feat(ctp): add IgnoredUpgradeTypes to HTTP1Settings#8599
Merged: zirain merged 5 commits into envoyproxy:main, Apr 1, 2026
Conversation
Codecov Report: All modified and coverable lines are covered by tests.

```diff
@@ Coverage Diff @@
##             main    #8599      +/-   ##
==========================================
- Coverage   74.41%   74.39%   -0.03%
==========================================
  Files         243      243
  Lines       38336    38345       +9
==========================================
- Hits        28526    28525       -1
- Misses       7814     7821       +7
- Partials     1996     1999       +3
```
Author (Contributor): /retest
**What type of PR is this?**

Feature - adds new API field and functionality

**What this PR does / why we need it**:

This PR adds support for `ignoreHTTP11Upgrade` in `ClientTrafficPolicy.spec.http1`, which allows Envoy to ignore HTTP/1.1 Upgrade requests instead of rejecting them with 403. This maps to Envoy's `ignore_http_11_upgrade` in https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-http1protocoloptions

**Use Case**:

Clients like Apache HttpClient 5.4+ send RFC-2817 TLS upgrade headers (`Upgrade: TLS/1.2`, `Connection: Upgrade`) by default on HTTP/1.1 requests. Envoy rejects these with 403 as a security measure against HTTP smuggling. This field allows users to configure matchers for upgrade values that should be ignored rather than rejected.

**Example usage**:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: ignore-tls-upgrade
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  http1:
    ignoreHTTP11Upgrade:
    - type: Prefix
      value: "TLS/"
```

**Which issue(s) this PR fixes**:

Fixes envoyproxy#7102

Release Notes: Yes

Signed-off-by: Michal Skalski <michal@skalski.org>
Author (Contributor): /retest
Author (Contributor): /retest (1 similar comment)
arkodg previously approved these changes (Mar 31, 2026)

arkodg reviewed (Mar 31, 2026)
As reviewers pointed out, this option is already in HTTP1Settings and the old name included redundant info.

Signed-off-by: Michal Skalski <michal@skalski.org>
Author (Contributor): /retest
Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com>
zirain approved these changes (Apr 1, 2026)
**What type of PR is this?**

Feature - adds new API field and functionality

**What this PR does / why we need it**:

This PR adds support for `ignoredUpgradeTypes` in `ClientTrafficPolicy.spec.http1`, which allows Envoy to ignore HTTP/1.1 Upgrade requests instead of rejecting them with 403. This maps to Envoy's `ignore_http_11_upgrade` in https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-http1protocoloptions

**Use Case**:

Clients like Apache HttpClient 5.4+ send RFC-2817 TLS upgrade headers (`Upgrade: TLS/1.2`, `Connection: Upgrade`) by default on HTTP/1.1 requests. Envoy rejects these with 403 as a security measure against HTTP smuggling. This field allows users to configure matchers for upgrade values that should be ignored rather than rejected.

**Example usage**:

**Which issue(s) this PR fixes**:

Fixes #7102

Release Notes: Yes
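An added illustration, not code from this PR or from Envoy Gateway or Envoy: a small Go model of the decision the description spells out. An ignore list shaped like the `ignoredUpgradeTypes` entries (a type plus a value) is applied to the tokens of an HTTP/1.1 `Upgrade` header; a request whose requested protocols all match is stripped of its upgrade and proxied as plain HTTP, anything else keeps the rejecting default, and a request without `Upgrade` is forwarded untouched. The per-token rule, the `Exact` match type, case-sensitive comparison and the exact header stripping are assumptions of this model, not a description of Envoy's codec; only `Prefix` with `TLS/` appears on the page. The sample headers are constructed, mimicking the Apache HttpClient case from the description.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// UpgradeMatcher mirrors the shape of an ignoredUpgradeTypes entry (type plus
// value). Only Prefix appears on the PR page; Exact is an added assumption.
type UpgradeMatcher struct {
	Type  string // "Exact" or "Prefix"
	Value string
}

// Matches compares one Upgrade protocol token against the matcher
// (case-sensitive, an assumption of this model).
func (m UpgradeMatcher) Matches(token string) bool {
	if m.Type == "Prefix" {
		return strings.HasPrefix(token, m.Value)
	}
	return token == m.Value
}

// Decision is what the edge proxy does with an incoming HTTP/1.1 request.
type Decision int

const (
	Forward       Decision = iota // no Upgrade header: proxy unchanged
	IgnoreUpgrade                 // every requested protocol is on the list: strip it, proxy as plain HTTP
	Reject                        // some requested protocol is not on the list: keep the protective 403 default
)

func (d Decision) String() string { return [...]string{"forward", "ignore-upgrade", "reject-403"}[d] }

// tokens splits a possibly multi-valued, comma-separated header into trimmed tokens.
func tokens(h http.Header, name string) []string {
	var out []string
	for _, v := range h.Values(name) {
		for _, t := range strings.Split(v, ",") {
			if t = strings.TrimSpace(t); t != "" {
				out = append(out, t)
			}
		}
	}
	return out
}

// Evaluate applies the ignore list: the upgrade is ignored only if every
// protocol the client asks for matches some entry; anything else is rejected,
// so a "TLS/" prefix leaves websocket or h2c requests on the default path.
func Evaluate(h http.Header, ignored []UpgradeMatcher) Decision {
	protos := tokens(h, "Upgrade")
	if len(protos) == 0 {
		return Forward
	}
	for _, p := range protos {
		matched := false
		for _, m := range ignored {
			if m.Matches(p) {
				matched = true
				break
			}
		}
		if !matched {
			return Reject
		}
	}
	return IgnoreUpgrade
}

// StripUpgrade removes the Upgrade header and the "upgrade" token from
// Connection, so the upstream sees an ordinary request and is never offered a
// protocol switch the proxy did not perform.
func StripUpgrade(h http.Header) http.Header {
	out := h.Clone()
	out.Del("Upgrade")
	var keep []string
	for _, t := range tokens(out, "Connection") {
		if !strings.EqualFold(t, "upgrade") {
			keep = append(keep, t)
		}
	}
	out.Del("Connection")
	if len(keep) > 0 {
		out.Set("Connection", strings.Join(keep, ", "))
	}
	return out
}

func main() {
	// The matcher from the PR's example: ignore RFC 2817 TLS upgrades only.
	policy := []UpgradeMatcher{{Type: "Prefix", Value: "TLS/"}}
	// Constructed sample headers, not captured traffic.
	samples := map[string]http.Header{
		"apache-httpclient": {"Upgrade": {"TLS/1.2"}, "Connection": {"Upgrade"}},
		"websocket":         {"Upgrade": {"websocket"}, "Connection": {"Upgrade"}},
		"plain":             {"Connection": {"keep-alive"}},
	}
	for name, h := range samples {
		d := Evaluate(h, policy)
		fmt.Printf("%-18s %s\n", name, d)
		if d == IgnoreUpgrade {
			fmt.Printf("%-18s forwarded as %v\n", "", StripUpgrade(h))
		}
	}
}
```

The point of requiring every token to match is that the ignore list narrows the protective default as little as possible: a policy written for `TLS/` does not quietly start accepting `Upgrade: websocket` or a combined `TLS/1.2, websocket` header, both of which still take the 403 path.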