HTTP Inspector fails with http.inalid_authority on http1.1

[kovaxur]

Is this the right place to submit this?

• This is not a security vulnerability or a crashing bug
• This is not a question about how to use Istio

Bug Description

I'm using Kubernetes with ingress-nginx ingress controller. I'm planning to move to istio with envoy, as the first step I want to put the ingress controller into the mesh by injecting an envoy sidecar.

With the ingress-controller, I'm using external authentication (jwt), everything else works fine except the jwt authentication of the requests, when the ingress-controller's envoy returns the following when log level is set to debug (I'm using http1.1).

These are the logs when the ingress controller tries to authenticate the request with the jwt auth provider:

2024-06-12T07:28:30.012339Z    debug    envoy filter external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:69    original_dst: set destination to 172.20.142.80:80    thread=34
2024-06-12T07:28:30.012408Z    debug    envoy filter external/envoy/source/extensions/filters/listener/http_inspector/http_inspector.cc:139    http inspector: set application protocol to http/1.1    thread=34
2024-06-12T07:28:30.012459Z    debug    envoy conn_handler external/envoy/source/common/listener_manager/active_tcp_listener.cc:160    [Tags: "ConnectionId":"263"] new connection from 10.201.34.39:38818    thread=34
2024-06-12T07:28:30.012483Z    debug    envoy http external/envoy/source/common/http/conn_manager_impl.cc:398    [Tags: "ConnectionId":"263"] new stream    thread=34
2024-06-12T07:28:30.012548Z    debug    envoy http external/envoy/source/common/http/filter_manager.cc:1077    [Tags: "ConnectionId":"263","StreamId":"13433699386571971837"] Sending local reply with details http.invalid_authority    thread=34                                                                                                                   
2024-06-12T07:28:30.012587Z    debug    envoy http external/envoy/source/common/http/conn_manager_impl.cc:1772   [Tags: "ConnectionId":"263","StreamId":"13433699386571971837"] closing connection due to connection close header    thread=34            

As I understood, the authority header should be checked only when the protocol is http2.

When I set the jwt auth provider's kubernetes service port name from http-something to tcp-something, it starts to work.

Version

istioctl version
client version: 1.22.1
control plane version: 1.22.1
data plane version: 1.22.1 (89 proxies)

kubectl version
client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.4-eks-036c24b

Additional Information

https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax

[hzxuzhonghu]

No matter http 1.1 or http2, host header is checked

[kovaxur]

I think I found the issue, just the invalid_authority error confused me, but it seems that for us the problem was on our ingress configuration side, the host contained also the path.

Thanks