Created
May 28, 2026 22:20
EnvoyFilter to ignore TLS upgrade headers on HTTP/1.1 requests
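# Ignore RFC 2817 TLS upgrade headers on HTTP/1.1 requests.
# https://www.ietf.org/rfc/rfc2817.txt
#
# Requires Envoy >= 1.34 (ignore_http_11_upgrade in Http1ProtocolOptions).
# Fixes https://github.com/istio/istio/issues/53239 for workloads that send
#   Connection: Upgrade
#   Upgrade: TLS/1.2
# on cleartext http:// mesh traffic.
#
# Effect: an Upgrade value that matches the matcher below is ignored by the
# proxy instead of being treated as a protocol upgrade. This patch does not
# negotiate TLS on the client's behalf; whether the hop is encrypted depends
# on the transport security the mesh itself applies to the workload (for
# example its mTLS mode) -- confirm that separately before relying on it.
#
# Test:
#   curl -sv -H "Connection: Upgrade" -H "Upgrade: TLS/1.2" http://${TARGET}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ignore-http11-upgrade
spec:
  configPatches:
    # Outbound: client requests from this pod (matches upgrade_failed in istio-proxy logs).
    - applyTo: NETWORK_FILTER
      match:
        context: SIDECAR_OUTBOUND
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
      patch:
        # MERGE adds the option to the generated HttpConnectionManager config
        # rather than replacing the filter.
        operation: MERGE
        value:
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            http_protocol_options:
              ignore_http_11_upgrade:
                # Case-insensitive prefix match: covers TLS/1.2, tls/1.3, etc.
                # Upgrade values without this prefix (e.g. websocket) do not match.
                - ignore_case: true
                  prefix: TLS/
    # Inbound: requests arriving at this pod from other mesh clients.
    - applyTo: NETWORK_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
      patch:
        operation: MERGE
        value:
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            http_protocol_options:
              ignore_http_11_upgrade:
                # Same matcher as the outbound patch; keep the two in sync.
                - ignore_case: true
                  prefix: TLS/
  # Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied.
  # If omitted, the set of patches in this configuration will be applied to all workload instances in the same namespace.
  # If the EnvoyFilter is present in the config root namespace, it will be applied to all applicable workloads in any namespace.
  # The selector is commented out here, so the namespace-wide (or, in the root
  # namespace, mesh-wide) scope above is what applies. Uncomment it and set the
  # labels to limit the patch to the workloads that actually need it.
  # workloadSelector:
  #   labels:
  #     app.kubernetes.io/instance: my-app
  #     app.kubernetes.io/name: my-app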