Local Close Reason was not set - client_ssl_auth #34997

Closed
mhears opened this issue Jul 1, 2024 · 2 comments · Fixed by #35034
mhears commented Jul 1, 2024

When using envoy.filters.network.client_ssl_auth, if the client fingerprint is not matched via the auth_api_cluster REST API, an Envoy bug is hit, as shown in the log extract below.

This appears to have the same signature as issue #26856, which was resolved for RBAC under PR #26879.

Testing carried out on Envoy v1.30.3.

[2024-07-01 15:00:12.307][1][info][config] [source/common/listener_manager/listener_manager_impl.cc:930] all dependencies initialized. starting workers
[2024-07-01 15:00:22.600][2146][error][envoy_bug] [source/common/http/conn_manager_impl.cc:597] envoy bug failure: !local_close_reason.empty(). Details: Local Close Reason was not set!
[2024-07-01 15:00:22.601][2146][error][envoy_bug] [./source/common/common/assert.h:38] stacktrace for envoy bug
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #0 UNKNOWN [0x40044be1fe]
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #1 UNKNOWN [0x40044b0f70]
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #2 UNKNOWN [0x40044b09ce]
[2024-07-01 15:00:22.604][2146][error][envoy_bug] [./source/common/common/assert.h:45] #3 UNKNOWN [0x40044af8bb]
[2024-07-01 15:00:22.604][2146][error][envoy_bug] [./source/common/common/assert.h:45] #4 UNKNOWN [0x4003e47ea2]
[2024-07-01 15:00:22.604][2146][error][envoy_bug] [./source/common/common/assert.h:45] #5 UNKNOWN [0x40044be1fe]
[2024-07-01 15:00:22.605][2146][error][envoy_bug] [./source/common/common/assert.h:45] #6 UNKNOWN [0x40044b0f70]
[2024-07-01 15:00:22.605][2146][error][envoy_bug] [./source/common/common/assert.h:45] #7 UNKNOWN [0x40040f6a48]
[2024-07-01 15:00:22.606][2146][error][envoy_bug] [./source/common/common/assert.h:45] #8 UNKNOWN [0x400410eb28]
[2024-07-01 15:00:22.606][2146][error][envoy_bug] [./source/common/common/assert.h:45] #9 UNKNOWN [0x40040f6adb]
[2024-07-01 15:00:22.606][2146][error][envoy_bug] [./source/common/common/assert.h:45] #10 UNKNOWN [0x40044b4de5]
[2024-07-01 15:00:22.607][2146][error][envoy_bug] [./source/common/common/assert.h:45] #11 UNKNOWN [0x40044b36a2]
[2024-07-01 15:00:22.607][2146][error][envoy_bug] [./source/common/common/assert.h:45] #12 UNKNOWN [0x40044916d1]
[2024-07-01 15:00:22.607][2146][error][envoy_bug] [./source/common/common/assert.h:45] #13 UNKNOWN [0x4004492c7d]
[2024-07-01 15:00:22.608][2146][error][envoy_bug] [./source/common/common/assert.h:45] #14 UNKNOWN [0x40053bd800]
[2024-07-01 15:00:22.608][2146][error][envoy_bug] [./source/common/common/assert.h:45] #15 UNKNOWN [0x40053bc141]

Sample configuration:

{
  "static_resources": {
    "listeners": [
      {
        "address": {
          "socket_address": {
            "address": "0.0.0.0",
            "port_value": "443"
          }
        },
        "name": "api-gateway",
        "per_connection_buffer_limit_bytes": 250000000,
        "filter_chains": [
          {
            "filters": [
              {
                "name": "envoy.client_ssl_auth",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.extensions.filters.network.client_ssl_auth.v3.ClientSSLAuth",
                  "auth_api_cluster": "authn",
                  "stat_prefix": "authn",
                  "refresh_delay": "5s"
                }
              },
              {
                "name": "envoy.http_connection_manager",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                  "codec_type": "auto",
                  "stat_prefix": "api_gateway",
                  "use_remote_address": false,
                  "forward_client_cert_details": "SANITIZE_SET",
                  "http_filters": [
                    {
                      "name": "envoy.router",
                      "typed_config": {
                        "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
                      }
                    }
                  ],
                  "route_config": {
                    "name": "local_route",
                    "virtual_hosts": [
                      {
                        "name": "service",
                        "domains": [
                          "*"
                        ],
                        "routes": [
                          {
                            "match": {
                              "safe_regex": {
                                "google_re2": {},
                                "regex": ".*"
                              }
                            },
                            "direct_response": {
                              "status": 200
                            }
                          }
                        ]
                      }
                    ]
                  }
                }
              }
            ],
            "transport_socket": {
              "name": "envoy.transport_sockets.tls",
              "typed_config": {
                "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
                "require_client_certificate": true,
                "common_tls_context": {
                  "alpn_protocols": "h2,http/1.1",
                  "tls_params": {
                    "tls_minimum_protocol_version": "TLSv1_2"
                  },
                  "tls_certificates": {
                    "certificate_chain": {
                      "filename": "/etc/ssl/service/service.cer"
                    },
                    "private_key": {
                      "filename": "/etc/ssl/service/service.key"
                    }
                  },
                  "validation_context": {
                    "trusted_ca": {
                      "filename": "/etc/ssl/certs/ca-certificates.crt"
                    }
                  }
                }
              }
            }
          }
        ]
      }
    ],
    "clusters": [
      {
        "name": "authn",
        "connect_timeout": "0.25s",
        "type": "logical_dns",
        "lb_policy": "round_robin",
        "load_assignment": {
          "cluster_name": "authn",
          "endpoints": [
            {
              "lb_endpoints": [
                {
                  "endpoint": {
                    "address": {
                      "socket_address": {
                        "address": "authn",
                        "port_value": 8080
                      }
                    }
                  }
                }
              ]
            }
          ]
        }
      }
    ]
  }
}
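
As an added example (not part of the issue and not Envoy project code), a triage script that pulls `envoy_bug` failures out of logs in the format shown above and attaches each stack trace to its failure. The function name `find_envoy_bugs` and the record fields are assumptions; the sample lines are copied from the extract above, cut to three frames.

```python
import re

# Envoy's default log layout: [timestamp][thread][level][logger] [file:line] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\]\[(?P<level>\w+)\]\[(?P<logger>\w+)\] "
                  r"\[(?P<src>[^\]]+)\] (?P<msg>.*)$")
FAILURE = re.compile(r"^envoy bug failure: (?P<cond>.*?)\. Details: (?P<details>.*)$")
FRAME = re.compile(r"^#(?P<n>\d+) (?P<sym>.+?) \[(?P<addr>0x[0-9a-f]+)\]$")

# Sample input: lines copied from the log extract in the issue, cut to three frames.
SAMPLE = """\
[2024-07-01 15:00:12.307][1][info][config] [source/common/listener_manager/listener_manager_impl.cc:930] all dependencies initialized. starting workers
[2024-07-01 15:00:22.600][2146][error][envoy_bug] [source/common/http/conn_manager_impl.cc:597] envoy bug failure: !local_close_reason.empty(). Details: Local Close Reason was not set!
[2024-07-01 15:00:22.601][2146][error][envoy_bug] [./source/common/common/assert.h:38] stacktrace for envoy bug
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #0 UNKNOWN [0x40044be1fe]
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #1 UNKNOWN [0x40044b0f70]
[2024-07-01 15:00:22.603][2146][error][envoy_bug] [./source/common/common/assert.h:45] #2 UNKNOWN [0x40044b09ce]
"""

def find_envoy_bugs(lines):
    """Return one record per 'envoy bug failure' line, with its stack frames attached."""
    events, open_by_thread = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m["logger"] != "envoy_bug":
            continue  # other loggers (config, upstream, ...) are not bug reports
        fail = FAILURE.match(m["msg"])
        if fail:
            ev = {"ts": m["ts"], "thread": int(m["tid"]), "site": m["src"],
                  "condition": fail["cond"], "details": fail["details"], "frames": []}
            events.append(ev)
            open_by_thread[ev["thread"]] = ev  # later frames on this thread belong here
            continue
        frame = FRAME.match(m["msg"])
        ev = open_by_thread.get(int(m["tid"]))
        if frame and ev is not None:
            ev["frames"].append((int(frame["n"]), frame["sym"], frame["addr"]))
    for ev in events:
        # All-UNKNOWN frames mean the trace needs symbolizing against the exact binary.
        ev["symbolized"] = any(sym != "UNKNOWN" for _, sym, _ in ev["frames"])
    return events

if __name__ == "__main__":
    for ev in find_envoy_bugs(SAMPLE.splitlines()):
        print(ev["ts"], ev["site"], ev["condition"], "-", ev["details"],
              f"({len(ev['frames'])} frames, symbolized={ev['symbolized']})")
```

Frames are keyed by worker thread id, so traces from two workers that interleave in the log stay attached to the right failure.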

htuch commented Jul 1, 2024

@ggreenway

arulthileeban commented

Looks like it is probably coming out of https://github.com/envoyproxy/envoy/blob/main/contrib/client_ssl_auth/filters/network/source/client_ssl_auth.cc#L133. I can add a PR to fix this.
