Skip to content

Fix Pingora forwarding Connection: closed to upstream, causing the co… #713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix Pingora forwarding Connection: closed to upstream, causing the co… #713

wants to merge 3 commits into from

Conversation

@deancollin
Copy link

@deancollin deancollin commented Oct 18, 2025

I discovered an important bug in Pingora: it forwards hop-by-hop headers directly to upstream servers, which violates HTTP specifications (RFC 7230 and RFC 7540) and causes serious performance degradation.

The most critical case is when clients send Connection: close, which Pingora incorrectly forwards to the upstream server. This causes the connection between Pingora and upstream to close unnecessarily, breaking connection reuse and severely impacting performance.

Problem Demonstration

Request from client:

GET / HTTP/1.1
Host: example.com
Connection: close

What Pingora currently forwards to upstream (WRONG):

GET / HTTP/1.1
Host: example.com
Connection: close  ← Should NOT be forwarded

Correct behavior (should be removed):

GET / HTTP/1.1
Host: example.com

Root Cause Analysis

Through code analysis, the problem occurs in several places:

  1. HTTP/1 → HTTP/1 forwarding path (pingora-proxy/src/proxy_h1.rs)

    • Directly clones all request headers without any filtering
    • Results in all hop-by-hop headers being forwarded

  2. HTTP/2 forwarding path (pingora-proxy/src/proxy_h2.rs)

    • Has partial hop-by-hop header handling but is incomplete
    • Missing handling for TE, Trailers, Proxy-* headers

  3. Lack of unified handling mechanism

    • Different code paths handle headers inconsistently
    • Easy for hop-by-hop headers to leak through in certain scenarios

RFC Specification Requirements

According to RFC 7230 (HTTP/1.1 Message Syntax) and RFC 7540 (HTTP/2), the following headers are hop-by-hop headers that proxies MUST remove:

  • Connection
  • Keep-Alive
  • Proxy-Authenticate
  • Proxy-Authorization
  • TE
  • Trailers
  • Transfer-Encoding
  • Upgrade

Additionally, RFC 7230 specifies that the Connection header can declare other headers as hop-by-hop (e.g., Connection: close, X-Custom-Header means X-Custom-Header should also be removed).

Solution

My fix includes the following:

1. Add unified hop-by-hop header removal method

Add new method remove_hop_by_hop_headers() to RequestHeader in pingora-http/src/lib.rs:

pub fn remove_hop_by_hop_headers(&mut self) {
    // 1. First extract hop-by-hop headers declared in Connection header
    // 2. Remove standard RFC-defined hop-by-hop headers
    // 3. Remove hop-by-hop headers declared in Connection header
}

This method handles:

  • ✅ All 8 RFC-defined standard hop-by-hop headers
  • ✅ Custom hop-by-hop headers declared in Connection header
  • ✅ Case-insensitive header names
  • ✅ Full RFC 7230/7540 compliance

2. Apply to all request forwarding paths

  • HTTP/1 forwarding (proxy_h1.rs): Call remove_hop_by_hop_headers() before forwarding
  • HTTP/2 forwarding (proxy_h2.rs): Unified use of new method replacing manual removal

3. Add comprehensive test cases

Add 3 test cases verifying:

  • Removal of standard hop-by-hop headers
  • Removal of headers declared in Connection
  • Case-insensitive header handling

Modified Files

  1. pingora-http/src/lib.rs

    • New remove_hop_by_hop_headers() method (~40 lines)
    • 3 new test cases (~80 lines)

  2. pingora-proxy/src/proxy_h1.rs

    • Add method call before request forwarding (2 lines)

  3. pingora-proxy/src/proxy_h2.rs

    • Replace manual header removal with new method (~5 lines)

Test Verification

All tests pass:

✅ test_remove_hop_by_hop_headers - Verify standard header removal
✅ test_connection_declared_headers - Verify declared header removal
✅ test_remove_hop_by_hop_headers_case_insensitive - Verify case handling
✅ Other 11 existing tests - All passing
✅ Build successful - No errors or warnings

Performance Impact

  • CPU overhead: None (only basic string comparison and header removal)
  • Memory usage: No increase
  • Latency improvement: Significant (maintains connection reuse, eliminates unnecessary TCP handshakes and TLS negotiation)

In high-traffic scenarios, the connection reuse improvement will provide very noticeable performance gains.

Backward Compatibility

This is a bug fix, not a new feature. Theoretically it's a breaking change, but will only affect code that relied on the incorrect behavior (forwarding hop-by-hop headers). Correct code is unaffected.

Verification

You can verify the fix by:

  1. Start the fixed Pingora proxy
  2. Start an upstream TCP listener (e.g., socat TCP-LISTEN:3000,reuseaddr,fork -)
  3. Send a request with Connection: close
  4. Verify the upstream does NOT receive the Connection header

References

Summary

This PR fixes a critical compliance and performance issue where Pingora was violating HTTP specifications by forwarding hop-by-hop headers. The fix is minimal, well-tested, and brings Pingora into full RFC 7230 and RFC 7540 compliance while significantly improving performance through maintained connection reuse.

nojima
nojima reviewed Oct 21, 2025
View reviewed changes
@deancollin deancollin requested a review from nojima October 21, 2025 13:20
nojima
nojima approved these changes Oct 21, 2025
View reviewed changes
Copy link

@nojima nojima left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix for my comment (d6faac7) looks good to me.
I’m not a committer on this project, so I’ll leave any further reviews / the final approval and merge to the committers.

@deancollin
Copy link
Author

deancollin commented Oct 21, 2025

针对我评论 ( d6faac7 )的修复看起来不错。 我不是这个项目的提交者,所以我会把后续的审核/最终批准和合并留给提交者。

Thanks a lot! I've also added SNI refinement: **I've added SNI passthrough to the Rustls/TLS implementation in pingora-core; the runtime link can read SNI and write routing context and logs. I'm considering submitting this feature as well.

@drcaramelsyrup drcaramelsyrup self-assigned this Oct 24, 2025
@drcaramelsyrup drcaramelsyrup added the bug Something isn't working label Oct 24, 2025
@drcaramelsyrup
Copy link
Collaborator

drcaramelsyrup commented Oct 24, 2025

A few high level notes for now:

  • To be somewhat transparent, we deal with a lot of non-RFC-compliant traffic, so it's possible the addition of the new hop-by-hop headers may need to be optional (e.g. a function callable from upstream_request_filter) or otherwise feature flag configurable.
  • We would prefer if we kept other irrelevant commits out of the PR for the time being, the SNI one does not look like it's part of the immediate issue.

Generally speaking, by default I agree making sure the Connection header is stripped or overridden makes sense to avoid user footgun.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@nojima nojima nojima approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

@drcaramelsyrup drcaramelsyrup

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@deancollin @drcaramelsyrup @nojima @SunGreatSage