http3: support Http3Options for downstream

api/envoy/config/core/v3/protocol.proto

@@ -416,9 +416,15 @@ message GrpcProtocolOptions {
 
 // [#not-implemented-hide:]
 //
-// A message which allows using HTTP/3 as an upstream protocol.
-//
-// Eventually this will include configuration for tuning HTTP/3.
+// A message which allows using HTTP/3.
 message Http3ProtocolOptions {
   QuicProtocolOptions quic_protocol_options = 1;
+
+  // Allows invalid HTTP messaging and headers. When this option is disabled (default), then
+  // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However,
+  // when this option is enabled, only the offending stream is terminated.
+  //
+  // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging
+  // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`.
+  google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2;
 }

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -34,7 +34,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
 // [#extension: envoy.filters.network.http_connection_manager]
 
-// [#next-free-field: 44]
+// [#next-free-field: 45]
 message HttpConnectionManager {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@@ -325,6 +325,10 @@ message HttpConnectionManager {
   config.core.v3.Http2ProtocolOptions http2_protocol_options = 9
       [(udpa.annotations.security).configure_for_untrusted_downstream = true];
 
+  // Additional HTTP/3 settings that are passed directly to the HTTP/3 codec.
+  config.core.v3.Http3ProtocolOptions http3_protocol_options = 44
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];
+
   // An optional override that the connection manager will write to the server
   // header in responses. If not set, the default is *envoy*.
   string server_name = 10

docs/root/configuration/http/http_conn_man/response_code_details.rst

@@ -99,3 +99,16 @@ All http2 details are rooted at *http2.*
     http2.unexpected_underscore, Envoy was configured to drop requests with header keys beginning with underscores.
     http2.unknown.nghttp2.error, An unknown error was encountered by nghttp2
     http2.violation.of.messaging.rule, The stream was in violation of a HTTP/2 messaging rule.
+
+Http3 details
+~~~~~~~~~~~~~
+
+All http3 details are rooted at *http3.*
+
+.. csv-table::
+   :header: Name, Description
+   :widths: 1, 2
+
+    http3.invalid_header_field, One of the HTTP/3 headers was invalid
+    http3.headers.too.large, The size of headers (or trailers) exceeded the configured limits
+    http3.unexpected_underscore, Envoy was configured to drop or reject requests with header keys beginning with underscores.

include/envoy/http/codec.h

@@ -27,6 +27,10 @@ namespace Http2 {
 struct CodecStats;
 }
 
+namespace Http3 {
+struct CodecStats;
+}
+
 // Legacy default value of 60K is safely under both codec default limits.
 static constexpr uint32_t DEFAULT_MAX_REQUEST_HEADERS_KB = 60;
 // Default maximum number of headers.

include/envoy/upstream/upstream.h

@@ -995,6 +995,11 @@ class ClusterInfo {
    */
   virtual Http::Http2::CodecStats& http2CodecStats() const PURE;
 
+  /**
+   * @return the Http2 Codec Stats.
+   */
+  virtual Http::Http3::CodecStats& http3CodecStats() const PURE;
+
 protected:
   /**
    * Invoked by extensionProtocolOptionsTyped.

source/common/http/codec_client.cc

@@ -185,7 +185,9 @@ CodecClientProd::CodecClientProd(Type type, Network::ClientConnectionPtr&& conne
     codec_ = std::unique_ptr<ClientConnection>(
         Config::Utility::getAndCheckFactoryByName<Http::QuicHttpClientConnectionFactory>(
             Http::QuicCodecNames::get().Quiche)
-            .createQuicClientConnection(*connection_, *this));
+            .createQuicClientConnection(*connection_, *this, host->cluster().http3CodecStats(),
+                                        host->cluster().http3Options(),
+                                        Http::DEFAULT_MAX_REQUEST_HEADERS_KB));
     break;
   }
   }

source/common/http/http3/BUILD

@@ -25,9 +25,11 @@ envoy_cc_library(
     name = "quic_codec_factory_lib",
     hdrs = ["quic_codec_factory.h"],
     deps = [
+        ":codec_stats_lib",
         "//include/envoy/config:typed_config_interface",
         "//include/envoy/http:codec_interface",
         "//include/envoy/network:connection_interface",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
 )
 
@@ -47,3 +49,13 @@ envoy_cc_library(
     hdrs = ["well_known_names.h"],
     deps = ["//source/common/singleton:const_singleton"],
 )
+
+envoy_cc_library(
+    name = "codec_stats_lib",
+    hdrs = ["codec_stats.h"],
+    deps = [
+        "//include/envoy/stats:stats_interface",
+        "//include/envoy/stats:stats_macros",
+        "//source/common/common:thread_lib",
+    ],
+)

source/common/http/http3/quic_codec_factory.h

@@ -2,10 +2,13 @@
 
 #include <string>
 
+#include "envoy/config/core/v3/protocol.pb.h"
 #include "envoy/config/typed_config.h"
 #include "envoy/http/codec.h"
 #include "envoy/network/connection.h"
 
+#include "common/http/http3/codec_stats.h"
+
 namespace Envoy {
 namespace Http {
 
@@ -14,8 +17,13 @@ class QuicHttpServerConnectionFactory : public Config::UntypedFactory {
 public:
   ~QuicHttpServerConnectionFactory() override = default;
 
-  virtual std::unique_ptr<ServerConnection>
-  createQuicServerConnection(Network::Connection& connection, ConnectionCallbacks& callbacks) PURE;
+  virtual std::unique_ptr<ServerConnection> createQuicServerConnection(
+      Network::Connection& connection, ConnectionCallbacks& callbacks,
+      Http::Http3::CodecStats& stats,
+      const envoy::config::core::v3::Http3ProtocolOptions& http3_options,
+      const uint32_t max_request_headers_kb,
+      envoy::config::core::v3::HttpProtocolOptions::HeadersWithUnderscoresAction
+          headers_with_underscores_action) PURE;
 
   std::string category() const override { return "envoy.quic_client_codec"; }
 };
@@ -26,7 +34,10 @@ class QuicHttpClientConnectionFactory : public Config::UntypedFactory {
   ~QuicHttpClientConnectionFactory() override = default;
 
   virtual std::unique_ptr<ClientConnection>
-  createQuicClientConnection(Network::Connection& connection, ConnectionCallbacks& callbacks) PURE;
+  createQuicClientConnection(Network::Connection& connection, ConnectionCallbacks& callbacks,
+                             Http::Http3::CodecStats& stats,
+                             const envoy::config::core::v3::Http3ProtocolOptions& http3_options,
+                             const uint32_t max_request_headers_kb) PURE;
 
   std::string category() const override { return "envoy.quic_server_codec"; }
 };

source/common/http/utility.cc

@@ -223,6 +223,24 @@ initializeAndValidateOptions(const envoy::config::core::v3::Http2ProtocolOptions
 
 } // namespace Utility
 } // namespace Http2
+namespace Http3 {
+namespace Utility {
+envoy::config::core::v3::Http3ProtocolOptions
+initializeAndValidateOptions(const envoy::config::core::v3::Http3ProtocolOptions& options,
+                             bool hcm_stream_error_set,
+                             const Protobuf::BoolValue& hcm_stream_error) {
+  envoy::config::core::v3::Http3ProtocolOptions options_clone(options);
+  if (Runtime::runtimeFeatureEnabled(
+          "envoy.reloadable_features.hcm_stream_error_on_invalid_message") &&
+      !options.has_override_stream_error_on_invalid_http_message() && hcm_stream_error_set) {
+    options_clone.mutable_override_stream_error_on_invalid_http_message()->set_value(
+        hcm_stream_error.value());
+  }
+  return options_clone;
+}
+
+} // namespace Utility
+} // namespace Http3
 
 namespace Http {
 

source/common/http/utility.h

@@ -122,7 +122,15 @@ initializeAndValidateOptions(const envoy::config::core::v3::Http2ProtocolOptions
                              const Protobuf::BoolValue& hcm_stream_error);
 } // namespace Utility
 } // namespace Http2
+namespace Http3 {
+namespace Utility {
+envoy::config::core::v3::Http3ProtocolOptions
+initializeAndValidateOptions(const envoy::config::core::v3::Http3ProtocolOptions& options,
+                             bool hcm_stream_error_set,
+                             const Protobuf::BoolValue& hcm_stream_error);
 
+} // namespace Utility
+} // namespace Http3
 namespace Http {
 namespace Utility {
 

source/common/quic/BUILD

@@ -128,10 +128,12 @@ envoy_cc_library(
     tags = ["nofips"],
     deps = [
         ":envoy_quic_simulated_watermark_buffer_lib",
+        ":envoy_quic_utils_lib",
         ":quic_filter_manager_connection_lib",
         "//include/envoy/event:dispatcher_interface",
         "//include/envoy/http:codec_interface",
         "//source/common/http:codec_helper_lib",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
 )
 
@@ -189,8 +191,10 @@ envoy_cc_library(
         "//source/common/common:assert_lib",
         "//source/common/common:empty_string",
         "//source/common/http:header_map_lib",
+        "//source/common/http/http3:codec_stats_lib",
         "//source/common/network:connection_base_lib",
         "//source/common/stream_info:stream_info_lib",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
 )