/linkerd2-proxy#1282)
* outbound: Only honor the `l5d-proxy-connection` header when meshed (linkerd/linkerd2-proxy#1283)
* outbound: Disable informational headers by config (linkerd/linkerd2-proxy#1284)
* outbound: Strip peer-sent `l5d-proxy-error` headers (linkerd/linkerd2-proxy#1285)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@hawkw hawkw hawkw approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@olix0r @hawkw