Recommendation: Enforce the canonical scheme at the edge. Validate the scheme-carrying headers on every request and set X-Forwarded-Proto from the edge's own knowledge of the connection (https when the edge terminated TLS, http otherwise) before forwarding, so that downstream services see a single, unambiguous scheme instead of whatever the client or an intermediate hop supplied.

Ambiguity arises when frontends sit behind TLS termination or reverse proxies: the backend's own connection is often cleartext even though the client's was TLS, so the backend can only learn the original scheme from a header. Decide on one rule for the deployment and record the scheme chosen for every request so that decisions are traceable. When the header is missing or inconsistent (X-Forwarded-Proto and Forwarded disagree, or one header carries several comma-separated values), prefer the scheme derived from the edge's own TLS state over upstream hints, and never trust a value that arrived from an untrusted peer: any client can set X-Forwarded-Proto, so a blindly trusted value lets a cleartext request masquerade as https, or the reverse.

Whatever the platform, make sure the load balancer preserves the scheme and forwards it to the backend via X-Forwarded-Proto (or the proto parameter of the standard Forwarded header), and that exactly one layer terminates TLS: double termination, or a proxy chain in which two hops each add their own hint, is the usual source of conflicting values. Keep the set of header checks small and predictable, and make the policy part of the deployment pipeline so it is applied the same way in every environment.

Use a scenario-based approach: define a baseline policy, test it in the deployment pipeline across every path that reaches the backend (cleartext, TLS terminated at the edge, TLS re-encrypted to the backend), and verify that each path resolves to a consistent scheme. Keep a record of decisions and outcomes so that future changes stay auditable and reproducible.

In practice, base http-to-https redirect decisions only on the scheme the edge established itself, never on hints from untrusted peers (a spoofed hint either suppresses the redirect or produces a redirect loop); apply scheme handling explicitly in one layer rather than in every service, and keep an explicit allow/deny rule set to minimize risk. For HTTP/2 frontends, keep the canonical scheme authoritative at the edge and log every decision, so that routing behaves under high load exactly as it did in testing.

How the Scheme header influences HTTP/2 load balancer routing decisions

Recommended action: Treat the scheme as a decisive routing signal and map http to the http_pool and https to the https_pool. Terminate TLS at the load balancer when possible: the edge then knows the true scheme from its own connection, and the :scheme pseudo-header it forwards is accurate, which simplifies downstream policy. Note that an HTTP/2 client chooses the :scheme value in its own request frames; the load balancer must check that value against the connection's actual TLS state, and correct or reject a mismatch, before using it for routing.

Testing and rollout: start with a controlled subset of traffic as a pilot and measure the impact on latency and error rate. Validate that each pool is sized for the volume it actually receives and that the configuration holds under peak load. Set an alerting threshold on routing deviations (requests landing in the wrong pool, or a scheme that differs between hops) and track the difference between expected and actual outcomes. For HAProxy, keep the frontend and backend sections cleanly separated and verify that header inspection and any decompression do not interfere with the TLS flow.
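The policy from the first section and the pool mapping above, as one added example that is not code from the page: a Python function that resolves the canonical scheme from the edge's own TLS state, the X-Forwarded-Proto and Forwarded hints, and whether the peer is a trusted proxy; it flags spoof attempts, rewrites the header for the upstream, and picks the pool. The trusted proxy range (10.0.0.0/8), the pool names taken from the text, and the assumption that this edge is the outermost TLS terminator are illustrative.

```python
"""Canonical scheme resolution at the edge (added example, not the page's code)."""
from dataclasses import dataclass
import ipaddress

# Assumed: hops inside this range are our own proxies whose hints we accept.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
POOLS = {"http": "http_pool", "https": "https_pool"}   # pool names from the text


@dataclass(frozen=True)
class Decision:
    scheme: str      # canonical scheme forwarded downstream
    source: str      # "tls" (our own connection), "hint" (trusted proxy) or "default"
    spoofed: bool    # a hint disagreed with what we know; worth a metric


def _forwarded_protos(value):
    """Extract proto= parameters from an RFC 7239 Forwarded header (one hop per element)."""
    protos = []
    for element in value.split(","):
        for pair in element.split(";"):
            key, _, val = pair.strip().partition("=")
            if key.lower() == "proto":
                protos.append(val.strip().strip('"').lower())
    return protos


def resolve_scheme(tls_terminated_here, peer_ip, headers):
    """headers: {lowercase-name: [values]} so duplicate header lines stay visible."""
    hints = []
    for v in headers.get("x-forwarded-proto", []):
        hints.extend(p.strip().lower() for p in v.split(","))
    for v in headers.get("forwarded", []):
        hints.extend(_forwarded_protos(v))
    if tls_terminated_here:
        # Our own TLS handshake is ground truth; any cleartext hint is a spoof attempt or a bug.
        return Decision("https", "tls", any(h != "https" for h in hints))
    trusted = any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if trusted and hints:
        if len(set(hints)) == 1 and hints[0] in POOLS:
            return Decision(hints[0], "hint", False)
        # Two hops disagree: treat as cleartext so nothing https-only is granted.
        return Decision("http", "default", True)
    # Cleartext connection from an untrusted peer: hints are client-controlled, ignore them.
    return Decision("http", "default", bool(hints))


def upstream_headers(decision, headers):
    """Replace every inbound scheme hint with the single canonical value."""
    out = {k: list(v) for k, v in headers.items()
           if k not in ("x-forwarded-proto", "forwarded")}
    out["x-forwarded-proto"] = [decision.scheme]
    return out


def select_pool(decision):
    return POOLS[decision.scheme]


if __name__ == "__main__":
    # Constructed request: cleartext hop from an untrusted peer claiming https.
    d = resolve_scheme(False, "203.0.113.5", {"x-forwarded-proto": ["https"]})
    print(d, select_pool(d))
```

A request that reaches the edge over the edge's own TLS listener is https regardless of hints; a hint is honoured only when it comes from a trusted proxy and all hops agree; everything else falls back to http and is counted as a spoof attempt, so the metric also surfaces misconfigured proxy chains.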

Setting up scheme-aware routing rules on popular HTTP/2 load balancers

Start by enabling scheme-aware routing at the edge and split traffic into two pools: http_backend and https_backend. Once the edge has validated the :scheme pseudo-header, pass it through unaltered so downstream services see the correct scheme and apply the right policy. Begin with a small, clearly scoped set of rules for the two cases to minimize risk and speed up iteration; the rule set can grow later.

Envoy makes this straightforward: define a route whose header match is on :scheme and forward to the corresponding cluster. Use two clusters named http_backend and https_backend, enable health checks, and keep the route match narrow so it resolves quickly. Tag the route in the access log with a stable marker so results can be correlated across environments. When you push changes, coordinate with the team that owns the deployment and verify the behaviour in a test that mirrors production conditions.

NGINX with HTTP/2: route on the $scheme variable, which NGINX derives from the listening socket (whether the connection was TLS) rather than from any client header, so the client cannot spoof it. Create a map block keyed on $scheme that yields http_backend or https_backend and use the mapped variable as the proxy_pass target. Keep the change small, and in containerized environments confirm that any dynamic modules the configuration relies on are present in the image before enabling the rule.

HAProxy: implement a frontend rule that selects a backend according to whether the connection was TLS (the ssl_fc fetch is the authoritative signal; a client-supplied header is not). Use separate backends, keep timeouts tuned to avoid tail latency, and enable keep-alive for performance. Validate with targeted curl tests and telemetry dashboards to confirm that requests resolve to the appropriate backend and to catch misrouting early.

Traefik: create two routers, one attached to the http entrypoint and one to the https entrypoint, each connected to the corresponding service. Terminate TLS at the edge, enable TLS on the https router only, then monitor latency and error rates. The same split works on each of these platforms, and a single, cohesive configuration stays maintainable as the project grows.

Testing and maintenance: run a staging environment that mirrors production, cross-check the scheme resolved for each request, and verify that http and https traffic stay in their intended pool. Keep logs succinct and searchable, and annotate changes with meaningful names for quick rollback. Review changes case by case and follow internal naming conventions. Balance security and performance by enabling strict TLS settings on https paths while keeping http paths lightweight.

Case studies and ongoing notes: document outcomes, record how each route behaved (for example whether traffic shifted as intended), and keep small changes easily reversible. Confirm that routing remains correct when TLS certificates rotate, and test the scheme-aware rules explicitly under slow or high-latency conditions. Keep the rules compatible with legacy backends while preserving the ability to re-route on demand.

Crafting globbing patterns to route traffic by host and path across schemes

Start with initialization: load the host globs and path globs into the router's rule table, and resolve any hostnames the rules refer to before patterns are applied. Provide a command that reloads rules without downtime, keep an explicit, ordered list of destinations for each match, treat removed rules as safe to drop, and log every transition for auditability.

Define paired sets: host glob patterns determine the subdomain scope, while path glob patterns define the resource space. Use host patterns like *.example.com for subdomains and docs.example.org for precise hosts; pair them with path patterns such as /api/* (one path segment) or /assets/** (any depth). Normalize before matching: lowercase the host and strip the port, percent-decode the path once and collapse . and .. segments; otherwise a path such as /api/../internal/x can be matched by an /api/ rule while the backend serves /internal/x. When a request arrives on any scheme, apply host globs first, then path globs, and finally resolve to the backend named by the matched rule. If multiple rules match, resolve deterministically: by numeric priority first, then by the more specific pattern, then by definition order. Reserve regular-expression rules for edge cases a glob cannot express, as a controlled safety net.

Architectural signals: flag rules for private endpoints (internal services behind VPNs or private DNS zones) explicitly, store them with a distinct numeric weight, and refuse to route to them from the public side regardless of what the host and path match. Nodes that serve specialised workloads get a label and are routed through the same host/path logic. Have the data plane fetch the rule set periodically, with a command to trigger a clean reinitialization. Store the rule set as a single versioned blob so reloads are fast and changes are atomic.

Concrete pattern examples: (hostGlob, pathGlob) => backend. (*.example.com, /api/*) routes to Backend-A; (shop.*.example.org, /checkout/*) routes to Backend-B; (private.*.corp, /internal/*) routes to Backend-Private. If a request matches no rule, route it to a default sink and log it for telemetry. Keep the set of regex fallbacks as small as possible to preserve matching speed, reserving regex for truly ambiguous cases.

Operational guidance: annotate entries with a stable identifier to aid diagnostics across dashboards, and if a rule becomes stale, remove it via the reload command and re-run initialization. Keep host decisions independent of the client-side scheme. Logs may show unusual or legacy user agents; routing decisions must rely on host and path, never on the User-Agent string, which the client controls.

Security and maintenance: keep private routes isolated from the public surface, terminate TLS at edge nodes when possible, and rely on host/path matching to steer traffic rather than query parameters, which are easy to forge and easy to miss in logs. Maintain a lean set of rules; avoid heavy globbing unless the compiled patterns are cached at initialization. Regularly review the list of destinations and prune unused rules to keep routing decisions fast and predictable.
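The host/path router described in this section, as an added Python example rather than code from the page: it compiles host globs (where * is one DNS label) and path globs (where * is one segment and ** any depth), normalizes host and path before matching, orders rules by priority, specificity and definition order, and never routes to a private destination from the public side. The rules reuse the page's three examples; the extra /assets/** rule, the Backend-Assets name and the default-sink name are assumptions for the example.

```python
"""Host/path glob router with normalization and private-route isolation (added example)."""
import re
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    host_glob: str
    path_glob: str
    backend: str
    priority: int = 0        # higher wins; ties broken by specificity, then definition order
    private: bool = False    # only reachable when the request arrived from an internal peer


def glob_to_regex(glob, sep):
    """'**' -> any characters; '*' -> any run without the separator; everything else literal."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^" + re.escape(sep) + "]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def normalize_host(raw):
    """Lowercase, strip port and trailing dot; keep IPv6 literals such as [::1]:8080 intact."""
    h = raw.strip().lower()
    if h.startswith("[") and "]" in h:
        h = h[: h.index("]") + 1]
    else:
        h = h.split(":", 1)[0]
    return h.rstrip(".")


def normalize_path(raw):
    """Drop the query, percent-decode once, collapse '.', '..' and repeated slashes.

    Without this, '/api/%2e%2e/assets/x' would look like an API path to a '/api/**' rule
    while the backend actually serves '/assets/x'.
    """
    p = normpath("/" + unquote(raw.split("?", 1)[0]))
    return re.sub(r"^/+", "/", p)   # posixpath keeps a leading '//', which we do not want


def _specificity(rule):
    """Count literal characters; more literal text means a more specific rule."""
    return len(rule.host_glob.replace("*", "")) + len(rule.path_glob.replace("*", ""))


class Router:
    def __init__(self, rules, default_backend="default-sink"):
        self.default = default_backend
        # sorted() is stable, so equal priority and specificity keep definition order
        ordered = sorted(rules, key=lambda r: (-r.priority, -_specificity(r)))
        self.table = [(r, glob_to_regex(r.host_glob, "."), glob_to_regex(r.path_glob, "/"))
                      for r in ordered]

    def route(self, host, path, peer_internal=False):
        """Return the backend name; unmatched requests go to the default sink."""
        host, path = normalize_host(host), normalize_path(path)
        for rule, host_re, path_re in self.table:
            if rule.private and not peer_internal:
                continue   # never expose private destinations to the public side
            if host_re.match(host) and path_re.match(path):
                return rule.backend
        return self.default


RULES = [
    Rule("*.example.com", "/api/*", "Backend-A"),
    Rule("shop.*.example.org", "/checkout/*", "Backend-B"),
    Rule("private.*.corp", "/internal/*", "Backend-Private", private=True),
    Rule("*.example.com", "/assets/**", "Backend-Assets"),   # assumed extra rule for '**'
]
ROUTER = Router(RULES)

if __name__ == "__main__":
    for host, path, internal in [("API.Example.COM:443", "/api/users", False),
                                 ("private.ops.corp", "/internal/status", False),
                                 ("api.example.com", "/api/%2e%2e/assets/x", False)]:
        print(host, path, "->", ROUTER.route(host, path, internal))
```

The private rule is skipped, not merely deprioritized, for public peers, so a public request that matches its host and path still lands in the default sink. Deterministic ordering is computed once at load time, which is also where a real deployment would cache the compiled patterns.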

Security considerations: avoiding header spoofing and misrouting with globbing

Enforce exact header validation at the edge and drop untrusted headers before routing. Do not let globbing over client-supplied header values select backends; use an allowlist of precise header names (and values, where the value matters) and enforce it at the edge gateway. Replace Host and X-Forwarded-For with data the edge has verified (Host checked against the names the edge actually serves, X-Forwarded-For rebuilt from the peer address unless the peer is a trusted proxy), and only then attach a signed session id to the request. Record detected spoof attempts as a metric and alert on rapid changes in header patterns. Disable TLS 1.0 and 1.1 and require TLS 1.2 or newer, isolating legacy clients behind a separate proxy. Reduce multi-valued headers to a single normalized value before forwarding, and reject requests in which a single-valued header such as Host or Content-Length carries conflicting values, since those ambiguities are exactly what request smuggling and misrouting exploit. If anomalies appear, roll back to a known-good configuration and continue testing with benign traffic. The layered policy stays inside the proxy stack; lint policy scripts before deployment and keep audit logs on durable storage so they can be replayed during an investigation. The proxy handles headers alone, never business data.

Implementation details

Edge policy scrubs untrusted headers and applies an allowlist of exact header names and values; any header that does not match is dropped. Globbing plays no part in this decision: each policy maps to a single, fixed backend. Bind the session id to the client after TLS validation and retain it in the internal correlation store. Count spoof attempts in a metric and raise a timer-based alert when values shift outside expected ranges. Never pass credentials on command lines or in form fields of scripts; prefer TLS client authentication and a secret manager. Flatten multi-value headers to a single value before forwarding, and reject conflicting single-valued ones. If anomalies occur, roll back to the last known-good configuration and re-test with safe traffic. Keep durable logs, lint policy scripts before deployment, and agree in advance who is responsible for rapid corrective action when issues arise.

Operational extensions

Establish metric-driven monitoring: track spoof attempts, misroutes and blocked headers, and close detection gaps by correlating header activity with the session id. Lint policy scripts as part of the pipeline. Keep the allowed set of headers small; rate-limit per IP and per header family, with a timer, to absorb bursts. Keep logs on durable storage for post-incident analysis and support rolling the configuration back when a problem is detected. Never write credentials to logs; rotate secrets and prefer TLS client authentication. Inside the edge, separate policy logic from traffic shaping, so that a change to one cannot alter routing without review. This approach reduces the risk of spoofing and misrouting when globbing patterns are involved.
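The edge scrubbing rules from the three paragraphs above, as an added Python example (not the page's own code): an allowlist of header names, duplicate and comma-joined values reduced to one normalized value, conflicting copies of single-valued headers rejected, Host checked against the served names, X-Forwarded-For rebuilt from the peer address unless the peer is a trusted proxy, and a metrics counter for each kind of spoof attempt. The allowlist, the served host names, the trusted proxy range and the Rejected exception are assumptions for the example.

```python
"""Edge header scrubbing: allowlist, duplicate handling, trusted-peer overrides (added example)."""
from collections import Counter
import ipaddress

# Assumed allowlist for the example; a real edge derives this from what the backends need.
ALLOWED_HEADERS = {"host", "content-type", "content-length", "accept", "authorization",
                   "user-agent", "x-forwarded-for", "x-forwarded-proto", "x-request-id"}
# Headers that must carry exactly one value; conflicting copies are a smuggling/misrouting signal.
SINGLE_VALUED = {"host", "content-length", "x-forwarded-proto", "authorization"}
SERVED_HOSTS = {"lb.local", "api.example.com"}                 # assumed
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]         # assumed


class Rejected(Exception):
    """Raised for requests the edge must answer with 400 instead of forwarding."""


class EdgeScrubber:
    def __init__(self):
        self.metrics = Counter()   # feeds the spoof/misroute dashboards

    def scrub(self, raw_headers, peer_ip):
        """raw_headers: list of (name, value) in wire order. Returns the normalized dict."""
        grouped = {}
        for name, value in raw_headers:
            n = name.strip().lower()
            if n not in ALLOWED_HEADERS:
                self.metrics["dropped_header"] += 1
                continue
            # list headers: treat 'A: x, y' and two separate 'A:' lines alike
            parts = [value.strip()] if n in SINGLE_VALUED else [v.strip() for v in value.split(",")]
            grouped.setdefault(n, []).extend(p for p in parts if p)
        out = {}
        for n, values in grouped.items():
            uniq = list(dict.fromkeys(values))        # dedupe, keep first-seen order
            if n in SINGLE_VALUED:
                if len(uniq) != 1:
                    self.metrics["conflicting_header"] += 1
                    raise Rejected(f"conflicting values for {n}")
                out[n] = uniq[0]
            else:
                out[n] = ", ".join(uniq)
        host = out.get("host", "").split(":", 1)[0].lower()
        if host not in SERVED_HOSTS:
            self.metrics["bad_host"] += 1
            raise Rejected("host not served here")
        out["host"] = host
        trusted = any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
        if trusted:
            # append, never replace, so the proxy chain stays auditable
            prior = out.get("x-forwarded-for")
            out["x-forwarded-for"] = f"{prior}, {peer_ip}" if prior else peer_ip
        else:
            # a client talking to us directly has no business setting forwarding headers
            if "x-forwarded-for" in out or "x-forwarded-proto" in out:
                self.metrics["spoof_attempt"] += 1
            out["x-forwarded-for"] = peer_ip
            out.pop("x-forwarded-proto", None)
        return out


if __name__ == "__main__":
    s = EdgeScrubber()
    # Constructed request from an untrusted peer that tries to spoof X-Forwarded-For.
    print(s.scrub([("Host", "lb.local"), ("X-Forwarded-For", "1.2.3.4"), ("X-Evil", "x")],
                  "203.0.113.9"), dict(s.metrics))
```

Rejecting, rather than silently picking one copy of Host or Content-Length, is the point: the edge and the backend must never resolve the same ambiguity differently, which is how a smuggled or misrouted request gets through.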

Practical debugging: tests and logs to verify scheme and globbing behavior

Enable verbose edge and backend logs, then run the test suite to verify scheme resolution and path globbing across all routes. Capture the :scheme pseudo-header, Forwarded and X-Forwarded-Proto at each hop to confirm that the design enforces the intended policy and that any headers the edge rewrote match what the routing rules expect.

Tests to verify scheme handling

Run targeted requests that exercise both the cleartext and the TLS path, then inspect backend logs for the exact scheme the upstream saw. Emulate real clients where necessary, and use the forwarding headers to corroborate what the backend actually received. For each test, record the expected scheme (http or https) and verify that the result is consistent across iterations. Include a baseline for routes that inherit headers from a parent configuration, to preserve backward compatibility and to detect stale behaviour introduced by recent changes.

Logs to collect and interpret

At edge and origin, log the following fields: request path, :scheme, Forwarded, X-Forwarded-Proto, and the matched glob pattern. Note any discrepancy between the client-visible scheme and the scheme seen upstream, and map it to the route rule responsible. Keep the log set focused by enabling minimal, useful verbosity and excluding noisy entries from non-critical modules. When you modify a route, tag the event as modified and verify that the change propagates to downstream services. Keep authentication headers (SPNEGO and the like) out of scheme tests unless they are the subject, so they do not mask the core behaviour.

Test matrix (scenario, command or log field, expected result, notes):

Scenario: Basic HTTP request
Command: curl -sS http://lb.local/api/public -D - -o /dev/null
Expected: backend sees :scheme=http; Forwarded and X-Forwarded-Proto reflect http
Notes: verify the cleartext path in the design and confirm there is no unintended redirect.

Scenario: TLS termination, upstream visibility
Command: curl -sS https://lb.local/api/public -D - -o /dev/null
Expected: backend sees :scheme=https; X-Forwarded-Proto: https
Notes: confirm that TLS termination at the edge preserves the intended scheme downstream.

Scenario: Globbing pattern test, /api/* versus /api/**
Command: GET /api/users; GET /api/v1/users/123/details
Expected: the first path matches /api/* (a single segment); the second is deeper and matches only /api/**; upstream receives the original path unless a rewrite is configured
Notes: document which glob pattern is active for the route and verify against any path rewrites.

Scenario: Stale header behaviour after a cache purge
Command: curl -sS https://lb.local/cache-test -D - -o /dev/null
Expected: headers reflect the current policy after the purge; no stale Forwarded values
Notes: confirm that cache invalidation affects headers as designed; useful input for deprecation plans.
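A cross-hop consistency check run over constructed log lines, as an added example rather than anything from the page. It assumes key=value access-log lines with the fields hop, req, path, scheme, xfp (the X-Forwarded-Proto value at that hop) and rule, which are assumptions for the example, and it reports per request where the scheme, the forwarded hint or the matched pattern changed between edge and origin, or where the origin never saw the request at all.

```python
"""Cross-hop scheme/glob consistency check over constructed access logs (added example)."""
from collections import defaultdict

# Constructed sample logs. Field names are assumed; r2, r3, r4 and r5 each carry one defect.
EDGE_LOG = """\
hop=edge req=r1 path=/api/public scheme=http xfp=http rule=/api/*
hop=edge req=r2 path=/api/public scheme=https xfp=https rule=/api/*
hop=edge req=r3 path=/api/v1/users/123/details scheme=https xfp=https rule=/api/**
hop=edge req=r4 path=/cache-test scheme=https xfp=https rule=/cache-test
hop=edge req=r5 path=/api/public scheme=https xfp=https rule=/api/*
"""

ORIGIN_LOG = """\
hop=origin req=r1 path=/api/public scheme=http xfp=http rule=/api/*
hop=origin req=r2 path=/api/public scheme=http xfp=https rule=/api/*
hop=origin req=r3 path=/api/v1/users/123/details scheme=https xfp=https rule=/api/*
hop=origin req=r4 path=/cache-test scheme=https xfp=http rule=/cache-test
"""


def parse_log(text):
    """Return {req_id: {field: value}} for whitespace-separated key=value log lines."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        records[fields["req"]] = fields
    return records


def check_hops(edge_text, origin_text):
    """Compare each request's edge record with its origin record; return {req: [issues]}."""
    edge, origin = parse_log(edge_text), parse_log(origin_text)
    findings = defaultdict(list)
    for req, e in edge.items():
        o = origin.get(req)
        if o is None:
            findings[req].append("missing-at-origin")     # dropped, or logged under another id
            continue
        for hop, rec in (("edge", e), ("origin", o)):
            # scheme and the forwarded hint must agree at every hop, or the
            # backend will redirect/secure-cookie on the wrong assumption
            if rec.get("scheme") != rec.get("xfp"):
                findings[req].append(f"xfp-mismatch@{hop}")
        if e.get("scheme") != o.get("scheme"):
            findings[req].append("scheme-changed")         # a hop rewrote the scheme
        if e.get("rule") != o.get("rule"):
            findings[req].append("rule-changed")           # /api/* vs /api/** resolved differently
        if e.get("path") != o.get("path"):
            findings[req].append("path-rewritten")
    return {req: sorted(issues) for req, issues in findings.items()}


if __name__ == "__main__":
    for req, issues in sorted(check_hops(EDGE_LOG, ORIGIN_LOG).items()):
        print(req, ", ".join(issues))
```

Requests with no findings (r1 here) are simply absent from the result, so the output doubles as the list of rows from the test matrix that need a closer look.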