有一组专门用于 grpc 请求的 istio-gateway 网关,但是会被通过 HTTP1.1 的请求做漏洞扫描,istio gateway 仍然能够处理,并且会将这个请求转发给后端的服务,后端服务由于协议不匹配,会直接断开连接,istio gateway 就会返回 503。

这样会误触发告警,并且也会影响观测正常的监控。

通过 EnvoyFilter 禁用 HTTP1

GRPC 网关的 Gateway,明确声明了端口的 protocol 为 grpc。

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-ingressgateway-grpc
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway-grpc
    istio: ingressgateway-grpc
  servers:
  - hosts:
    - '*'
    port:
      name: grpc
      number: 80
      protocol: GRPC

通过 EnvoyFilter 将 httpconnection manager 的 codec type 修改为只支持 HTTP2。

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-grpc-ingress-h1
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway-grpc
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: HTTP2

测试

没有修改之前:

curl http://192.168.1.1/test -v -H 'Host: example.com'
* About to connect() to 192.168.1.1 port 80 (#0)
*   Trying 192.168.1.1...
* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
> GET /test HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Host: example.com
>
< HTTP/1.1 503 Service Unavailable
< content-length: 85
< content-type: text/plain
< date: Tue, 11 Oct 2022 14:07:29 GMT
< server: istio-envoy
< x-envoy-upstream-service-time: 19
<
* Connection #0 to host 192.168.1.1 left intact

修改之后:

curl http://192.168.1.1/test -v -H 'Host: example.com'
* About to connect() to 192.168.1.1 port 80 (#0)
*   Trying 192.168.1.1...
* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
> GET /test HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Host: exxample.com
>
* Empty reply from server
* Connection #0 to host 192.168.1.1 left intact

istio-gateway 的日志:

[2022-10-11T14:07:30.560Z] "- - HTTP/1.1" 400 DPE http1.codec_error - "-" 0 11 0 - "-" "-" "-" "-" "-" - - 192.168.1.2:8080 192.168.10.1:40934 - - "Internal"
[2022-10-11T14:07:31.572Z] "- - HTTP/1.1" 400 DPE http1.codec_error - "-" 0 11 0 - "-" "-" "-" "-" "-" - - 192.168.1.2:8080 192.168.10.1:40954 - - "Internal"
[2022-10-11T14:07:50.622Z] "- - HTTP/1.1" 400 DPE http1.codec_error - "-" 0 11 0 - "-" "-" "-" "-" "-" - - 192.168.1.2:8080 192.168.10.1:41316 - - "Internal"

可能由于 codec 阶段就拒掉了,并没有在 http filter 的 metrics 中体现,也就不会影响到监控告警。