nit(app): remove frivolous code (#4094 )

this commit removes a piece of code that has been commented out. it additionally removes a variable binding that is not needed. `dst` is not moved, so we do not need to bind the address of the destination service to a variable, nor do we need to clone it. Signed-off-by: katelyn martin <kate@buoyant.io>
build(deps): bump tempfile from 3.20.0 to 3.21.0 (#4093 )
2025-08-20 11:31:09 -04:00 · 2025-08-20 10:13:45 -04:00 · 2025-08-20 10:13:04 -04:00 · 2025-08-20 10:12:43 -04:00 · 2025-08-19 15:40:53 -04:00 · 2025-08-19 15:40:39 -04:00
479 changed files with 27301 additions and 10766 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@ -4,6 +4,8 @@ FROM ghcr.io/linkerd/dev:${DEV_VERSION}
 RUN scurl https://run.linkerd.io/install-edge | sh && \
    mkdir -p "$HOME/bin" && ln -s "$HOME/.linkerd2/bin/linkerd" "$HOME/bin/linkerd"

+ENV RUSTFLAGS="--cfg tokio_unstable"
+
 # XXX(ver) This doesn't currently work, because it puts
 # /usr/local/cargo/registry into a weird state with regard to permissions.
 #RUN rustup toolchain install --profile=minimal nightly
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -3,7 +3,7 @@
 	"build": {
 		"dockerfile": "Dockerfile",
 		"args": {
-			"DEV_VERSION": "v43",
+			"DEV_VERSION": "v47",
 			"http_proxy": "${localEnv:http_proxy}",
 			"https_proxy": "${localEnv:https_proxy}"
 		}
@ -23,7 +23,15 @@
 				"zxh404.vscode-proto3"
 			],
 			"settings": {
-				"files.insertFinalNewline": true
+				"files.insertFinalNewline": true,
+				"[git-commit]": {
+					"editor.rulers": [
+						72,
+						80
+					],
+					"editor.wordWrap": "wordWrapColumn",
+					"editor.wordWrapColumn": 80
+				}
 			}
 		}
 	},
@ -42,7 +50,8 @@
 	"overrideCommand": false,
 	"remoteUser": "code",
 	"containerEnv": {
-		"CXX": "clang++-14",
+		"CXX": "clang++-19",
+		"RUSTFLAGS": "--cfg tokio_unstable"
 	},
 	"mounts": [
 		{
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@ -0,0 +1,156 @@
+# Linkerd2 Proxy Copilot Instructions
+
+## Code Generation
+
+- Code MUST pass `cargo fmt`.
+- Code MUST pass `cargo clippy --all-targets --all-features -- -D warnings`.
+- Markdown MUST pass `markdownlint-cli2`.
+- Prefer `?` for error propagation.
+- Avoid `unwrap()` and `expect()` outside tests.
+- Use `tracing` crate macros (`tracing::info!`, etc.) for structured logging.
+
+### Comments
+
+Comments should explain **why**, not **what**. Focus on high-level rationale and
+design intent at the function or block level, rather than line-by-line
+descriptions.
+
+- Use comments to capture:
+  - System-facing or interface-level concerns
+  - Key invariants, preconditions, and postconditions
+  - Design decisions and trade-offs
+  - Cross-references to architecture or design documentation
+- Avoid:
+  - Line-by-line commentary explaining obvious code
+  - Restating what the code already clearly expresses
+- For public APIs:
+  - Use `///` doc comments to describe the contract, behavior, parameters, and
+    usage examples
+- For internal rationale:
+  - Use `//` comments sparingly to note non-obvious reasoning or edge-case
+    handling
+- Be neutral and factual.
+
+### Rust File Organization
+
+For Rust source files, enforce this layout:
+
+1. **Non‑public imports**  
+   - Declare all `use` statements for private/internal crates first.  
+   - Group imports to avoid duplicates and do **not** add blank lines between
+     `use` statements.
+
+2. **Module declarations**  
+   - List all `mod` declarations.
+
+3. **Re‑exports**  
+   - Follow with `pub use` statements.
+
+4. **Type definitions**  
+   - Define `struct`, `enum`, `type`, and `trait` declarations.  
+   - Sort by visibility: `pub` first, then `pub(crate)`, then private.
+   - Public types should be documented with `///` comments.
+
+5. **Impl blocks**  
+   - Implement methods in the same order as types above.  
+   - Precede each type’s `impl` block with a header comment: `// === <TypeName> ===`
+
+6. **Tests**  
+   - End with a `tests` module guarded by `#[cfg(test)]`.
+   - If the in‑file test module exceeds 100 lines, move it to
+     `tests/<filename>.rs` as a child integration‑test module.
+
+## Test Generation
+
+- Async tests MUST use `tokio::test`.
+- Synchronous tests use `#[test]`.
+- Include at least one failing‑edge‑case test per public function.
+- Use `tracing::info!` for logging in tests, usually in place of comments.
+
+## Code Review
+
+### Rust
+
+- Point out any `unsafe` blocks and justify their safety.
+- Flag functions >50 LOC for refactor suggestions.
+- Highlight missing docs on public items.
+
+### Markdown
+
+- Use `markdownlint-cli2` to check for linting errors.
+- Lines SHOULD be wrapped at 80 characters.
+- Fenced code blocks MUST include a language identifier.
+
+### Copilot Instructions
+
+- Start each instruction with an imperative, present‑tense verb.
+- Keep each instruction under 120 characters.
+- Provide one directive per instruction; avoid combining multiple ideas.
+- Use "MUST" and "SHOULD" sparingly to emphasize critical rules.
+- Avoid semicolons and complex punctuation within bullets.
+- Do not reference external links, documents, or specific coding standards.
+
+## Commit Messages
+
+Commits follow the Conventional Commits specification:
+
+### Subject
+
+Subjects are in the form: `<type>[optional scope]: <description>`
+
+- **Type**: feat, fix, docs, refactor, test, chore, ci, build, perf, revert
+  (others by agreement)
+- **Scope**: optional, lowercase; may include `/` to denote sub‑modules (e.g.
+  `http/detect`)
+- **Description**: imperative mood, present tense, no trailing period
+- MUST be less than 72 characters
+- Omit needless words!
+
+### Body
+
+Non-trivial commits SHOULD include a body summarizing the change.
+
+- Explain *why* the change was needed.  
+- Describe *what* was done at a high level.
+- Use present-tense narration.
+- Use complete sentences, paragraphs, and punctuation.
+- Preceded by a blank line.
+- Wrapped at 80 characters.
+- Omit needless words!
+
+### Breaking changes
+
+If the change introduces a backwards-incompatible change, it MUST be marked as
+such.
+
+- Indicated by `!` after the type/scope (e.g. `feat(inbound)!: …`)  
+- Optionally including a `BREAKING CHANGE:` section in the footer explaining the
+  change in behavior.
+
+### Examples
+
+```text
+feat(auth): add JWT refresh endpoint
+
+There is currently no way to refresh a JWT token.
+
+This exposes a new `/refresh` route that returns a refreshed token.
+```
+
+```text
+feat(api)!: remove deprecated v1 routes
+
+The `/v1/*` endpoints have been deprecated for a long time and are no
+longer called by clients.
+
+This change removes the `/v1/*` endpoints and all associated code,
+including integration tests and documentation.
+
+BREAKING CHANGE: The previously-deprecated `/v1/*` endpoints were removed.
+```
+
+## Pull Requests
+
+- The subject line MUST be in the conventional commit format.
+- Auto‑generate a PR body summarizing the problem, solution, and verification steps.
+- List breaking changes under a separate **Breaking Changes** heading.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -11,12 +11,6 @@ updates:
    allow:
      - dependency-type: "all"
    ignore:
-      # These dependencies will be updated via higher-level aggregator dependencies like `clap`,
-      # `futures`, `prost`, `tracing`, and `trust-dns-resolver`:
-      - dependency-name: "futures-*"
-      - dependency-name: "prost-derive"
-      - dependency-name: "tracing-*"
-      - dependency-name: "trust-dns-proto"
      # These dependencies are for platforms that we don't support:
      - dependency-name: "hermit-abi"
      - dependency-name: "redox_*"
@ -24,6 +18,38 @@ updates:
      - dependency-name: "wasm-bindgen"
      - dependency-name: "web-sys"
      - dependency-name: "windows*"
+    groups:
+      boring:
+        patterns:
+          - "tokio-boring"
+          - "boring*"
+      futures:
+        patterns:
+          - "futures*"
+      grpc:
+        patterns:
+          - "prost*"
+          - "tonic*"
+      hickory:
+        patterns:
+          - "hickory*"
+      icu4x:
+        patterns:
+          - "icu_*"
+      opentelemetry:
+        patterns:
+          - "opentelemetry*"
+      rustls:
+        patterns:
+          - "tokio-rustls"
+          - "rustls*"
+          - "ring"
+      symbolic:
+        patterns:
+          - "symbolic-*"
+      tracing:
+        patterns:
+          - "tracing*"

  - package-ecosystem: cargo
    directory: /linkerd/addr/fuzz
--- a/.github/workflows/beta.yml
+++ b/.github/workflows/beta.yml
@ -15,20 +15,20 @@ env:
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
  RUSTUP_MAX_RETRIES: 10
-  RUSTFLAGS: "-D warnings"
+  RUSTFLAGS: "-D warnings --cfg tokio_unstable"

 permissions:
  contents: read

 jobs:
  build:
-    runs-on: ubuntu-latest
-    container: ghcr.io/linkerd/dev:v43-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
    timeout-minutes: 20
    continue-on-error: true
    steps:
      - run: rustup toolchain install --profile=minimal beta
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
      - run: just toolchain=beta fetch
      - run: just toolchain=beta build
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@ -15,17 +15,17 @@ concurrency:
 env:
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
-  RUSTFLAGS: "-D warnings -A deprecated -C debuginfo=2"
+  RUSTFLAGS: "-D warnings -A deprecated --cfg tokio_unstable -C debuginfo=2"
  RUSTUP_MAX_RETRIES: 10

 jobs:
  meta:
    timeout-minutes: 5
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - id: changed
-        uses: tj-actions/changed-files@a29e8b565651ce417abb5db7164b4a2ad8b6155c
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
            .codecov.yml
@ -40,19 +40,19 @@ jobs:
  codecov:
    needs: meta
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.meta.outputs.any_changed == 'true'
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    timeout-minutes: 30
    container:
-      image: docker://ghcr.io/linkerd/dev:v43-rust
+      image: docker://ghcr.io/linkerd/dev:v47-rust
      options: --security-opt seccomp=unconfined # 🤷
    env:
-      CXX: "/usr/bin/clang++-14"
+      CXX: "/usr/bin/clang++-19"
    steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
-      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
      - run: cargo tarpaulin --locked --workspace --exclude=linkerd2-proxy --exclude=linkerd-transport-header --exclude=opencensus-proto --exclude=spire-proto --no-run
      - run: cargo tarpaulin --locked --workspace --exclude=linkerd2-proxy --exclude=linkerd-transport-header --exclude=opencensus-proto --exclude=spire-proto --skip-clean --ignore-tests --no-fail-fast --out=Xml
        # Some tests are especially flakey in coverage tests. That's fine. We
        # only really care to measure how much of our codebase is covered.
        continue-on-error: true
-      - uses: codecov/codecov-action@6d798873df2b1b8e5846dba6fb86631229fbcb17
+      - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
--- a/.github/workflows/fuzzers.yml
+++ b/.github/workflows/fuzzers.yml
@ -17,7 +17,7 @@ env:
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
  RUST_BACKTRACE: short
-  RUSTFLAGS: "-D warnings -A deprecated -C debuginfo=0"
+  RUSTFLAGS: "-D warnings -A deprecated --cfg tokio_unstable -C debuginfo=0"
  RUSTUP_MAX_RETRIES: 10

 permissions:
@ -26,13 +26,13 @@ permissions:
 jobs:
  list-changed:
    timeout-minutes: 3
-    runs-on: ubuntu-latest
-    container: docker://rust:1.76.0
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: docker://rust:1.88.0
    steps:
      - run: apt update && apt install -y jo
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: tj-actions/changed-files@a29e8b565651ce417abb5db7164b4a2ad8b6155c
+      - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        id: changed-files
      - name: list changed crates
        id: list-changed
@ -47,15 +47,15 @@ jobs:
  build:
    needs: [list-changed]
    timeout-minutes: 40
-    runs-on: ubuntu-latest
-    container: docker://rust:1.76.0
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: docker://rust:1.88.0
    strategy:
      matrix:
        dir: ${{ fromJson(needs.list-changed.outputs.dirs) }}
    steps:
      - run: rustup toolchain add nightly
      - run: cargo install cargo-fuzz
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
      - working-directory: ${{matrix.dir}}
        run: cargo +nightly fetch
--- a/.github/workflows/markdown.yml
+++ b/.github/workflows/markdown.yml
@ -12,9 +12,9 @@ on:
 jobs:
  markdownlint:
    timeout-minutes: 5
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
-      - uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e
        with:
            globs: "**/*.md"
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -14,7 +14,7 @@ on:
 env:
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
-  RUSTFLAGS: "-D warnings -A opaque_hidden_inferred_bound -C debuginfo=0"
+  RUSTFLAGS: "-D warnings -A opaque_hidden_inferred_bound --cfg tokio_unstable -C debuginfo=0"
  RUSTUP_MAX_RETRIES: 10

 permissions:
@ -22,13 +22,13 @@ permissions:

 jobs:
  build:
-    runs-on: ubuntu-latest
-    container: ghcr.io/linkerd/dev:v43-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
    timeout-minutes: 20
    continue-on-error: true
    steps:
      - run: rustup toolchain install --profile=minimal nightly
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
      - run: just toolchain=nightly fetch
      - run: just toolchain=nightly profile=release build
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -5,7 +5,7 @@ env:
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
  RUSTUP_MAX_RETRIES: 10
-  RUSTFLAGS: "-D warnings -D deprecated -C debuginfo=0"
+  RUSTFLAGS: "-D warnings -D deprecated --cfg tokio_unstable -C debuginfo=0"

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
@ -14,24 +14,24 @@ concurrency:
 jobs:
  meta:
    timeout-minutes: 5
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - id: build
-        uses: tj-actions/changed-files@a29e8b565651ce417abb5db7164b4a2ad8b6155c
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
            .github/workflows/pr.yml
            justfile
            Dockerfile
      - id: actions
-        uses: tj-actions/changed-files@a29e8b565651ce417abb5db7164b4a2ad8b6155c
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
            .github/workflows/**
            .devcontainer/*
      - id: cargo
-        uses: tj-actions/changed-files@a29e8b565651ce417abb5db7164b4a2ad8b6155c
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files_ignore: "Cargo.toml"
          files: |
@ -40,7 +40,7 @@ jobs:
        if: steps.cargo.outputs.any_changed == 'true'
        run: ./.github/list-crates.sh ${{ steps.cargo.outputs.all_changed_files }}
      - id: rust
-        uses: tj-actions/changed-files@a29e8b565651ce417abb5db7164b4a2ad8b6155c
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
            **/*.rs
@ -57,7 +57,7 @@ jobs:
  info:
    timeout-minutes: 3
    needs: meta
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
      - name: Info
        run: |
@ -74,30 +74,27 @@ jobs:
  actions:
    needs: meta
    if: needs.meta.outputs.actions_changed == 'true'
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
-      - uses: linkerd/dev/actions/setup-tools@v43
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - run: just action-lint
      - run: just action-dev-check

  rust:
    needs: meta
    if: needs.meta.outputs.cargo_changed == 'true' || needs.meta.outputs.rust_changed == 'true'
-    runs-on: ubuntu-latest
-    container: ghcr.io/linkerd/dev:v43-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
    permissions:
      contents: read
    timeout-minutes: 20
    steps:
      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
-      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
      - run: just fetch
-      - name: Run cargo deny check bans licenses sources
-        uses: EmbarkStudios/cargo-deny-action@3f4a782664881cf5725d0ffd23969fcce89fd868
-        with:
-          command: check bans licenses sources
+      - run: cargo deny --all-features check bans licenses sources
      - run: just check-fmt
      - run: just clippy
      - run: just doc
@ -110,15 +107,15 @@ jobs:
    needs: meta
    if: needs.meta.outputs.cargo_changed == 'true'
    timeout-minutes: 20
-    runs-on: ubuntu-latest
-    container: ghcr.io/linkerd/dev:v43-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
    strategy:
      matrix:
        crate: ${{ fromJson(needs.meta.outputs.cargo_crates) }}
    steps:
      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
-      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
      - run: just fetch
      - run: just check-crate ${{ matrix.crate }}

@ -126,9 +123,11 @@ jobs:
    needs: meta
    if: needs.meta.outputs.cargo_changed == 'true' || needs.meta.outputs.rust_changed == 'true'
    timeout-minutes: 20
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    env:
+      WAIT_TIMEOUT: 2m
    steps:
-      - uses: linkerd/dev/actions/setup-tools@v43
+      - uses: linkerd/dev/actions/setup-tools@v47
      - name: scurl https://run.linkerd.io/install-edge | sh
        run: |
          scurl https://run.linkerd.io/install-edge | sh
@ -137,12 +136,12 @@ jobs:
          tag=$(linkerd version --client --short)
          echo "linkerd $tag"
          echo "LINKERD_TAG=$tag" >> "$GITHUB_ENV"
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - run: just docker
-      - run: just-k3d create
+      - run: just k3d-create
      - run: just k3d-load-linkerd
      - run: just linkerd-install
-      - run: just linkerd-check-contol-plane-proxy
+      - run: just linkerd-check-control-plane-proxy
        env:
          TMPDIR: ${{ runner.temp }}

@ -150,7 +149,7 @@ jobs:
    timeout-minutes: 3
    needs: [meta, actions, rust, rust-crates, linkerd-install]
    if: always()
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}

    permissions:
      contents: write
@ -169,7 +168,7 @@ jobs:
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1

-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        if: needs.meta.outputs.is_dependabot == 'true' && needs.meta.outputs.any_changed == 'true'
      - name: "Merge dependabot changes"
        if: needs.meta.outputs.is_dependabot == 'true' && needs.meta.outputs.any_changed == 'true'
--- a/.github/workflows/release-weekly.yml
+++ b/.github/workflows/release-weekly.yml
@ -13,7 +13,7 @@ concurrency:
 jobs:
  last-release:
    if: github.repository == 'linkerd/linkerd2-proxy' # Don't run this in forks.
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    timeout-minutes: 5
    env:
      GH_REPO: ${{ github.repository }}
@ -41,10 +41,10 @@ jobs:

  last-commit:
    needs: last-release
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    timeout-minutes: 5
    steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Check if the most recent commit is after the last release
        id: recency
        env:
@ -62,7 +62,7 @@ jobs:
  trigger-release:
    needs: [last-release, last-commit]
    if: needs.last-release.outputs.recent == 'false' && needs.last-commit.outputs.after-release == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    timeout-minutes: 5
    permissions:
      actions: write
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -46,9 +46,10 @@ on:
        default: true

 env:
+  CARGO: "cargo auditable"
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
-  RUSTFLAGS: "-D warnings -A deprecated"
+  RUSTFLAGS: "-D warnings -A deprecated --cfg tokio_unstable"
  RUSTUP_MAX_RETRIES: 10

 concurrency:
@ -58,9 +59,25 @@ concurrency:
 jobs:
  meta:
    timeout-minutes: 5
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
-      - id: meta
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        if: github.event_name == 'pull_request'
+      - id: workflow
+        if: github.event_name == 'pull_request'
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            .github/workflows/release.yml
+      - id: build
+        if: github.event_name == 'pull_request'
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            justfile
+            Cargo.toml
+
+      - id: version
        env:
          VERSION: ${{ inputs.version }}
        shell: bash
@ -68,44 +85,45 @@ jobs:
          set -euo pipefail
          shopt -s extglob
          if [[ "$GITHUB_EVENT_NAME" == pull_request ]]; then
-            echo version="0.0.0-test.${GITHUB_SHA:0:7}"
-            echo archs='["amd64"]'
+            echo version="0.0.0-test.${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"
            exit 0
-          fi >> "$GITHUB_OUTPUT"
+          fi
          if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z-]+)?(\+[0-9A-Za-z-]+)?$ ]]; then
            echo "Invalid version: $VERSION" >&2
            exit 1
          fi
-          ( echo version="${VERSION#v}"
-            echo archs='["amd64", "arm64", "arm"]'
+          echo version="${VERSION#v}" >> "$GITHUB_OUTPUT"
+
+      - id: platform
+        shell: bash
+        env:
+          WORKFLOW_CHANGED: ${{ steps.workflow.outputs.any_changed }}
+        run: |
+          if [[ "$GITHUB_EVENT_NAME" == pull_request && "$WORKFLOW_CHANGED" != 'true' ]]; then
+            ( echo archs='["amd64"]'
+              echo oses='["linux"]' ) >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          ( echo archs='["amd64", "arm64"]'
+            echo oses='["linux", "windows"]'
          ) >> "$GITHUB_OUTPUT"

-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
-        if: github.event_name == 'pull_request'
-      - id: changed
-        if: github.event_name == 'pull_request'
-        uses: tj-actions/changed-files@a29e8b565651ce417abb5db7164b4a2ad8b6155c
-        with:
-          files: |
-            .github/workflows/release.yml
-            justfile
-            Cargo.toml
-
    outputs:
-      archs: ${{ steps.meta.outputs.archs }}
-      version: ${{ steps.meta.outputs.version }}
-      package: ${{ github.event_name == 'workflow_dispatch' || steps.changed.outputs.any_changed == 'true' }}
+      archs: ${{ steps.platform.outputs.archs }}
+      oses: ${{ steps.platform.outputs.oses }}
+      version: ${{ steps.version.outputs.version }}
+      package: ${{ github.event_name == 'workflow_dispatch' || steps.build.outputs.any_changed == 'true' || steps.workflow.outputs.any_changed == 'true' }}
      profile: ${{ inputs.profile || 'release' }}
      publish: ${{ inputs.publish }}
      ref: ${{ inputs.ref || github.sha }}
-      tag: "${{ inputs.tag-prefix || 'release/' }}v${{ steps.meta.outputs.version }}"
+      tag: "${{ inputs.tag-prefix || 'release/' }}v${{ steps.version.outputs.version }}"
      prerelease: ${{ inputs.prerelease }}
      draft: ${{ inputs.draft }}
      latest: ${{ inputs.latest }}

  info:
    needs: meta
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    timeout-minutes: 3
    steps:
      - name: Inputs
@ -126,38 +144,50 @@ jobs:
    strategy:
      matrix:
        arch: ${{ fromJson(needs.meta.outputs.archs) }}
+        os: ${{ fromJson(needs.meta.outputs.oses) }}
        libc: [gnu] # musl
+        exclude:
+          - os: windows
+            arch: arm64

    # If we're not actually building on a release tag, don't short-circuit on
    # errors. This helps us know whether a failure is platform-specific.
    continue-on-error: ${{ needs.meta.outputs.publish != 'true' }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    timeout-minutes: 40
-    container: docker://ghcr.io/linkerd/dev:v43-rust-musl
+    container: docker://ghcr.io/linkerd/dev:v47-rust-musl
    env:
      LINKERD2_PROXY_VENDOR: ${{ github.repository_owner }}
      LINKERD2_PROXY_VERSION: ${{ needs.meta.outputs.version }}
    steps:
+      # TODO: add to dev image
+      - name: Install MiniGW
+        if: matrix.os == 'windows'
+        run: apt-get update && apt-get install -y mingw-w64
+      - name: Install cross compilation toolchain
+        if: matrix.arch == 'arm64'
+        run: apt-get update && apt-get install -y binutils-aarch64-linux-gnu
+
      - name: Configure git
        run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          ref: ${{ needs.meta.outputs.ref }}
-      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
        with:
-          key: ${{ matrix.arch }}
+          key: ${{ matrix.os }}-${{ matrix.arch }}
      - run: just fetch
-      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} rustup
-      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} profile=${{ needs.meta.outputs.profile }} build
-      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} profile=${{ needs.meta.outputs.profile }} package
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} rustup
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} profile=${{ needs.meta.outputs.profile }} build
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} profile=${{ needs.meta.outputs.profile }} package
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
-          name: ${{ matrix.arch }}-artifacts
+          name: ${{ matrix.arch }}-${{ matrix.os }}-artifacts
          path: target/package/*

  publish:
    needs: [meta, package]
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    timeout-minutes: 5
    permissions:
      actions: write
@ -174,13 +204,13 @@ jobs:
          git config --global user.name "$GITHUB_USERNAME"
          git config --global user.email "$GITHUB_USERNAME"@users.noreply.github.com
      # Tag the release.
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          token: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}
          ref: ${{ needs.meta.outputs.ref }}
      - run: git tag -a -m "$VERSION" "$TAG"
      # Fetch the artifacts.
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
        with:
          path: artifacts
      - run: du -h artifacts/**/*
@ -188,7 +218,7 @@ jobs:
      - if: needs.meta.outputs.publish == 'true'
        run: git push origin "$TAG"
      - if: needs.meta.outputs.publish == 'true'
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8
        with:
          name: ${{ env.VERSION }}
          tag_name: ${{ env.TAG }}
@ -212,7 +242,7 @@ jobs:
    needs: publish
    if: always()
    timeout-minutes: 3
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
      - name: Results
        run: |
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@ -13,8 +13,8 @@ on:
 jobs:
  sh-lint:
    timeout-minutes: 5
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
-      - uses: linkerd/dev/actions/setup-tools@v43
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - run: just sh-lint
--- a/.github/workflows/toolchain.yml
+++ b/.github/workflows/toolchain.yml
@ -13,10 +13,10 @@ permissions:

 jobs:
  devcontainer:
-    runs-on: ubuntu-latest
-    container: ghcr.io/linkerd/dev:v43-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
    steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
      - run: |
          VERSION_REGEX='channel = "([0-9]+\.[0-9]+\.[0-9]+)"'
@ -35,10 +35,10 @@ jobs:


  workflows:
-    runs-on: ubuntu-latest
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
    steps:
-      - uses: linkerd/dev/actions/setup-tools@v43
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - shell: bash
        run: |
          VERSION_REGEX='channel = "([0-9]+\.[0-9]+\.[0-9]+)"'
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,5 @@
+.cargo
+**/.cargo
 target
 **/target
 **/corpus
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -16,7 +16,6 @@ members = [
    "linkerd/app",
    "linkerd/conditional",
    "linkerd/distribute",
-    "linkerd/detect",
    "linkerd/dns/name",
    "linkerd/dns",
    "linkerd/duplex",
@ -27,19 +26,28 @@ members = [
    "linkerd/http/access-log",
    "linkerd/http/box",
    "linkerd/http/classify",
+    "linkerd/http/detect",
    "linkerd/http/h2",
+    "linkerd/http/insert",
    "linkerd/http/metrics",
+    "linkerd/http/override-authority",
+    "linkerd/http/prom",
+    "linkerd/http/retain",
    "linkerd/http/retry",
    "linkerd/http/route",
+    "linkerd/http/stream-timeouts",
+    "linkerd/http/upgrade",
+    "linkerd/http/variant",
    "linkerd/identity",
    "linkerd/idle-cache",
    "linkerd/io",
    "linkerd/meshtls",
-    "linkerd/meshtls/boring",
-    "linkerd/meshtls/rustls",
    "linkerd/meshtls/verifier",
    "linkerd/metrics",
+    "linkerd/mock/http-body",
+    "linkerd/opaq-route",
    "linkerd/opencensus",
+    "linkerd/opentelemetry",
    "linkerd/pool",
    "linkerd/pool/mock",
    "linkerd/pool/p2c",
@ -61,21 +69,24 @@ members = [
    "linkerd/reconnect",
    "linkerd/retry",
    "linkerd/router",
+    "linkerd/rustls",
    "linkerd/service-profiles",
    "linkerd/signal",
    "linkerd/stack",
    "linkerd/stack/metrics",
    "linkerd/stack/tracing",
-    "linkerd/system",
    "linkerd/tonic-stream",
    "linkerd/tonic-watch",
    "linkerd/tls",
+    "linkerd/tls/route",
    "linkerd/tls/test-util",
    "linkerd/tracing",
    "linkerd/transport-header",
    "linkerd/transport-metrics",
+    "linkerd/workers",
    "linkerd2-proxy",
    "opencensus-proto",
+    "opentelemetry-proto",
    "spiffe-proto",
    "tools",
 ]
@ -83,3 +94,44 @@ members = [
 [profile.release]
 debug = 1
 lto = true
+
+[workspace.package]
+version = "0.1.0"
+authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
+license = "Apache-2.0"
+edition = "2021"
+publish = false
+
+[workspace.dependencies]
+bytes = { version = "1" }
+drain = { version = "0.2", default-features = false }
+h2 = { version = "0.4" }
+http = { version = "1" }
+http-body = { version = "1" }
+hyper = { version = "1", default-features = false }
+prometheus-client = { version = "0.23" }
+prost = { version = "0.13" }
+prost-build = { version = "0.13", default-features = false }
+prost-types = { version = "0.13" }
+tokio-rustls = { version = "0.26", default-features = false, features = [
+    "logging",
+] }
+tonic = { version = "0.13", default-features = false }
+tonic-build = { version = "0.13", default-features = false }
+tower = { version = "0.5", default-features = false }
+tower-service = { version = "0.3" }
+tower-test = { version = "0.4" }
+tracing = { version = "0.1" }
+
+[workspace.dependencies.http-body-util]
+version = "0.1.3"
+default-features = false
+features = ["channel"]
+
+[workspace.dependencies.hyper-util]
+version = "0.1"
+default-features = false
+features = ["tokio", "tracing"]
+
+[workspace.dependencies.linkerd2-proxy-api]
+version = "0.17.0"
--- a/10
+++ b/10
@ -3,7 +3,7 @@
 # This is intended **DEVELOPMENT ONLY**, i.e. so that proxy developers can
 # easily test the proxy in the context of the larger `linkerd2` project.

-ARG RUST_IMAGE=ghcr.io/linkerd/dev:v43-rust
+ARG RUST_IMAGE=ghcr.io/linkerd/dev:v47-rust

 # Use an arbitrary ~recent edge release image to get the proxy
 # identity-initializing and linkerd-await wrappers.
@ -14,11 +14,16 @@ FROM $LINKERD2_IMAGE as linkerd2
 FROM --platform=$BUILDPLATFORM $RUST_IMAGE as fetch

 ARG PROXY_FEATURES=""
+ARG TARGETARCH="amd64"
 RUN apt-get update && \
    apt-get install -y time && \
    if [[ "$PROXY_FEATURES" =~ .*meshtls-boring.* ]] ; then \
      apt-get install -y golang ; \
    fi && \
+    case "$TARGETARCH" in \
+        amd64) true ;; \
+        arm64) apt-get install --no-install-recommends -y binutils-aarch64-linux-gnu ;; \
+    esac && \
    rm -rf /var/lib/apt/lists/*

 ENV CARGO_NET_RETRY=10
@ -32,8 +37,7 @@ RUN --mount=type=cache,id=cargo,target=/usr/local/cargo/registry \
 # Build the proxy.
 FROM fetch as build
 ENV CARGO_INCREMENTAL=0
-ENV RUSTFLAGS="-D warnings -A deprecated"
-ARG TARGETARCH="amd64"
+ENV RUSTFLAGS="-D warnings -A deprecated --cfg tokio_unstable"
 ARG PROFILE="release"
 ARG LINKERD2_PROXY_VERSION=""
 ARG LINKERD2_PROXY_VENDOR=""
--- a/README.md
+++ b/README.md
@ -86,8 +86,9 @@ minutes to review our [code of conduct][coc].
 We test our code by way of fuzzing and this is described in [FUZZING.md](/docs/FUZZING.md).

 A third party security audit focused on fuzzing Linkerd2-proxy was performed by
-Ada Logics in 2021. The full report is available
-[here](/docs/reports/linkerd2-proxy-fuzzing-report.pdf).
+Ada Logics in 2021. The
+[full report](/docs/reports/linkerd2-proxy-fuzzing-report.pdf) can be found in
+the `docs/reports/` directory.

 ## License

--- a/deny.toml
+++ b/deny.toml
@ -1,58 +1,36 @@
+[graph]
 targets = [
    { triple = "x86_64-unknown-linux-gnu" },
    { triple = "aarch64-unknown-linux-gnu" },
-    { triple = "armv7-unknown-linux-gnu" },
 ]

 [advisories]
 db-path = "~/.cargo/advisory-db"
 db-urls = ["https://github.com/rustsec/advisory-db"]
-vulnerability = "deny"
-unmaintained = "warn"
-yanked = "deny"
-notice = "warn"
 ignore = []

 [licenses]
-unlicensed = "deny"
 allow = [
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "MIT",
+    "Unicode-3.0",
+    "Zlib",
 ]
-deny = []
-copyleft = "deny"
-allow-osi-fsf-free = "neither"
-default = "deny"
 # Ignore local workspace license values for unpublished crates.
 private = { ignore = true }
 confidence-threshold = 0.8
 exceptions = [
    { allow = [
-        "Zlib",
-    ], name = "adler32", version = "*" },
+        "ISC",
+        "OpenSSL",
+    ], name = "aws-lc-sys", version = "*" },
    { allow = [
        "ISC",
-        "MIT",
        "OpenSSL",
-    ], name = "ring", version = "*" },
-    # The Unicode-DFS-2016 license is necessary for unicode-ident because they
-    # use data from the unicode tables to generate the tables which are
-    # included in the application. We do not distribute those data files so
-    # this is not a problem for us. See https://github.com/dtolnay/unicode-ident/pull/9/files
-    { allow = [
-        "Unicode-DFS-2016",
-    ], name = "unicode-ident", version = "*" },
-]
-
-[[licenses.clarify]]
-name = "ring"
-version = "*"
-expression = "MIT AND ISC AND OpenSSL"
-license-files = [
-    { path = "LICENSE", hash = 0xbd0eed23 },
+    ], name = "aws-lc-fips-sys", version = "*" },
 ]

 [bans]
@ -64,41 +42,35 @@ deny = [
    { name = "rustls", wrappers = ["tokio-rustls"] },
    # rustls-webpki should be used instead.
    { name = "webpki" },
+    # aws-lc-rs should be used instead.
+    { name = "ring" }
 ]
 skip = [
-    # The proc-macro ecosystem is in the middle of a migration from `syn` v1 to
-    # `syn` v2. Allow both versions to coexist peacefully for now.
-    #
-    # Since `syn` is used by proc-macros (executed at compile time), duplicate
-    # versions won't have an impact on the final binary size.
-    { name = "syn" },
-    # `tonic` v0.6 depends on `bitflags` v1.x, while `boring-sys` depends on
-    # `bitflags` v2.x. Allow both versions to coexist peacefully for now.
-    { name = "bitflags", version = "1" },
    # `linkerd-trace-context`, `rustls-pemfile` and `tonic` depend on `base64`
    # v0.13.1 while `rcgen` depends on v0.21.5
    { name = "base64" },
-    # https://github.com/hawkw/matchers/pull/4
-    { name = "regex-automata", version = "0.1" },
-    { name = "regex-syntax", version = "0.6" },
-    # `trust-dns-proto`, depends on `idna` v0.2.3 while `url` depends on v0.5.0
-    { name = "idna" },
-    # Some dependencies still use indexmap v1.
-    { name = "indexmap", version = "1" },
-    { name = "hashbrown", version = "0.12" },
+    # tonic/axum depend on a newer `tower`, which we are still catching up to.
+    # see #3744.
+    { name = "tower", version = "0.5" },
 ]
 skip-tree = [
-    # right now we have a mix of versions of this crate in the ecosystem
-    # procfs uses 0.36.14, tempfile uses 0.37.4
-    { name = "rustix" },
-    # Hyper v0.14 depends on an older socket2 version.
-    { name = "socket2" },
+    # thiserror v2 is still propagating through the ecosystem
+    { name = "thiserror", version = "1" },
+    # rand v0.9 is still propagating through the ecosystem
+    { name = "rand", version = "0.8" },
+    # rust v1.0 is still propagating through the ecosystem
+    { name = "rustix", version = "0.38" },
+    # `pprof` uses a number of old dependencies. for now, we skip its subtree.
+    { name = "pprof" },
+    # aws-lc-rs uses a slightly outdated version of bindgen
+    { name = "bindgen", version = "0.69.5" },
+    # socket v0.6 is still propagating through the ecosystem
+    { name = "socket2", version = "0.5" },
 ]

 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
-allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-
-[sources.allow-org]
-github = ["linkerd"]
+allow-registry = [
+    "https://github.com/rust-lang/crates.io-index",
+]
--- a/docs/FUZZING.md
+++ b/docs/FUZZING.md
@ -12,9 +12,12 @@ engine.
 We place the fuzz tests into folders within the individual crates that the fuzz
 tests target. For example, we have a fuzz test that that target the crate
 `/linkerd/addr` and the code in `/linkerd/addr/src` and thus the fuzz test that
-targets this crate is put in `/linkerd/addr/fuzz`. The folder set up we use for
-each of the fuzz tests is automatically generated by `cargo fuzz init`
-(described [here](https://github.com/rust-fuzz/cargo-fuzz#cargo-fuzz-init)).
+targets this crate is put in `/linkerd/addr/fuzz`.
+
+The folder structure for each of the fuzz tests is automatically generated by
+`cargo fuzz init`. See cargo fuzz's
+[`README.md`](https://github.com/rust-fuzz/cargo-fuzz#cargo-fuzz-init) for more
+information.

 ### Fuzz targets

@ -96,6 +99,5 @@ unit-test-like fuzzers, but are essentially just more substantial in nature. The
 idea behind these fuzzers is to test end-to-end concepts more so than individual
 components of the proxy.

-The inbound fuzzer
-[here](/linkerd/app/inbound/fuzz/fuzz_targets/fuzz_target_1.rs) is an example of
-this.
+The [inbound fuzzer](/linkerd/app/inbound/fuzz/fuzz_targets/fuzz_target_1.rs)
+is an example of this.
--- a/hyper-balance/Cargo.toml
+++ b/hyper-balance/Cargo.toml
@ -1,17 +1,18 @@
 [package]
 name = "hyper-balance"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }

 [dependencies]
 futures = { version = "0.3", default-features = false }
-http = "0.2"
-hyper = "0.14"
+http = { workspace = true }
+http-body = { workspace = true }
+hyper = { workspace = true }
 pin-project = "1"
-tower = { version = "0.4", default-features = false, features = ["load"] }
+tower = { workspace = true, default-features = false, features = ["load"] }
 tokio = { version = "1", features = ["macros"] }

 [dev-dependencies]
--- a/hyper-balance/src/lib.rs
+++ b/hyper-balance/src/lib.rs
@ -1,7 +1,7 @@
 #![deny(rust_2018_idioms, clippy::disallowed_methods, clippy::disallowed_types)]
 #![forbid(unsafe_code)]

-use hyper::body::HttpBody;
+use http_body::Body;
 use pin_project::pin_project;
 use std::pin::Pin;
 use std::task::{Context, Poll};
@ -38,7 +38,7 @@ pub struct PendingUntilEosBody<T, B> {

 impl<T, B> TrackCompletion<T, http::Response<B>> for PendingUntilFirstData
 where
-    B: HttpBody,
+    B: Body,
 {
    type Output = http::Response<PendingUntilFirstDataBody<T, B>>;

@ -59,7 +59,7 @@ where

 impl<T, B> TrackCompletion<T, http::Response<B>> for PendingUntilEos
 where
-    B: HttpBody,
+    B: Body,
 {
    type Output = http::Response<PendingUntilEosBody<T, B>>;

@ -80,7 +80,7 @@ where

 impl<T, B> Default for PendingUntilFirstDataBody<T, B>
 where
-    B: HttpBody + Default,
+    B: Body + Default,
 {
    fn default() -> Self {
        Self {
@ -90,9 +90,9 @@ where
    }
 }

-impl<T, B> HttpBody for PendingUntilFirstDataBody<T, B>
+impl<T, B> Body for PendingUntilFirstDataBody<T, B>
 where
-    B: HttpBody,
+    B: Body,
    T: Send + 'static,
 {
    type Data = B::Data;
@ -102,32 +102,20 @@ where
        self.body.is_end_stream()
    }

-    fn poll_data(
+    fn poll_frame(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
+    ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
        let this = self.project();
-        let ret = futures::ready!(this.body.poll_data(cx));
+        let ret = futures::ready!(this.body.poll_frame(cx));

-        // Once a data frame is received, the handle is dropped. On subsequent calls, this
+        // Once a frame is received, the handle is dropped. On subsequent calls, this
        // is a noop.
        drop(this.handle.take());

        Poll::Ready(ret)
    }

-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        let this = self.project();
-        // If this is being called, the handle definitely should have been dropped
-        // already.
-        drop(this.handle.take());
-
-        this.body.poll_trailers(cx)
-    }
-
    #[inline]
    fn size_hint(&self) -> hyper::body::SizeHint {
        self.body.size_hint()
@ -138,7 +126,7 @@ where

 impl<T, B> Default for PendingUntilEosBody<T, B>
 where
-    B: HttpBody + Default,
+    B: Body + Default,
 {
    fn default() -> Self {
        Self {
@ -148,7 +136,7 @@ where
    }
 }

-impl<T: Send + 'static, B: HttpBody> HttpBody for PendingUntilEosBody<T, B> {
+impl<T: Send + 'static, B: Body> Body for PendingUntilEosBody<T, B> {
    type Data = B::Data;
    type Error = B::Error;

@ -157,35 +145,21 @@ impl<T: Send + 'static, B: HttpBody> HttpBody for PendingUntilEosBody<T, B> {
        self.body.is_end_stream()
    }

-    fn poll_data(
+    fn poll_frame(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
+    ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
        let mut this = self.project();
        let body = &mut this.body;
        tokio::pin!(body);
-        let ret = futures::ready!(body.poll_data(cx));
+        let frame = futures::ready!(body.poll_frame(cx));

        // If this was the last frame, then drop the handle immediately.
        if this.body.is_end_stream() {
            drop(this.handle.take());
        }

-        Poll::Ready(ret)
-    }
-
-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        let this = self.project();
-        let ret = futures::ready!(this.body.poll_trailers(cx));
-
-        // Once trailers are received, the handle is dropped immediately (in case the body
-        // is retained longer for some reason).
-        drop(this.handle.take());
-
-        Poll::Ready(ret)
+        Poll::Ready(frame)
    }

    #[inline]
@ -198,7 +172,7 @@ impl<T: Send + 'static, B: HttpBody> HttpBody for PendingUntilEosBody<T, B> {
 mod tests {
    use super::{PendingUntilEos, PendingUntilFirstData};
    use futures::future::poll_fn;
-    use hyper::body::HttpBody;
+    use http_body::{Body, Frame};
    use std::collections::VecDeque;
    use std::io::Cursor;
    use std::pin::Pin;
@ -225,11 +199,13 @@ mod tests {
        assert_ready!(task::spawn(poll_fn(|cx| {
            let body = &mut body;
            tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
        }))
        .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok")
+        .into_data()
+        .expect("frame is data");
        assert!(wk.upgrade().is_none());
    }

@ -282,10 +258,10 @@ mod tests {
        let res = assert_ready!(task::spawn(poll_fn(|cx| {
            let body = &mut body;
            tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
        }))
        .poll());
-        assert!(res.expect("data is some").is_err());
+        assert!(res.expect("frame is some").is_err());
        assert!(wk.upgrade().is_none());
    }

@ -308,21 +284,21 @@ mod tests {
        assert_ready!(task::spawn(poll_fn(|cx| {
            let body = &mut body;
            tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
        }))
        .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
        assert!(wk.upgrade().is_some());

        assert_ready!(task::spawn(poll_fn(|cx| {
            let body = &mut body;
            tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
        }))
        .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
        assert!(wk.upgrade().is_none());
    }

@ -355,40 +331,42 @@ mod tests {
        assert_ready!(task::spawn(poll_fn(|cx| {
            let body = &mut body;
            tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
        }))
        .poll())
-        .expect("data")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
        assert!(wk.upgrade().is_some());

        assert_ready!(task::spawn(poll_fn(|cx| {
            let body = &mut body;
            tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
        }))
        .poll())
-        .expect("data")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
        assert!(wk.upgrade().is_some());

+        assert_ready!(task::spawn(poll_fn(|cx| {
+            let body = &mut body;
+            tokio::pin!(body);
+            body.poll_frame(cx)
+        }))
+        .poll())
+        .expect("frame is some")
+        .expect("frame is ok")
+        .into_trailers()
+        .expect("is trailers");
+        assert!(wk.upgrade().is_none());
+
        let poll = assert_ready!(task::spawn(poll_fn(|cx| {
            let body = &mut body;
            tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
        }))
        .poll());
        assert!(poll.is_none());
-        assert!(wk.upgrade().is_some());
-
-        assert_ready!(task::spawn(poll_fn(|cx| {
-            let body = &mut body;
-            tokio::pin!(body);
-            body.poll_trailers(cx)
-        }))
-        .poll())
-        .expect("trailers ok")
-        .expect("trailers");
        assert!(wk.upgrade().is_none());
    }

@ -411,7 +389,7 @@ mod tests {
        let poll = assert_ready!(task::spawn(poll_fn(|cx| {
            let body = &mut body;
            tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
        }))
        .poll());
        assert!(poll.expect("some").is_err());
@ -429,7 +407,7 @@ mod tests {

    #[derive(Default)]
    struct TestBody(VecDeque<&'static str>, Option<http::HeaderMap>);
-    impl HttpBody for TestBody {
+    impl Body for TestBody {
        type Data = Cursor<&'static str>;
        type Error = &'static str;

@ -437,26 +415,27 @@ mod tests {
            self.0.is_empty() & self.1.is_none()
        }

-        fn poll_data(
+        fn poll_frame(
            mut self: Pin<&mut Self>,
            _: &mut Context<'_>,
-        ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
-            Poll::Ready(self.as_mut().0.pop_front().map(Cursor::new).map(Ok))
-        }
-
-        fn poll_trailers(
-            mut self: Pin<&mut Self>,
-            _: &mut Context<'_>,
-        ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
+        ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
            let mut this = self.as_mut();
-            assert!(this.0.is_empty());
-            Poll::Ready(Ok(this.1.take()))
+
+            // Return the next data frame from the sequence of chunks.
+            if let Some(chunk) = this.0.pop_front() {
+                let frame = Some(Ok(Frame::data(Cursor::new(chunk))));
+                return Poll::Ready(frame);
+            }
+
+            // Yield the trailers once all data frames have been yielded.
+            let trailers = this.1.take().map(Frame::<Self::Data>::trailers).map(Ok);
+            Poll::Ready(trailers)
        }
    }

    #[derive(Default)]
    struct ErrBody(Option<&'static str>);
-    impl HttpBody for ErrBody {
+    impl Body for ErrBody {
        type Data = Cursor<&'static str>;
        type Error = &'static str;

@ -464,18 +443,13 @@ mod tests {
            self.0.is_none()
        }

-        fn poll_data(
+        fn poll_frame(
            mut self: Pin<&mut Self>,
            _: &mut Context<'_>,
-        ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
-            Poll::Ready(Some(Err(self.as_mut().0.take().expect("err"))))
-        }
+        ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
+            let err = self.as_mut().0.take().expect("err");

-        fn poll_trailers(
-            mut self: Pin<&mut Self>,
-            _: &mut Context<'_>,
-        ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-            Poll::Ready(Err(self.as_mut().0.take().expect("err")))
+            Poll::Ready(Some(Err(err)))
        }
    }
 }
--- a/55
+++ b/55
@ -15,9 +15,13 @@ toolchain := ""

 features := ""

-export LINKERD2_PROXY_VERSION := env_var_or_default("LINKERD2_PROXY_VERSION", "0.0.0-dev." + `git rev-parse --short HEAD`)
+export LINKERD2_PROXY_VERSION := env_var_or_default("LINKERD2_PROXY_VERSION", "0.0.0-dev" + `git rev-parse --short HEAD`)
 export LINKERD2_PROXY_VENDOR := env_var_or_default("LINKERD2_PROXY_VENDOR", `whoami` + "@" + `hostname`)

+# TODO: these variables will be included in dev v48
+export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu := env_var_or_default("AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu", "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld")
+export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl := env_var_or_default("AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl", "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld")
+
 # The version name to use for packages.
 package_version := "v" + LINKERD2_PROXY_VERSION

@ -26,28 +30,30 @@ docker-repo := "localhost/linkerd/proxy"
 docker-tag := `git rev-parse --abbrev-ref HEAD | sed 's|/|.|g'` + "." + `git rev-parse --short HEAD`
 docker-image := docker-repo + ":" + docker-tag

-# The architecture name to use for packages. Either 'amd64', 'arm64', or 'arm'.
+# The architecture name to use for packages. Either 'amd64' or 'arm64'.
 arch := "amd64"
+# The OS name to use for packages. Either 'linux' or 'windows'.
+os := "linux"

 libc := 'gnu'

 # If a `arch` is specified, then we change the default cargo `--target`
 # to support cross-compilation. Otherwise, we use `rustup` to find the default.
-_target := if arch == 'amd64' {
+_target := if os + '-' + arch == "linux-amd64" {
        "x86_64-unknown-linux-" + libc
-    } else if arch == "arm64" {
+    } else if os + '-' + arch == "linux-arm64" {
        "aarch64-unknown-linux-" + libc
-    } else if arch == "arm" {
-        "armv7-unknown-linux-" + libc + "eabihf"
+    } else if os + '-' + arch == "windows-amd64" {
+        "x86_64-pc-windows-" + libc
    } else {
-        error("unsupported arch=" + arch)
+        error("unsupported: os=" + os + " arch=" + arch + " libc=" + libc)
    }

 _cargo := 'just-cargo profile=' + profile + ' target=' + _target + ' toolchain=' + toolchain

 _target_dir := "target" / _target / profile
-_target_bin := _target_dir / "linkerd2-proxy"
-_package_name := "linkerd2-proxy-" + package_version + "-" + arch + if libc == 'musl' { '-static' } else { '' }
+_target_bin := _target_dir / "linkerd2-proxy" + if os == 'windows' { '.exe' } else { '' }
+_package_name := "linkerd2-proxy-" + package_version + "-" + os + "-" + arch + if libc == 'musl' { '-static' } else { '' }
 _package_dir := "target/package" / _package_name
 shasum := "shasum -a 256"

@ -57,7 +63,9 @@ _features := if features == "all" {
        "--no-default-features --features=" + features
    } else { "" }

-export CXX := 'clang++-14'
+wait-timeout := env_var_or_default("WAIT_TIMEOUT", "1m")
+
+export CXX := 'clang++-19'

 #
 # Recipes
@ -133,7 +141,7 @@ _strip:

 _package_bin := _package_dir / "bin" / "linkerd2-proxy"

-# XXX {aarch64,arm}-musl builds do not enable PIE, so we use target-specific
+# XXX aarch64-musl builds do not enable PIE, so we use target-specific
 # files to document those differences.
 _expected_checksec := '.checksec' / arch + '-' + libc + '.json'

@ -237,7 +245,7 @@ linkerd-tag := env_var_or_default('LINKERD_TAG', '')
 _controller-image := 'ghcr.io/linkerd/controller'
 _policy-image := 'ghcr.io/linkerd/policy-controller'
 _init-image := 'ghcr.io/linkerd/proxy-init'
-_init-tag := 'v2.2.0'
+_init-tag := 'v2.4.0'

 _kubectl := 'just-k3d kubectl'
 _linkerd := 'linkerd --context=k3d-$(just-k3d --evaluate K3D_CLUSTER_NAME)'
@ -252,6 +260,12 @@ _tag-set:
 _k3d-ready:
    @just-k3d ready

+export K3D_CLUSTER_NAME := "l5d-proxy"
+export K3D_CREATE_FLAGS := "--no-lb"
+export K3S_DISABLE := "local-storage,traefik,servicelb,metrics-server@server:*"
+k3d-create: && _k3d-ready
+    @just-k3d create
+
 k3d-load-linkerd: _tag-set _k3d-ready
    for i in \
        '{{ _controller-image }}:{{ linkerd-tag }}' \
@ -268,11 +282,12 @@ k3d-load-linkerd: _tag-set _k3d-ready

 # Install crds on the test cluster.
 _linkerd-crds-install: _k3d-ready
+    {{ _kubectl }} apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
    {{ _linkerd }} install --crds \
        | {{ _kubectl }} apply -f -
    {{ _kubectl }} wait crd --for condition=established \
        --selector='linkerd.io/control-plane-ns' \
-        --timeout=1m
+        --timeout={{ wait-timeout }}

 # Install linkerd on the test cluster using test images.
 linkerd-install *args='': _tag-set k3d-load-linkerd _linkerd-crds-install && _linkerd-ready
@ -294,7 +309,7 @@ linkerd-uninstall:
    {{ _linkerd }} uninstall \
        | {{ _kubectl }} delete -f -

-linkerd-check-contol-plane-proxy:
+linkerd-check-control-plane-proxy:
    #!/usr/bin/env bash
    set -euo pipefail
    check=$(mktemp --tmpdir check-XXXX.json)
@ -313,4 +328,14 @@ linkerd-check-contol-plane-proxy:
 _linkerd-ready:
    {{ _kubectl }} wait pod --for=condition=ready \
        --namespace=linkerd --selector='linkerd.io/control-plane-component' \
-        --timeout=1m
+        --timeout={{ wait-timeout }}
+
+#
+# Dev Container
+#
+
+devcontainer-up:
+    devcontainer.js up --workspace-folder=.
+
+devcontainer-exec container-id *args:
+    devcontainer.js exec --container-id={{ container-id }} {{ args }}
--- a/linkerd/addr/Cargo.toml
+++ b/linkerd/addr/Cargo.toml
@ -1,13 +1,16 @@
 [package]
 name = "linkerd-addr"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }

 [dependencies]
-http = "0.2"
-ipnet = "2.7"
+http = { workspace = true }
+ipnet = "2.11"
 linkerd-dns-name = { path = "../dns/name" }
-thiserror = "1"
+thiserror = "2"
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }
--- a/linkerd/addr/fuzz/Cargo.toml
+++ b/linkerd/addr/fuzz/Cargo.toml
@ -1,9 +1,10 @@
 [package]
 name = "linkerd-addr-fuzz"
-version = "0.0.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-publish = false
-edition = "2021"
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }

 [package.metadata]
 cargo-fuzz = true
@ -12,7 +13,7 @@ cargo-fuzz = true
 libfuzzer-sys = "0.4"
 linkerd-addr = { path = ".." }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
-tracing = "0.1"
+tracing = { workspace = true }

 # Prevent this from interfering with workspaces
 [workspace]
--- a/linkerd/addr/src/lib.rs
+++ b/linkerd/addr/src/lib.rs
@ -100,15 +100,11 @@ impl Addr {
                    // them ourselves.
                    format!("[{}]", a.ip())
                };
-                http::uri::Authority::from_str(&ip).unwrap_or_else(|err| {
-                    panic!("SocketAddr ({}) must be valid authority: {}", a, err)
-                })
-            }
-            Addr::Socket(a) => {
-                http::uri::Authority::from_str(&a.to_string()).unwrap_or_else(|err| {
-                    panic!("SocketAddr ({}) must be valid authority: {}", a, err)
-                })
+                http::uri::Authority::from_str(&ip)
+                    .unwrap_or_else(|err| panic!("SocketAddr ({a}) must be valid authority: {err}"))
            }
+            Addr::Socket(a) => http::uri::Authority::from_str(&a.to_string())
+                .unwrap_or_else(|err| panic!("SocketAddr ({a}) must be valid authority: {err}")),
        }
    }

@ -265,14 +261,14 @@ mod tests {
        ];
        for (host, expected_result) in cases {
            let a = Addr::from_str(host).unwrap();
-            assert_eq!(a.is_loopback(), *expected_result, "{:?}", host)
+            assert_eq!(a.is_loopback(), *expected_result, "{host:?}")
        }
    }

    fn test_to_http_authority(cases: &[&str]) {
        let width = cases.iter().map(|s| s.len()).max().unwrap_or(0);
        for host in cases {
-            print!("trying {:1$} ... ", host, width);
+            print!("trying {host:width$} ... ");
            Addr::from_str(host).unwrap().to_http_authority();
            println!("ok");
        }
--- a/linkerd/app/Cargo.toml
+++ b/linkerd/app/Cargo.toml
@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Configures and executes the proxy

@ -18,6 +18,7 @@ pprof = ["linkerd-app-admin/pprof"]

 [dependencies]
 futures = { version = "0.3", default-features = false }
+hyper-util = { workspace = true }
 linkerd-app-admin = { path = "./admin" }
 linkerd-app-core = { path = "./core" }
 linkerd-app-gateway = { path = "./gateway" }
@ -25,12 +26,14 @@ linkerd-app-inbound = { path = "./inbound" }
 linkerd-app-outbound = { path = "./outbound" }
 linkerd-error = { path = "../error" }
 linkerd-opencensus = { path = "../opencensus" }
+linkerd-opentelemetry = { path = "../opentelemetry" }
 linkerd-tonic-stream = { path = "../tonic-stream" }
+linkerd-workers = { path = "../workers" }
 rangemap = "1"
 regex = "1"
-thiserror = "1"
+thiserror = "2"
 tokio = { version = "1", features = ["rt"] }
 tokio-stream = { version = "0.1", features = ["time", "sync"] }
-tonic = { version = "0.10", default-features = false, features = ["prost"] }
-tower = "0.4"
-tracing = "0.1"
+tonic = { workspace = true, default-features = false, features = ["prost"] }
+tower = { workspace = true }
+tracing = { workspace = true }
--- a/linkerd/app/admin/Cargo.toml
+++ b/linkerd/app/admin/Cargo.toml
@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-admin"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 The linkerd proxy's admin server.
 """
@ -15,23 +15,26 @@ pprof = ["deflate", "dep:pprof"]
 log-streaming = ["linkerd-tracing/stream"]

 [dependencies]
+bytes = { workspace = true }
 deflate = { version = "1", optional = true, features = ["gzip"] }
-http = "0.2"
-hyper = { version = "0.14", features = ["http1", "http2"] }
+http = { workspace = true }
+http-body = { workspace = true }
+http-body-util = { workspace = true }
+hyper = { workspace = true, features = ["http1", "http2"] }
 futures = { version = "0.3", default-features = false }
-pprof = { version = "0.13", optional = true, features = ["prost-codec"] }
+pprof = { version = "0.15", optional = true, features = ["prost-codec"] }
 serde = "1"
 serde_json = "1"
-thiserror = "1"
+thiserror = "2"
 tokio = { version = "1", features = ["macros", "sync", "parking_lot"] }
-tracing = "0.1"
+tracing = { workspace = true }

 linkerd-app-core = { path = "../core" }
 linkerd-app-inbound = { path = "../inbound" }
 linkerd-tracing = { path = "../../tracing" }

 [dependencies.tower]
-version = "0.4"
+workspace = true
 default-features = false
 features = [
    "buffer",
--- a/linkerd/app/admin/src/server.rs
+++ b/linkerd/app/admin/src/server.rs
@ -12,13 +12,9 @@

 use futures::future::{self, TryFutureExt};
 use http::StatusCode;
-use hyper::{
-    body::{Body, HttpBody},
-    Request, Response,
-};
 use linkerd_app_core::{
-    metrics::{self as metrics, FmtMetrics},
-    proxy::http::ClientHandle,
+    metrics::{self as metrics, legacy::FmtMetrics},
+    proxy::http::{Body, BoxBody, ClientHandle, Request, Response},
    trace, Error, Result,
 };
 use std::{
@ -36,27 +32,30 @@ pub use self::readiness::{Latch, Readiness};

 #[derive(Clone)]
 pub struct Admin<M> {
-    metrics: metrics::Serve<M>,
+    metrics: metrics::legacy::Serve<M>,
    tracing: trace::Handle,
    ready: Readiness,
    shutdown_tx: mpsc::UnboundedSender<()>,
+    enable_shutdown: bool,
    #[cfg(feature = "pprof")]
    pprof: Option<crate::pprof::Pprof>,
 }

-pub type ResponseFuture = Pin<Box<dyn Future<Output = Result<Response<Body>>> + Send + 'static>>;
+pub type ResponseFuture = Pin<Box<dyn Future<Output = Result<Response<BoxBody>>> + Send + 'static>>;

 impl<M> Admin<M> {
    pub fn new(
        metrics: M,
        ready: Readiness,
        shutdown_tx: mpsc::UnboundedSender<()>,
+        enable_shutdown: bool,
        tracing: trace::Handle,
    ) -> Self {
        Self {
-            metrics: metrics::Serve::new(metrics),
+            metrics: metrics::legacy::Serve::new(metrics),
            ready,
            shutdown_tx,
+            enable_shutdown,
            tracing,

            #[cfg(feature = "pprof")]
@ -70,30 +69,30 @@ impl<M> Admin<M> {
        self
    }

-    fn ready_rsp(&self) -> Response<Body> {
+    fn ready_rsp(&self) -> Response<BoxBody> {
        if self.ready.is_ready() {
            Response::builder()
                .status(StatusCode::OK)
                .header(http::header::CONTENT_TYPE, "text/plain")
-                .body("ready\n".into())
+                .body(BoxBody::from_static("ready\n"))
                .expect("builder with known status code must not fail")
        } else {
            Response::builder()
                .status(StatusCode::SERVICE_UNAVAILABLE)
-                .body("not ready\n".into())
+                .body(BoxBody::from_static("not ready\n"))
                .expect("builder with known status code must not fail")
        }
    }

-    fn live_rsp() -> Response<Body> {
+    fn live_rsp() -> Response<BoxBody> {
        Response::builder()
            .status(StatusCode::OK)
            .header(http::header::CONTENT_TYPE, "text/plain")
-            .body("live\n".into())
+            .body(BoxBody::from_static("live\n"))
            .expect("builder with known status code must not fail")
    }

-    fn env_rsp<B>(req: Request<B>) -> Response<Body> {
+    fn env_rsp<B>(req: Request<B>) -> Response<BoxBody> {
        use std::{collections::HashMap, env, ffi::OsString};

        if req.method() != http::Method::GET {
@ -139,56 +138,74 @@ impl<M> Admin<M> {
        json::json_rsp(&env)
    }

-    fn shutdown(&self) -> Response<Body> {
+    fn shutdown(&self) -> Response<BoxBody> {
+        if !self.enable_shutdown {
+            return Response::builder()
+                .status(StatusCode::NOT_FOUND)
+                .header(http::header::CONTENT_TYPE, "text/plain")
+                .body(BoxBody::from_static("shutdown endpoint is not enabled\n"))
+                .expect("builder with known status code must not fail");
+        }
        if self.shutdown_tx.send(()).is_ok() {
            Response::builder()
                .status(StatusCode::OK)
                .header(http::header::CONTENT_TYPE, "text/plain")
-                .body("shutdown\n".into())
+                .body(BoxBody::from_static("shutdown\n"))
                .expect("builder with known status code must not fail")
        } else {
            Response::builder()
                .status(StatusCode::INTERNAL_SERVER_ERROR)
                .header(http::header::CONTENT_TYPE, "text/plain")
-                .body("shutdown listener dropped\n".into())
+                .body(BoxBody::from_static("shutdown listener dropped\n"))
                .expect("builder with known status code must not fail")
        }
    }

-    fn internal_error_rsp(error: impl ToString) -> http::Response<Body> {
+    fn internal_error_rsp(error: impl ToString) -> http::Response<BoxBody> {
        http::Response::builder()
            .status(http::StatusCode::INTERNAL_SERVER_ERROR)
            .header(http::header::CONTENT_TYPE, "text/plain")
-            .body(error.to_string().into())
+            .body(BoxBody::new(error.to_string()))
            .expect("builder with known status code should not fail")
    }

-    fn not_found() -> Response<Body> {
+    fn not_found() -> Response<BoxBody> {
        Response::builder()
            .status(http::StatusCode::NOT_FOUND)
-            .body(Body::empty())
+            .body(BoxBody::empty())
            .expect("builder with known status code must not fail")
    }

-    fn method_not_allowed() -> Response<Body> {
+    fn method_not_allowed() -> Response<BoxBody> {
        Response::builder()
            .status(http::StatusCode::METHOD_NOT_ALLOWED)
-            .body(Body::empty())
+            .body(BoxBody::empty())
            .expect("builder with known status code must not fail")
    }

-    fn forbidden_not_localhost() -> Response<Body> {
+    fn forbidden_not_localhost() -> Response<BoxBody> {
        Response::builder()
            .status(http::StatusCode::FORBIDDEN)
            .header(http::header::CONTENT_TYPE, "text/plain")
-            .body("Requests are only permitted from localhost.".into())
+            .body(BoxBody::new::<String>(
+                "Requests are only permitted from localhost.".into(),
+            ))
            .expect("builder with known status code must not fail")
    }

    fn client_is_localhost<B>(req: &Request<B>) -> bool {
        req.extensions()
            .get::<ClientHandle>()
-            .map(|a| a.addr.ip().is_loopback())
+            .map(|a| match a.addr.ip() {
+                std::net::IpAddr::V4(v4) => v4.is_loopback(),
+                std::net::IpAddr::V6(v6) => {
+                    if let Some(v4) = v6.to_ipv4_mapped() {
+                        v4.is_loopback()
+                    } else {
+                        v6.is_loopback()
+                    }
+                }
+            })
            .unwrap_or(false)
    }
 }
@ -196,11 +213,11 @@ impl<M> Admin<M> {
 impl<M, B> tower::Service<http::Request<B>> for Admin<M>
 where
    M: FmtMetrics,
-    B: HttpBody + Send + 'static,
+    B: Body + Send + 'static,
    B::Error: Into<Error>,
    B::Data: Send,
 {
-    type Response = http::Response<Body>;
+    type Response = http::Response<BoxBody>;
    type Error = Error;
    type Future = ResponseFuture;

@ -306,13 +323,13 @@ mod tests {

        let (_, t) = trace::Settings::default().build();
        let (s, _) = mpsc::unbounded_channel();
-        let admin = Admin::new((), r, s, t);
+        let admin = Admin::new((), r, s, true, t);
        macro_rules! call {
            () => {{
                let r = Request::builder()
                    .method(Method::GET)
                    .uri("http://0.0.0.0/ready")
-                    .body(Body::empty())
+                    .body(BoxBody::empty())
                    .unwrap();
                let f = admin.clone().oneshot(r);
                timeout(TIMEOUT, f).await.expect("timeout").expect("call")
--- a/linkerd/app/admin/src/server/json.rs
+++ b/linkerd/app/admin/src/server/json.rs
@ -1,14 +1,17 @@
 static JSON_MIME: &str = "application/json";
 pub(in crate::server) static JSON_HEADER_VAL: HeaderValue = HeaderValue::from_static(JSON_MIME);

+use bytes::Bytes;
 use hyper::{
    header::{self, HeaderValue},
-    Body, StatusCode,
+    StatusCode,
 };
+use linkerd_app_core::proxy::http::BoxBody;
+
 pub(crate) fn json_error_rsp(
    error: impl ToString,
    status: http::StatusCode,
-) -> http::Response<Body> {
+) -> http::Response<BoxBody> {
    mk_rsp(
        status,
        &serde_json::json!({
@ -18,11 +21,12 @@ pub(crate) fn json_error_rsp(
    )
 }

-pub(crate) fn json_rsp(val: &impl serde::Serialize) -> http::Response<Body> {
+pub(crate) fn json_rsp(val: &impl serde::Serialize) -> http::Response<BoxBody> {
    mk_rsp(StatusCode::OK, val)
 }

-pub(crate) fn accepts_json<B>(req: &http::Request<B>) -> Result<(), http::Response<Body>> {
+#[allow(clippy::result_large_err)]
+pub(crate) fn accepts_json<B>(req: &http::Request<B>) -> Result<(), http::Response<BoxBody>> {
    if let Some(accept) = req.headers().get(header::ACCEPT) {
        let accept = match std::str::from_utf8(accept.as_bytes()) {
            Ok(accept) => accept,
@ -41,7 +45,7 @@ pub(crate) fn accepts_json<B>(req: &http::Request<B>) -> Result<(), http::Respon
            tracing::warn!(?accept, "Accept header will not accept 'application/json'");
            return Err(http::Response::builder()
                .status(StatusCode::NOT_ACCEPTABLE)
-                .body(JSON_MIME.into())
+                .body(BoxBody::from_static(JSON_MIME))
                .expect("builder with known status code must not fail"));
        }
    }
@ -49,18 +53,26 @@ pub(crate) fn accepts_json<B>(req: &http::Request<B>) -> Result<(), http::Respon
    Ok(())
 }

-fn mk_rsp(status: StatusCode, val: &impl serde::Serialize) -> http::Response<Body> {
-    match serde_json::to_vec(val) {
-        Ok(json) => http::Response::builder()
+fn mk_rsp(status: StatusCode, val: &impl serde::Serialize) -> http::Response<BoxBody> {
+    // Serialize the value into JSON, and then place the bytes in a boxed response body.
+    let json = serde_json::to_vec(val)
+        .map(Bytes::from)
+        .map(http_body_util::Full::new)
+        .map(BoxBody::new);
+
+    match json {
+        Ok(body) => http::Response::builder()
            .status(status)
            .header(header::CONTENT_TYPE, JSON_HEADER_VAL.clone())
-            .body(json.into())
+            .body(body)
            .expect("builder with known status code must not fail"),
        Err(error) => {
            tracing::warn!(?error, "failed to serialize JSON value");
            http::Response::builder()
                .status(StatusCode::INTERNAL_SERVER_ERROR)
-                .body(format!("failed to serialize JSON value: {error}").into())
+                .body(BoxBody::new(format!(
+                    "failed to serialize JSON value: {error}"
+                )))
                .expect("builder with known status code must not fail")
        }
    }
--- a/linkerd/app/admin/src/server/log/level.rs
+++ b/linkerd/app/admin/src/server/log/level.rs
@ -1,17 +1,18 @@
+use bytes::Buf;
 use http::{header, StatusCode};
-use hyper::{
-    body::{Buf, HttpBody},
-    Body,
+use linkerd_app_core::{
+    proxy::http::{Body, BoxBody},
+    trace::level,
+    Error,
 };
-use linkerd_app_core::{trace::level, Error};
 use std::io;

 pub async fn serve<B>(
    level: level::Handle,
    req: http::Request<B>,
-) -> Result<http::Response<Body>, Error>
+) -> Result<http::Response<BoxBody>, Error>
 where
-    B: HttpBody,
+    B: Body,
    B::Error: Into<Error>,
 {
    Ok(match *req.method() {
@ -21,11 +22,15 @@ where
        }

        http::Method::PUT => {
-            let body = hyper::body::aggregate(req.into_body())
+            use http_body_util::BodyExt;
+            let body = req
+                .into_body()
+                .collect()
                .await
-                .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?;
+                .map_err(io::Error::other)?
+                .aggregate();
            match level.set_from(body.chunk()) {
-                Ok(_) => mk_rsp(StatusCode::NO_CONTENT, Body::empty()),
+                Ok(_) => mk_rsp(StatusCode::NO_CONTENT, BoxBody::empty()),
                Err(error) => {
                    tracing::warn!(%error, "Setting log level failed");
                    mk_rsp(StatusCode::BAD_REQUEST, error)
@ -37,14 +42,19 @@ where
            .status(StatusCode::METHOD_NOT_ALLOWED)
            .header(header::ALLOW, "GET")
            .header(header::ALLOW, "PUT")
-            .body(Body::empty())
+            .body(BoxBody::empty())
            .expect("builder with known status code must not fail"),
    })
 }

-fn mk_rsp(status: StatusCode, body: impl Into<Body>) -> http::Response<Body> {
+fn mk_rsp<B>(status: StatusCode, body: B) -> http::Response<BoxBody>
+where
+    B: Body + Send + 'static,
+    B::Data: Send + 'static,
+    B::Error: Into<Error>,
+{
    http::Response::builder()
        .status(status)
-        .body(body.into())
+        .body(BoxBody::new(body))
        .expect("builder with known status code must not fail")
 }
--- a/linkerd/app/admin/src/server/log/stream.rs
+++ b/linkerd/app/admin/src/server/log/stream.rs
@ -1,10 +1,9 @@
 use crate::server::json;
+use bytes::{Buf, Bytes};
 use futures::FutureExt;
-use hyper::{
-    body::{Buf, Bytes},
-    header, Body, StatusCode,
-};
+use hyper::{header, StatusCode};
 use linkerd_app_core::{
+    proxy::http::{Body, BoxBody},
    trace::{self},
    Error,
 };
@ -27,9 +26,9 @@ macro_rules! recover {
 pub async fn serve<B>(
    handle: trace::Handle,
    req: http::Request<B>,
-) -> Result<http::Response<Body>, Error>
+) -> Result<http::Response<BoxBody>, Error>
 where
-    B: hyper::body::HttpBody,
+    B: Body,
    B::Error: Into<Error>,
 {
    let handle = handle.into_stream();
@ -52,10 +51,13 @@ where
        // If the request is a QUERY, use the request body
        method if method.as_str() == "QUERY" => {
            // TODO(eliza): validate that the request has a content-length...
+            use http_body_util::BodyExt;
            let body = recover!(
-                hyper::body::aggregate(req.into_body())
+                req.into_body()
+                    .collect()
                    .await
-                    .map_err(Into::into),
+                    .map_err(Into::into)
+                    .map(http_body_util::Collected::aggregate),
                "Reading log stream request body",
                StatusCode::BAD_REQUEST
            );
@ -74,7 +76,7 @@ where
                .status(StatusCode::METHOD_NOT_ALLOWED)
                .header(header::ALLOW, "GET")
                .header(header::ALLOW, "QUERY")
-                .body(Body::empty())
+                .body(BoxBody::empty())
                .expect("builder with known status code must not fail"));
        }
    };
@ -99,7 +101,7 @@ where
    // https://github.com/hawkw/thingbuf/issues/62 would allow us to avoid the
    // copy by passing the channel's pooled buffer directly to hyper, and
    // returning it to the channel to be reused when hyper is done with it.
-    let (mut tx, body) = Body::channel();
+    let (mut tx, body) = http_body_util::channel::Channel::<Bytes, Error>::new(1024);
    tokio::spawn(
        async move {
            // TODO(eliza): we could definitely implement some batching here.
@ -124,7 +126,7 @@ where
        }),
    );

-    Ok(mk_rsp(StatusCode::OK, body))
+    Ok(mk_rsp(StatusCode::OK, BoxBody::new(body)))
 }

 fn parse_filter(filter_str: &str) -> Result<EnvFilter, impl std::error::Error> {
@ -133,10 +135,10 @@ fn parse_filter(filter_str: &str) -> Result<EnvFilter, impl std::error::Error> {
    filter
 }

-fn mk_rsp(status: StatusCode, body: impl Into<Body>) -> http::Response<Body> {
+fn mk_rsp<B>(status: StatusCode, body: B) -> http::Response<B> {
    http::Response::builder()
        .status(status)
        .header(header::CONTENT_TYPE, json::JSON_HEADER_VAL.clone())
-        .body(body.into())
+        .body(body)
        .expect("builder with known status code must not fail")
 }
--- a/linkerd/app/admin/src/stack.rs
+++ b/linkerd/app/admin/src/stack.rs
@ -1,8 +1,8 @@
 use linkerd_app_core::{
    classify,
    config::ServerConfig,
-    detect, drain, errors, identity,
-    metrics::{self, FmtMetrics},
+    drain, errors, identity,
+    metrics::{self, legacy::FmtMetrics},
    proxy::http,
    serve,
    svc::{self, ExtractParam, InsertParam, Param},
@ -24,6 +24,7 @@ pub struct Config {
    pub metrics_retain_idle: Duration,
    #[cfg(feature = "pprof")]
    pub enable_profiling: bool,
+    pub enable_shutdown: bool,
 }

 pub struct Task {
@ -51,7 +52,7 @@ struct Tcp {
 #[derive(Clone, Debug)]
 struct Http {
    tcp: Tcp,
-    version: http::Version,
+    version: http::Variant,
 }

 #[derive(Clone, Debug)]
@ -100,7 +101,7 @@ impl Config {
        let (ready, latch) = crate::server::Readiness::new();

        #[cfg_attr(not(feature = "pprof"), allow(unused_mut))]
-        let admin = crate::server::Admin::new(report, ready, shutdown, trace);
+        let admin = crate::server::Admin::new(report, ready, shutdown, self.enable_shutdown, trace);

        #[cfg(feature = "pprof")]
        let admin = admin.with_profiling(self.enable_profiling);
@ -121,6 +122,7 @@ impl Config {
            .push_on_service(http::BoxResponse::layer())
            .arc_new_clone_http();

+        let inbound::DetectMetrics(detect_metrics) = metrics.detect.clone();
        let tcp = http
            .unlift_new()
            .push(http::NewServeHttp::layer({
@ -135,11 +137,11 @@ impl Config {
            }))
            .push_filter(
                |(http, tcp): (
-                    Result<Option<http::Version>, detect::DetectTimeoutError<_>>,
+                    http::Detection,
                    Tcp,
                )| {
                    match http {
-                        Ok(Some(version)) => Ok(Http { version, tcp }),
+                        http::Detection::Http(version) => Ok(Http { version, tcp }),
                        // If detection timed out, we can make an educated guess at the proper
                        // behavior:
                        // - If the connection was meshed, it was most likely transported over
@ -147,12 +149,12 @@ impl Config {
                        // - If the connection was unmeshed, it was mostly likely HTTP/1.
                        // - If we received some unexpected SNI, the client is mostly likely
                        //   confused/stale.
-                        Err(_timeout) => {
+                        http::Detection::ReadTimeout(_timeout) => {
                            let version = match tcp.tls {
-                                tls::ConditionalServerTls::None(_) => http::Version::Http1,
+                                tls::ConditionalServerTls::None(_) => http::Variant::Http1,
                                tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                                    ..
-                                }) => http::Version::H2,
+                                }) => http::Variant::H2,
                                tls::ConditionalServerTls::Some(tls::ServerTls::Passthru {
                                    sni,
                                }) => {
@ -165,7 +167,7 @@ impl Config {
                        }
                        // If the connection failed HTTP detection, check if we detected TLS for
                        // another target. This might indicate that the client is confused/stale.
-                        Ok(None) => match tcp.tls {
+                        http::Detection::NotHttp => match tcp.tls {
                            tls::ConditionalServerTls::Some(tls::ServerTls::Passthru { sni }) => {
                                Err(UnexpectedSni(sni, tcp.client).into())
                            }
@ -176,9 +178,12 @@ impl Config {
            )
            .arc_new_tcp()
            .lift_new_with_target()
-            .push(detect::NewDetectService::layer(svc::stack::CloneParam::from(
-                detect::Config::<http::DetectHttp>::from_timeout(DETECT_TIMEOUT),
-            )))
+            .push(http::NewDetect::layer(move |tcp: &Tcp| {
+                http::DetectParams {
+                    read_timeout: DETECT_TIMEOUT,
+                    metrics: detect_metrics.metrics(tcp.policy.server_label())
+                }
+            }))
            .push(transport::metrics::NewServer::layer(metrics.proxy.transport))
            .push_map_target(move |(tls, addrs): (tls::ConditionalServerTls, B::Addrs)| {
                Tcp {
@ -209,7 +214,7 @@ impl Config {
 impl Param<transport::labels::Key> for Tcp {
    fn param(&self) -> transport::labels::Key {
        transport::labels::Key::inbound_server(
-            self.tls.clone(),
+            self.tls.as_ref().map(|t| t.labels()),
            self.addr.into(),
            self.policy.server_label(),
        )
@ -218,8 +223,8 @@ impl Param<transport::labels::Key> for Tcp {

 // === impl Http ===

-impl Param<http::Version> for Http {
-    fn param(&self) -> http::Version {
+impl Param<http::Variant> for Http {
+    fn param(&self) -> http::Variant {
        self.version
    }
 }
@ -267,7 +272,7 @@ impl Param<metrics::ServerLabel> for Http {
 impl Param<metrics::EndpointLabels> for Permitted {
    fn param(&self) -> metrics::EndpointLabels {
        metrics::InboundEndpointLabels {
-            tls: self.http.tcp.tls.clone(),
+            tls: self.http.tcp.tls.as_ref().map(|t| t.labels()),
            authority: None,
            target_addr: self.http.tcp.addr.into(),
            policy: self.permit.labels.clone(),
--- a/linkerd/app/core/Cargo.toml
+++ b/linkerd/app/core/Cargo.toml
@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-core"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Core infrastructure for the proxy application

@ -13,30 +13,23 @@ independently of the inbound and outbound proxy logic.
 """

 [dependencies]
-bytes = "1"
-drain = { version = "0.1", features = ["retain"] }
-http = "0.2"
-http-body = "0.4"
-hyper = { version = "0.14", features = ["http1", "http2"] }
+drain = { workspace = true, features = ["retain"] }
+http = { workspace = true }
+http-body = { workspace = true }
+hyper = { workspace = true, features = ["http1", "http2"] }
 futures = { version = "0.3", default-features = false }
-ipnet = "2.7"
-prometheus-client = "0.22"
-regex = "1"
-serde_json = "1"
-thiserror = "1"
+ipnet = "2.11"
+prometheus-client = { workspace = true }
+thiserror = "2"
 tokio = { version = "1", features = ["macros", "sync", "parking_lot"] }
 tokio-stream = { version = "0.1", features = ["time"] }
-tonic = { version = "0.10", default-features = false, features = ["prost"] }
-tracing = "0.1"
-parking_lot = "0.12"
+tonic = { workspace = true, default-features = false, features = ["prost"] }
+tracing = { workspace = true }
 pin-project = "1"

 linkerd-addr = { path = "../../addr" }
 linkerd-conditional = { path = "../../conditional" }
 linkerd-dns = { path = "../../dns" }
-linkerd-detect = { path = "../../detect" }
-linkerd-duplex = { path = "../../duplex" }
-linkerd-errno = { path = "../../errno" }
 linkerd-error = { path = "../../error" }
 linkerd-error-respond = { path = "../../error-respond" }
 linkerd-exp-backoff = { path = "../../exp-backoff" }
@ -47,6 +40,7 @@ linkerd-io = { path = "../../io" }
 linkerd-meshtls = { path = "../../meshtls", default-features = false }
 linkerd-metrics = { path = "../../metrics", features = ["process", "stack"] }
 linkerd-opencensus = { path = "../../opencensus" }
+linkerd-opentelemetry = { path = "../../opentelemetry" }
 linkerd-proxy-api-resolve = { path = "../../proxy/api-resolve" }
 linkerd-proxy-balance = { path = "../../proxy/balance" }
 linkerd-proxy-core = { path = "../../proxy/core" }
@ -62,6 +56,7 @@ linkerd-proxy-tcp = { path = "../../proxy/tcp" }
 linkerd-proxy-transport = { path = "../../proxy/transport" }
 linkerd-reconnect = { path = "../../reconnect" }
 linkerd-router = { path = "../../router" }
+linkerd-rustls = { path = "../../rustls" }
 linkerd-service-profiles = { path = "../../service-profiles" }
 linkerd-stack = { path = "../../stack" }
 linkerd-stack-metrics = { path = "../../stack/metrics" }
@ -73,15 +68,14 @@ linkerd-tls = { path = "../../tls" }
 linkerd-trace-context = { path = "../../trace-context" }

 [dependencies.tower]
-version = "0.4"
+workspace = true
 default-features = false
 features = ["make", "spawn-ready", "timeout", "util", "limit"]

-[target.'cfg(target_os = "linux")'.dependencies]
-linkerd-system = { path = "../../system" }
-
 [build-dependencies]
 semver = "1"

 [dev-dependencies]
-quickcheck = { version = "1", default-features = false }
+bytes = { workspace = true }
+http-body-util = { workspace = true }
+linkerd-mock-http-body = { path = "../../mock/http-body" }
--- a/linkerd/app/core/build.rs
+++ b/linkerd/app/core/build.rs
@ -4,18 +4,18 @@ fn set_env(name: &str, cmd: &mut Command) {
    let value = match cmd.output() {
        Ok(output) => String::from_utf8(output.stdout).unwrap(),
        Err(err) => {
-            println!("cargo:warning={}", err);
+            println!("cargo:warning={err}");
            "".to_string()
        }
    };
-    println!("cargo:rustc-env={}={}", name, value);
+    println!("cargo:rustc-env={name}={value}");
 }

 fn version() -> String {
    if let Ok(v) = std::env::var("LINKERD2_PROXY_VERSION") {
        if !v.is_empty() {
-            if semver::Version::parse(&v).is_err() {
-                panic!("LINKERD2_PROXY_VERSION must be semver");
+            if let Err(err) = semver::Version::parse(&v) {
+                panic!("LINKERD2_PROXY_VERSION must be semver: version='{v}' error='{err}'");
            }
            return v;
        }
--- a/linkerd/app/core/src/classify.rs
+++ b/linkerd/app/core/src/classify.rs
@ -1,5 +1,4 @@
 use crate::profiles;
-pub use classify::gate;
 use linkerd_error::Error;
 use linkerd_proxy_client_policy as client_policy;
 use linkerd_proxy_http::{classify, HasH2Reason, ResponseTimeoutError};
@ -214,7 +213,7 @@ fn h2_error(err: &Error) -> String {
    if let Some(reason) = err.h2_reason() {
        // This should output the error code in the same format as the spec,
        // for example: PROTOCOL_ERROR
-        format!("h2({:?})", reason)
+        format!("h2({reason:?})")
    } else {
        trace!("classifying found non-h2 error: {:?}", err);
        String::from("unclassified")
--- a/linkerd/app/core/src/config.rs
+++ b/linkerd/app/core/src/config.rs
@ -1,8 +1,8 @@
 pub use crate::exp_backoff::ExponentialBackoff;
 use crate::{
-    proxy::http::{self, h1, h2},
-    svc::{queue, CloneParam, ExtractParam, Param},
-    transport::{DualListenAddr, Keepalive, ListenAddr},
+    proxy::http::{h1, h2},
+    svc::{queue, ExtractParam, Param},
+    transport::{DualListenAddr, Keepalive, ListenAddr, UserTimeout},
 };
 use std::time::Duration;

@ -10,6 +10,7 @@ use std::time::Duration;
 pub struct ServerConfig {
    pub addr: DualListenAddr,
    pub keepalive: Keepalive,
+    pub user_timeout: UserTimeout,
    pub http2: h2::ServerParams,
 }

@ -18,6 +19,7 @@ pub struct ConnectConfig {
    pub backoff: ExponentialBackoff,
    pub timeout: Duration,
    pub keepalive: Keepalive,
+    pub user_timeout: UserTimeout,
    pub http1: h1::PoolSettings,
    pub http2: h2::ClientParams,
 }
@ -57,14 +59,6 @@ impl<T> ExtractParam<queue::Timeout, T> for QueueConfig {
    }
 }

-// === impl ProxyConfig ===
-
-impl ProxyConfig {
-    pub fn detect_http(&self) -> CloneParam<linkerd_detect::Config<http::DetectHttp>> {
-        linkerd_detect::Config::from_timeout(self.detect_protocol_timeout).into()
-    }
-}
-
 // === impl ServerConfig ===

 impl Param<DualListenAddr> for ServerConfig {
@ -84,3 +78,9 @@ impl Param<Keepalive> for ServerConfig {
        self.keepalive
    }
 }
+
+impl Param<UserTimeout> for ServerConfig {
+    fn param(&self) -> UserTimeout {
+        self.user_timeout
+    }
+}
--- a/linkerd/app/core/src/control.rs
+++ b/linkerd/app/core/src/control.rs
@ -69,8 +69,10 @@ impl fmt::Display for ControlAddr {
    }
 }

-pub type RspBody =
-    linkerd_http_metrics::requests::ResponseBody<http::balance::Body<hyper::Body>, classify::Eos>;
+pub type RspBody = linkerd_http_metrics::requests::ResponseBody<
+    http::balance::Body<hyper::body::Incoming>,
+    classify::Eos,
+>;

 #[derive(Clone, Debug, Default)]
 pub struct Metrics {
@ -99,7 +101,7 @@ impl Config {
        identity: identity::NewClient,
    ) -> svc::ArcNewService<
        (),
-        svc::BoxCloneSyncService<http::Request<tonic::body::BoxBody>, http::Response<RspBody>>,
+        svc::BoxCloneSyncService<http::Request<tonic::body::Body>, http::Response<RspBody>>,
    > {
        let addr = self.addr;
        tracing::trace!(%addr, "Building");
@ -112,7 +114,7 @@ impl Config {
                warn!(error, "Failed to resolve control-plane component");
                if let Some(e) = crate::errors::cause_ref::<dns::ResolveError>(&*error) {
                    if let Some(ttl) = e.negative_ttl() {
-                        return Ok(Either::Left(
+                        return Ok::<_, Error>(Either::Left(
                            IntervalStream::new(time::interval(ttl)).map(|_| ()),
                        ));
                    }
@ -124,13 +126,16 @@ impl Config {
            }
        };

-        let client = svc::stack(ConnectTcp::new(self.connect.keepalive))
-            .push(tls::Client::layer(identity))
-            .push_connect_timeout(self.connect.timeout)
-            .push_map_target(|(_version, target)| target)
-            .push(self::client::layer(self.connect.http2))
-            .push_on_service(svc::MapErr::layer_boxed())
-            .into_new_service();
+        let client = svc::stack(ConnectTcp::new(
+            self.connect.keepalive,
+            self.connect.user_timeout,
+        ))
+        .push(tls::Client::layer(identity))
+        .push_connect_timeout(self.connect.timeout) // Client<NewClient, ConnectTcp>
+        .push_map_target(|(_version, target)| target)
+        .push(self::client::layer::<_, _>(self.connect.http2))
+        .push_on_service(svc::MapErr::layer_boxed())
+        .into_new_service();

        let endpoint = client
            // Ensure that connection is driven independently of the load
--- a/linkerd/app/core/src/dns.rs
+++ b/linkerd/app/core/src/dns.rs
@ -1,30 +1,55 @@
-pub use linkerd_dns::*;
-use std::path::PathBuf;
+use self::metrics::Labels;
+use linkerd_metrics::prom::{Counter, Family, Registry};
 use std::time::Duration;

+pub use linkerd_dns::*;
+
+mod metrics;
+
 #[derive(Clone, Debug)]
 pub struct Config {
    pub min_ttl: Option<Duration>,
    pub max_ttl: Option<Duration>,
-    pub resolv_conf_path: PathBuf,
 }

 pub struct Dns {
-    pub resolver: Resolver,
+    resolver: Resolver,
+    resolutions: Family<Labels, Counter>,
+}
+
+// === impl Dns ===
+
+impl Dns {
+    /// Returns a new [`Resolver`].
+    pub fn resolver(&self, client: &'static str) -> Resolver {
+        let metrics = self.metrics(client);
+
+        self.resolver.clone().with_metrics(metrics)
+    }
 }

 // === impl Config ===

 impl Config {
-    pub fn build(self) -> Dns {
+    pub fn build(self, registry: &mut Registry) -> Dns {
+        let resolutions = Family::default();
+        registry.register(
+            "resolutions",
+            "Counts the number of DNS records that have been resolved.",
+            resolutions.clone(),
+        );
+
        let resolver =
            Resolver::from_system_config_with(&self).expect("system DNS config must be valid");
-        Dns { resolver }
+        Dns {
+            resolver,
+            resolutions,
+        }
    }
 }

 impl ConfigureResolver for Config {
-    /// Modify a `trust-dns-resolver::config::ResolverOpts` to reflect
+    /// Modify a `hickory-resolver::config::ResolverOpts` to reflect
    /// the configured minimum and maximum DNS TTL values.
    fn configure_resolver(&self, opts: &mut ResolverOpts) {
        opts.positive_min_ttl = self.min_ttl;
--- a/linkerd/app/core/src/dns/metrics.rs
+++ b/linkerd/app/core/src/dns/metrics.rs
@ -0,0 +1,115 @@
+use super::{Dns, Metrics};
+use linkerd_metrics::prom::encoding::{
+    EncodeLabel, EncodeLabelSet, EncodeLabelValue, LabelSetEncoder, LabelValueEncoder,
+};
+use std::fmt::{Display, Write};
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+pub(super) struct Labels {
+    client: &'static str,
+    record_type: RecordType,
+    result: Outcome,
+}
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+enum RecordType {
+    A,
+    Srv,
+}
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+enum Outcome {
+    Ok,
+    NotFound,
+}
+
+// === impl Dns ===
+
+impl Dns {
+    pub(super) fn metrics(&self, client: &'static str) -> Metrics {
+        let family = &self.resolutions;
+
+        let a_records_resolved = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::A,
+            result: Outcome::Ok,
+        }))
+        .clone();
+        let a_records_not_found = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::A,
+            result: Outcome::NotFound,
+        }))
+        .clone();
+        let srv_records_resolved = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::Srv,
+            result: Outcome::Ok,
+        }))
+        .clone();
+        let srv_records_not_found = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::Srv,
+            result: Outcome::NotFound,
+        }))
+        .clone();
+
+        Metrics {
+            a_records_resolved,
+            a_records_not_found,
+            srv_records_resolved,
+            srv_records_not_found,
+        }
+    }
+}
+// === impl Labels ===
+
+impl EncodeLabelSet for Labels {
+    fn encode(&self, mut encoder: LabelSetEncoder<'_>) -> Result<(), std::fmt::Error> {
+        let Self {
+            client,
+            record_type,
+            result,
+        } = self;
+
+        ("client", *client).encode(encoder.encode_label())?;
+        ("record_type", record_type).encode(encoder.encode_label())?;
+        ("result", result).encode(encoder.encode_label())?;
+
+        Ok(())
+    }
+}
+
+// === impl Outcome ===
+
+impl EncodeLabelValue for &Outcome {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), std::fmt::Error> {
+        encoder.write_str(self.to_string().as_str())
+    }
+}
+
+impl Display for Outcome {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(match self {
+            Self::Ok => "ok",
+            Self::NotFound => "not_found",
+        })
+    }
+}
+
+// === impl RecordType ===
+
+impl EncodeLabelValue for &RecordType {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), std::fmt::Error> {
+        encoder.write_str(self.to_string().as_str())
+    }
+}
+
+impl Display for RecordType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(match self {
+            Self::A => "A/AAAA",
+            Self::Srv => "SRV",
+        })
+    }
+}
--- a/linkerd/app/core/src/errors.rs
+++ b/linkerd/app/core/src/errors.rs
@ -1,3 +1,4 @@
+pub mod body;
 pub mod respond;

 pub use self::respond::{HttpRescue, NewRespond, NewRespondService, SyntheticHttpResponse};
@ -6,6 +7,16 @@ pub use linkerd_proxy_http::h2::H2Error;
 pub use linkerd_stack::{FailFastError, LoadShedError};
 pub use tonic::Code as Grpc;

+/// Header names and values related to error responses.
+pub mod header {
+    use http::header::{HeaderName, HeaderValue};
+    pub const L5D_PROXY_CONNECTION: HeaderName = HeaderName::from_static("l5d-proxy-connection");
+    pub const L5D_PROXY_ERROR: HeaderName = HeaderName::from_static("l5d-proxy-error");
+    pub(super) const GRPC_CONTENT_TYPE: HeaderValue = HeaderValue::from_static("application/grpc");
+    pub(super) const GRPC_MESSAGE: HeaderName = HeaderName::from_static("grpc-message");
+    pub(super) const GRPC_STATUS: HeaderName = HeaderName::from_static("grpc-status");
+}
+
 #[derive(Debug, thiserror::Error)]
 #[error("connect timed out after {0:?}")]
 pub struct ConnectTimeout(pub(crate) std::time::Duration);
@ -18,3 +29,27 @@ pub fn has_grpc_status(error: &crate::Error, code: tonic::Code) -> bool {
        .map(|s| s.code() == code)
        .unwrap_or(false)
 }
+
+// Copied from tonic, where it's private.
+fn code_header(code: tonic::Code) -> http::HeaderValue {
+    use {http::HeaderValue, tonic::Code};
+    match code {
+        Code::Ok => HeaderValue::from_static("0"),
+        Code::Cancelled => HeaderValue::from_static("1"),
+        Code::Unknown => HeaderValue::from_static("2"),
+        Code::InvalidArgument => HeaderValue::from_static("3"),
+        Code::DeadlineExceeded => HeaderValue::from_static("4"),
+        Code::NotFound => HeaderValue::from_static("5"),
+        Code::AlreadyExists => HeaderValue::from_static("6"),
+        Code::PermissionDenied => HeaderValue::from_static("7"),
+        Code::ResourceExhausted => HeaderValue::from_static("8"),
+        Code::FailedPrecondition => HeaderValue::from_static("9"),
+        Code::Aborted => HeaderValue::from_static("10"),
+        Code::OutOfRange => HeaderValue::from_static("11"),
+        Code::Unimplemented => HeaderValue::from_static("12"),
+        Code::Internal => HeaderValue::from_static("13"),
+        Code::Unavailable => HeaderValue::from_static("14"),
+        Code::DataLoss => HeaderValue::from_static("15"),
+        Code::Unauthenticated => HeaderValue::from_static("16"),
+    }
+}
--- a/linkerd/app/core/src/errors/body.rs
+++ b/linkerd/app/core/src/errors/body.rs
@ -0,0 +1,314 @@
+use super::{
+    header::{GRPC_MESSAGE, GRPC_STATUS},
+    respond::{HttpRescue, SyntheticHttpResponse},
+};
+use http::header::HeaderValue;
+use http_body::Frame;
+use linkerd_error::{Error, Result};
+use pin_project::pin_project;
+use std::{
+    pin::Pin,
+    task::{Context, Poll},
+};
+use tracing::{debug, warn};
+
+/// Returns a "gRPC rescue" body.
+///
+/// This returns a body that, should the inner `B`-typed body return an error when polling for
+/// DATA frames, will "rescue" the stream and return a TRAILERS frame that describes the error.
+#[pin_project(project = ResponseBodyProj)]
+pub struct ResponseBody<R, B>(#[pin] Inner<R, B>);
+
+#[pin_project(project = InnerProj)]
+enum Inner<R, B> {
+    /// An inert body that delegates directly down to the underlying body `B`.
+    Passthru(#[pin] B),
+    /// A body that will be rescued if it yields an error.
+    GrpcRescue {
+        #[pin]
+        inner: B,
+        /// An error response [strategy][HttpRescue].
+        rescue: R,
+        emit_headers: bool,
+    },
+    /// The underlying body `B` yielded an error and was "rescued".
+    Rescued,
+}
+
+// === impl ResponseBody ===
+
+impl<R, B> ResponseBody<R, B> {
+    /// Returns a body in "passthru" mode.
+    pub fn passthru(inner: B) -> Self {
+        Self(Inner::Passthru(inner))
+    }
+
+    /// Returns a "gRPC rescue" body.
+    pub fn grpc_rescue(inner: B, rescue: R, emit_headers: bool) -> Self {
+        Self(Inner::GrpcRescue {
+            inner,
+            rescue,
+            emit_headers,
+        })
+    }
+}
+
+impl<R, B: Default + linkerd_proxy_http::Body> Default for ResponseBody<R, B> {
+    fn default() -> Self {
+        Self(Inner::Passthru(B::default()))
+    }
+}
+
+impl<R, B> linkerd_proxy_http::Body for ResponseBody<R, B>
+where
+    B: linkerd_proxy_http::Body<Error = Error>,
+    R: HttpRescue<B::Error>,
+{
+    type Data = B::Data;
+    type Error = B::Error;
+
+    fn poll_frame(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+    ) -> Poll<Option<std::result::Result<http_body::Frame<Self::Data>, Self::Error>>> {
+        let ResponseBodyProj(inner) = self.as_mut().project();
+        match inner.project() {
+            InnerProj::Passthru(inner) => inner.poll_frame(cx),
+            InnerProj::GrpcRescue {
+                inner,
+                rescue,
+                emit_headers,
+            } => match inner.poll_frame(cx) {
+                Poll::Ready(Some(Err(error))) => {
+                    // The inner body has yielded an error, which we will try to rescue. If so,
+                    // yield synthetic trailers reporting the error.
+                    let trailers = Self::rescue(error, rescue, *emit_headers)?;
+                    self.set(Self(Inner::Rescued));
+                    Poll::Ready(Some(Ok(Frame::trailers(trailers))))
+                }
+                poll => poll,
+            },
+            InnerProj::Rescued => Poll::Ready(None),
+        }
+    }
+
+    #[inline]
+    fn is_end_stream(&self) -> bool {
+        let Self(inner) = self;
+        match inner {
+            Inner::Passthru(inner) => inner.is_end_stream(),
+            Inner::GrpcRescue { inner, .. } => inner.is_end_stream(),
+            Inner::Rescued => true,
+        }
+    }
+
+    #[inline]
+    fn size_hint(&self) -> http_body::SizeHint {
+        let Self(inner) = self;
+        match inner {
+            Inner::Passthru(inner) => inner.size_hint(),
+            Inner::GrpcRescue { inner, .. } => inner.size_hint(),
+            Inner::Rescued => http_body::SizeHint::with_exact(0),
+        }
+    }
+}
+
+impl<R, B> ResponseBody<R, B>
+where
+    B: http_body::Body,
+    R: HttpRescue<B::Error>,
+{
+    /// Maps an error yielded by the inner body to a collection of gRPC trailers.
+    ///
+    /// This function returns `Ok(trailers)` if the given [`HttpRescue<E>`] strategy could identify
+    /// a cause for an error yielded by the inner `B`-typed body.
+    fn rescue(
+        error: B::Error,
+        rescue: &R,
+        emit_headers: bool,
+    ) -> Result<http::HeaderMap, B::Error> {
+        let SyntheticHttpResponse {
+            grpc_status,
+            message,
+            ..
+        } = rescue.rescue(error)?;
+
+        debug!(grpc.status = ?grpc_status, "Synthesizing gRPC trailers");
+        let mut t = http::HeaderMap::new();
+        t.insert(GRPC_STATUS, super::code_header(grpc_status));
+        if emit_headers {
+            // A gRPC message trailer is only included if instructed to emit additional headers.
+            t.insert(
+                GRPC_MESSAGE,
+                HeaderValue::from_str(&message).unwrap_or_else(|error| {
+                    warn!(%error, "Failed to encode error header");
+                    HeaderValue::from_static("Unexpected error")
+                }),
+            );
+        }
+
+        Ok(t)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::errors::header::{GRPC_MESSAGE, GRPC_STATUS};
+    use http::HeaderMap;
+    use linkerd_mock_http_body::MockBody;
+
+    struct MockRescue;
+    impl<E> HttpRescue<E> for MockRescue {
+        /// Attempts to synthesize a response from the given error.
+        fn rescue(&self, _: E) -> Result<SyntheticHttpResponse, E> {
+            let synthetic = SyntheticHttpResponse::internal_error("MockRescue::rescue");
+            Ok(synthetic)
+        }
+    }
+
+    #[tokio::test]
+    async fn rescue_body_recovers_from_error_without_grpc_message() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let trailers = {
+            let mut trls = HeaderMap::with_capacity(1);
+            let value = HeaderValue::from_static("caboose");
+            trls.insert("trailer", value);
+            trls
+        };
+        let rescue = {
+            let inner = MockBody::default()
+                .then_yield_data(Poll::Ready(Some(Ok("inter".into()))))
+                .then_yield_data(Poll::Ready(Some(Err("an error midstream".into()))))
+                .then_yield_data(Poll::Ready(Some(Ok("rupted".into()))))
+                .then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
+            let rescue = MockRescue;
+            let emit_headers = false;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, Some(trailers)) = body_to_string(rescue).await else {
+            panic!("trailers should exist");
+        };
+        assert_eq!(data, "inter");
+        assert_eq!(
+            trailers[GRPC_STATUS],
+            i32::from(tonic::Code::Internal).to_string()
+        );
+        assert_eq!(trailers.get(GRPC_MESSAGE), None);
+    }
+
+    #[tokio::test]
+    async fn rescue_body_recovers_from_error_emitting_message() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let trailers = {
+            let mut trls = HeaderMap::with_capacity(1);
+            let value = HeaderValue::from_static("caboose");
+            trls.insert("trailer", value);
+            trls
+        };
+        let rescue = {
+            let inner = MockBody::default()
+                .then_yield_data(Poll::Ready(Some(Ok("inter".into()))))
+                .then_yield_data(Poll::Ready(Some(Err("an error midstream".into()))))
+                .then_yield_data(Poll::Ready(Some(Ok("rupted".into()))))
+                .then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
+            let rescue = MockRescue;
+            let emit_headers = true;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, Some(trailers)) = body_to_string(rescue).await else {
+            panic!("trailers should exist");
+        };
+        assert_eq!(data, "inter");
+        assert_eq!(
+            trailers[GRPC_STATUS],
+            i32::from(tonic::Code::Internal).to_string()
+        );
+        assert_eq!(trailers[GRPC_MESSAGE], "MockRescue::rescue");
+    }
+
+    #[tokio::test]
+    async fn rescue_body_works_for_empty() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let rescue = {
+            let inner = MockBody::default();
+            let rescue = MockRescue;
+            let emit_headers = false;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, trailers) = body_to_string(rescue).await;
+        assert_eq!(data, "");
+        assert_eq!(trailers, None);
+    }
+
+    #[tokio::test]
+    async fn rescue_body_works_for_body_with_data() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let rescue = {
+            let inner = MockBody::default().then_yield_data(Poll::Ready(Some(Ok("unary".into()))));
+            let rescue = MockRescue;
+            let emit_headers = false;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, trailers) = body_to_string(rescue).await;
+        assert_eq!(data, "unary");
+        assert_eq!(trailers, None);
+    }
+
+    #[tokio::test]
+    async fn rescue_body_works_for_body_with_trailers() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let trailers = {
+            let mut trls = HeaderMap::with_capacity(1);
+            let value = HeaderValue::from_static("caboose");
+            trls.insert("trailer", value);
+            trls
+        };
+        let rescue = {
+            let inner = MockBody::default().then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
+            let rescue = MockRescue;
+            let emit_headers = false;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, trailers) = body_to_string(rescue).await;
+        assert_eq!(data, "");
+        assert_eq!(trailers.expect("has trailers")["trailer"], "caboose");
+    }
+
+    async fn body_to_string<B>(mut body: B) -> (String, Option<HeaderMap>)
+    where
+        B: http_body::Body + Unpin,
+        B::Error: std::fmt::Debug,
+    {
+        use http_body_util::BodyExt;
+
+        let mut data = String::new();
+        let mut trailers = None;
+
+        // Continue reading frames from the body until it is finished.
+        while let Some(frame) = body
+            .frame()
+            .await
+            .transpose()
+            .expect("reading a frame succeeds")
+        {
+            match frame.into_data().map(|mut buf| {
+                use bytes::Buf;
+                let bytes = buf.copy_to_bytes(buf.remaining());
+                String::from_utf8(bytes.to_vec()).unwrap()
+            }) {
+                Ok(ref s) => data.push_str(s),
+                Err(frame) => {
+                    let trls = frame
+                        .into_trailers()
+                        .map_err(drop)
+                        .expect("test frame is either data or trailers");
+                    trailers = Some(trls);
+                }
+            }
+        }
+
+        tracing::info!(?data, ?trailers, "finished reading body");
+        (data, trailers)
+    }
+}
--- a/linkerd/app/core/src/errors/respond.rs
+++ b/linkerd/app/core/src/errors/respond.rs
@ -1,21 +1,16 @@
+use super::{
+    body::ResponseBody,
+    header::{GRPC_CONTENT_TYPE, GRPC_MESSAGE, GRPC_STATUS, L5D_PROXY_CONNECTION, L5D_PROXY_ERROR},
+};
 use crate::svc;
 use http::header::{HeaderValue, LOCATION};
 use linkerd_error::{Error, Result};
 use linkerd_error_respond as respond;
-use linkerd_proxy_http::orig_proto;
-pub use linkerd_proxy_http::{ClientHandle, HasH2Reason};
+use linkerd_proxy_http::{orig_proto, ClientHandle};
 use linkerd_stack::ExtractParam;
-use pin_project::pin_project;
-use std::{
-    borrow::Cow,
-    pin::Pin,
-    task::{Context, Poll},
-};
+use std::borrow::Cow;
 use tracing::{debug, info_span, warn};

-pub const L5D_PROXY_CONNECTION: &str = "l5d-proxy-connection";
-pub const L5D_PROXY_ERROR: &str = "l5d-proxy-error";
-
 pub fn layer<R, P: Clone, N>(
    params: P,
 ) -> impl svc::layer::Layer<N, Service = NewRespondService<R, P, N>> + Clone {
@ -33,10 +28,10 @@ pub trait HttpRescue<E> {

 #[derive(Clone, Debug)]
 pub struct SyntheticHttpResponse {
-    grpc_status: tonic::Code,
+    pub grpc_status: tonic::Code,
    http_status: http::StatusCode,
    close_connection: bool,
-    message: Cow<'static, str>,
+    pub message: Cow<'static, str>,
    location: Option<HeaderValue>,
 }

@ -62,22 +57,6 @@ pub struct Respond<R> {
    emit_headers: bool,
 }

-#[pin_project(project = ResponseBodyProj)]
-pub enum ResponseBody<R, B> {
-    Passthru(#[pin] B),
-    GrpcRescue {
-        #[pin]
-        inner: B,
-        trailers: Option<http::HeaderMap>,
-        rescue: R,
-        emit_headers: bool,
-    },
-}
-
-const GRPC_CONTENT_TYPE: &str = "application/grpc";
-const GRPC_STATUS: &str = "grpc-status";
-const GRPC_MESSAGE: &str = "grpc-message";
-
 // === impl HttpRescue ===

 impl<E, F> HttpRescue<E> for F
@ -120,7 +99,17 @@ impl SyntheticHttpResponse {
        Self {
            close_connection: true,
            http_status: http::StatusCode::GATEWAY_TIMEOUT,
-            grpc_status: tonic::Code::Unavailable,
+            grpc_status: tonic::Code::DeadlineExceeded,
+            message: Cow::Owned(msg.to_string()),
+            location: None,
+        }
+    }
+
+    pub fn gateway_timeout_nonfatal(msg: impl ToString) -> Self {
+        Self {
+            close_connection: false,
+            http_status: http::StatusCode::GATEWAY_TIMEOUT,
+            grpc_status: tonic::Code::DeadlineExceeded,
            message: Cow::Owned(msg.to_string()),
            location: None,
        }
@ -156,6 +145,16 @@ impl SyntheticHttpResponse {
        }
    }

+    pub fn rate_limited(msg: impl ToString) -> Self {
+        Self {
+            http_status: http::StatusCode::TOO_MANY_REQUESTS,
+            grpc_status: tonic::Code::ResourceExhausted,
+            close_connection: false,
+            message: Cow::Owned(msg.to_string()),
+            location: None,
+        }
+    }
+
    pub fn loop_detected(msg: impl ToString) -> Self {
        Self {
            http_status: http::StatusCode::LOOP_DETECTED,
@ -227,7 +226,7 @@ impl SyntheticHttpResponse {
            .version(http::Version::HTTP_2)
            .header(http::header::CONTENT_LENGTH, "0")
            .header(http::header::CONTENT_TYPE, GRPC_CONTENT_TYPE)
-            .header(GRPC_STATUS, code_header(self.grpc_status));
+            .header(GRPC_STATUS, super::code_header(self.grpc_status));

        if emit_headers {
            rsp = rsp
@ -326,7 +325,15 @@ where
                let is_grpc = req
                    .headers()
                    .get(http::header::CONTENT_TYPE)
-                    .and_then(|v| v.to_str().ok().map(|s| s.starts_with(GRPC_CONTENT_TYPE)))
+                    .and_then(|v| {
+                        v.to_str().ok().map(|s| {
+                            s.starts_with(
+                                GRPC_CONTENT_TYPE
+                                    .to_str()
+                                    .expect("GRPC_CONTENT_TYPE only contains visible ASCII"),
+                            )
+                        })
+                    })
                    .unwrap_or(false);
                Respond {
                    client,
@ -368,7 +375,7 @@ impl<R> Respond<R> {

 impl<B, R> respond::Respond<http::Response<B>, Error> for Respond<R>
 where
-    B: Default + hyper::body::HttpBody,
+    B: Default + linkerd_proxy_http::Body,
    R: HttpRescue<Error> + Clone,
 {
    type Response = http::Response<ResponseBody<R, B>>;
@ -376,19 +383,14 @@ where
    fn respond(&self, res: Result<http::Response<B>>) -> Result<Self::Response> {
        let error = match res {
            Ok(rsp) => {
-                return Ok(rsp.map(|b| match self {
+                return Ok(rsp.map(|inner| match self {
                    Respond {
                        is_grpc: true,
                        rescue,
                        emit_headers,
                        ..
-                    } => ResponseBody::GrpcRescue {
-                        inner: b,
-                        trailers: None,
-                        rescue: rescue.clone(),
-                        emit_headers: *emit_headers,
-                    },
-                    _ => ResponseBody::Passthru(b),
+                    } => ResponseBody::grpc_rescue(inner, rescue.clone(), *emit_headers),
+                    _ => ResponseBody::passthru(inner),
                }));
            }
            Err(error) => error,
@ -421,127 +423,3 @@ where
        Ok(rsp)
    }
 }
-
-// === impl ResponseBody ===
-
-impl<R, B: Default + hyper::body::HttpBody> Default for ResponseBody<R, B> {
-    fn default() -> Self {
-        ResponseBody::Passthru(B::default())
-    }
-}
-
-impl<R, B> hyper::body::HttpBody for ResponseBody<R, B>
-where
-    B: hyper::body::HttpBody<Error = Error>,
-    R: HttpRescue<B::Error>,
-{
-    type Data = B::Data;
-    type Error = B::Error;
-
-    fn poll_data(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
-        match self.project() {
-            ResponseBodyProj::Passthru(inner) => inner.poll_data(cx),
-            ResponseBodyProj::GrpcRescue {
-                inner,
-                trailers,
-                rescue,
-                emit_headers,
-            } => {
-                // should not be calling poll_data if we have set trailers derived from an error
-                assert!(trailers.is_none());
-                match inner.poll_data(cx) {
-                    Poll::Ready(Some(Err(error))) => {
-                        let SyntheticHttpResponse {
-                            grpc_status,
-                            message,
-                            ..
-                        } = rescue.rescue(error)?;
-                        let t = Self::grpc_trailers(grpc_status, &message, *emit_headers);
-                        *trailers = Some(t);
-                        Poll::Ready(None)
-                    }
-                    data => data,
-                }
-            }
-        }
-    }
-
-    #[inline]
-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        match self.project() {
-            ResponseBodyProj::Passthru(inner) => inner.poll_trailers(cx),
-            ResponseBodyProj::GrpcRescue {
-                inner, trailers, ..
-            } => match trailers.take() {
-                Some(t) => Poll::Ready(Ok(Some(t))),
-                None => inner.poll_trailers(cx),
-            },
-        }
-    }
-
-    #[inline]
-    fn is_end_stream(&self) -> bool {
-        match self {
-            Self::Passthru(inner) => inner.is_end_stream(),
-            Self::GrpcRescue {
-                inner, trailers, ..
-            } => trailers.is_none() && inner.is_end_stream(),
-        }
-    }
-
-    #[inline]
-    fn size_hint(&self) -> http_body::SizeHint {
-        match self {
-            Self::Passthru(inner) => inner.size_hint(),
-            Self::GrpcRescue { inner, .. } => inner.size_hint(),
-        }
-    }
-}
-
-impl<R, B> ResponseBody<R, B> {
-    fn grpc_trailers(code: tonic::Code, message: &str, emit_headers: bool) -> http::HeaderMap {
-        debug!(grpc.status = ?code, "Synthesizing gRPC trailers");
-        let mut t = http::HeaderMap::new();
-        t.insert(GRPC_STATUS, code_header(code));
-        if emit_headers {
-            t.insert(
-                GRPC_MESSAGE,
-                HeaderValue::from_str(message).unwrap_or_else(|error| {
-                    warn!(%error, "Failed to encode error header");
-                    HeaderValue::from_static("Unexpected error")
-                }),
-            );
-        }
-        t
-    }
-}
-
-// Copied from tonic, where it's private.
-fn code_header(code: tonic::Code) -> HeaderValue {
-    use tonic::Code;
-    match code {
-        Code::Ok => HeaderValue::from_static("0"),
-        Code::Cancelled => HeaderValue::from_static("1"),
-        Code::Unknown => HeaderValue::from_static("2"),
-        Code::InvalidArgument => HeaderValue::from_static("3"),
-        Code::DeadlineExceeded => HeaderValue::from_static("4"),
-        Code::NotFound => HeaderValue::from_static("5"),
-        Code::AlreadyExists => HeaderValue::from_static("6"),
-        Code::PermissionDenied => HeaderValue::from_static("7"),
-        Code::ResourceExhausted => HeaderValue::from_static("8"),
-        Code::FailedPrecondition => HeaderValue::from_static("9"),
-        Code::Aborted => HeaderValue::from_static("10"),
-        Code::OutOfRange => HeaderValue::from_static("11"),
-        Code::Unimplemented => HeaderValue::from_static("12"),
-        Code::Internal => HeaderValue::from_static("13"),
-        Code::Unavailable => HeaderValue::from_static("14"),
-        Code::DataLoss => HeaderValue::from_static("15"),
-        Code::Unauthenticated => HeaderValue::from_static("16"),
-    }
-}
--- a/linkerd/app/core/src/http_tracing.rs
+++ b/linkerd/app/core/src/http_tracing.rs
@ -1,139 +1,76 @@
 use linkerd_error::Error;
-use linkerd_opencensus::proto::trace::v1 as oc;
 use linkerd_stack::layer;
-use linkerd_trace_context::{self as trace_context, TraceContext};
-use std::{collections::HashMap, sync::Arc};
-use thiserror::Error;
+use linkerd_trace_context::{
+    self as trace_context,
+    export::{ExportSpan, SpanKind, SpanLabels},
+    Span, TraceContext,
+};
+use std::{str::FromStr, sync::Arc};
 use tokio::sync::mpsc;

-pub type OpenCensusSink = Option<mpsc::Sender<oc::Span>>;
-pub type Labels = Arc<HashMap<String, String>>;
-
-/// SpanConverter converts trace_context::Span objects into OpenCensus agent
-/// protobuf span objects. SpanConverter receives trace_context::Span objects by
-/// implmenting the SpanSink trait. For each span that it receives, it converts
-/// it to an OpenCensus span and then sends it on the provided mpsc::Sender.
-#[derive(Clone)]
-pub struct SpanConverter {
-    kind: Kind,
-    sink: mpsc::Sender<oc::Span>,
-    labels: Labels,
+#[derive(Debug, Copy, Clone, Default)]
+pub enum CollectorProtocol {
+    #[default]
+    OpenCensus,
+    OpenTelemetry,
 }

-#[derive(Debug, Error)]
-#[error("ID '{:?} should have {} bytes, but it has {}", self.id, self.expected_size, self.actual_size)]
-pub struct IdLengthError {
-    id: Vec<u8>,
-    expected_size: usize,
-    actual_size: usize,
+impl FromStr for CollectorProtocol {
+    type Err = ();
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        if s.eq_ignore_ascii_case("opencensus") {
+            Ok(Self::OpenCensus)
+        } else if s.eq_ignore_ascii_case("opentelemetry") {
+            Ok(Self::OpenTelemetry)
+        } else {
+            Err(())
+        }
+    }
 }

+pub type SpanSink = mpsc::Sender<ExportSpan>;
+
 pub fn server<S>(
-    sink: OpenCensusSink,
-    labels: impl Into<Labels>,
+    sink: Option<SpanSink>,
+    labels: impl Into<SpanLabels>,
 ) -> impl layer::Layer<S, Service = TraceContext<Option<SpanConverter>, S>> + Clone {
-    SpanConverter::layer(Kind::Server, sink, labels)
+    TraceContext::layer(sink.map(move |sink| SpanConverter {
+        kind: SpanKind::Server,
+        sink,
+        labels: labels.into(),
+    }))
 }

 pub fn client<S>(
-    sink: OpenCensusSink,
-    labels: impl Into<Labels>,
+    sink: Option<SpanSink>,
+    labels: impl Into<SpanLabels>,
 ) -> impl layer::Layer<S, Service = TraceContext<Option<SpanConverter>, S>> + Clone {
-    SpanConverter::layer(Kind::Client, sink, labels)
+    TraceContext::layer(sink.map(move |sink| SpanConverter {
+        kind: SpanKind::Client,
+        sink,
+        labels: labels.into(),
+    }))
 }

-#[derive(Copy, Clone, Debug, PartialEq)]
-enum Kind {
-    Server = 1,
-    Client = 2,
-}
-
-impl SpanConverter {
-    fn layer<S>(
-        kind: Kind,
-        sink: OpenCensusSink,
-        labels: impl Into<Labels>,
-    ) -> impl layer::Layer<S, Service = TraceContext<Option<Self>, S>> + Clone {
-        TraceContext::layer(sink.map(move |sink| Self {
-            kind,
-            sink,
-            labels: labels.into(),
-        }))
-    }
-
-    fn mk_span(&self, mut span: trace_context::Span) -> Result<oc::Span, IdLengthError> {
-        let mut attributes = HashMap::<String, oc::AttributeValue>::new();
-        for (k, v) in self.labels.iter() {
-            attributes.insert(
-                k.clone(),
-                oc::AttributeValue {
-                    value: Some(oc::attribute_value::Value::StringValue(truncatable(
-                        v.clone(),
-                    ))),
-                },
-            );
-        }
-        for (k, v) in span.labels.drain() {
-            attributes.insert(
-                k.to_string(),
-                oc::AttributeValue {
-                    value: Some(oc::attribute_value::Value::StringValue(truncatable(v))),
-                },
-            );
-        }
-        Ok(oc::Span {
-            trace_id: into_bytes(span.trace_id, 16)?,
-            span_id: into_bytes(span.span_id, 8)?,
-            tracestate: None,
-            parent_span_id: into_bytes(span.parent_id, 8)?,
-            name: Some(truncatable(span.span_name)),
-            kind: self.kind as i32,
-            start_time: Some(span.start.into()),
-            end_time: Some(span.end.into()),
-            attributes: Some(oc::span::Attributes {
-                attribute_map: attributes,
-                dropped_attributes_count: 0,
-            }),
-            stack_trace: None,
-            time_events: None,
-            links: None,
-            status: None, // TODO: this is gRPC status; we must read response trailers to populate this
-            resource: None,
-            same_process_as_parent_span: Some(self.kind == Kind::Client),
-            child_span_count: None,
-        })
-    }
+#[derive(Clone)]
+pub struct SpanConverter {
+    kind: SpanKind,
+    sink: SpanSink,
+    labels: SpanLabels,
 }

 impl trace_context::SpanSink for SpanConverter {
-    #[inline]
    fn is_enabled(&self) -> bool {
        true
    }

-    fn try_send(&mut self, span: trace_context::Span) -> Result<(), Error> {
-        let span = self.mk_span(span)?;
-        self.sink.try_send(span).map_err(Into::into)
-    }
-}
-
-fn into_bytes(id: trace_context::Id, size: usize) -> Result<Vec<u8>, IdLengthError> {
-    let bytes: Vec<u8> = id.into();
-    if bytes.len() == size {
-        Ok(bytes)
-    } else {
-        let actual_size = bytes.len();
-        Err(IdLengthError {
-            id: bytes,
-            expected_size: size,
-            actual_size,
-        })
-    }
-}
-
-fn truncatable(value: String) -> oc::TruncatableString {
-    oc::TruncatableString {
-        value,
-        truncated_byte_count: 0,
+    fn try_send(&mut self, span: Span) -> Result<(), Error> {
+        self.sink.try_send(ExportSpan {
+            span,
+            kind: self.kind,
+            labels: Arc::clone(&self.labels),
+        })?;
+        Ok(())
    }
 }
--- a/linkerd/app/core/src/lib.rs
+++ b/linkerd/app/core/src/lib.rs
@ -25,6 +25,7 @@ pub mod metrics;
 pub mod proxy;
 pub mod serve;
 pub mod svc;
+pub mod tls_info;
 pub mod transport;

 pub use self::build_info::{BuildInfo, BUILD_INFO};
@ -32,7 +33,6 @@ pub use drain;
 pub use ipnet::{IpNet, Ipv4Net, Ipv6Net};
 pub use linkerd_addr::{self as addr, Addr, AddrMatch, IpMatch, NameAddr, NameMatch};
 pub use linkerd_conditional::Conditional;
-pub use linkerd_detect as detect;
 pub use linkerd_dns;
 pub use linkerd_error::{cause_ref, is_caused_by, Error, Infallible, Recover, Result};
 pub use linkerd_exp_backoff as exp_backoff;
@ -40,6 +40,7 @@ pub use linkerd_http_metrics as http_metrics;
 pub use linkerd_idle_cache as idle_cache;
 pub use linkerd_io as io;
 pub use linkerd_opencensus as opencensus;
+pub use linkerd_opentelemetry as opentelemetry;
 pub use linkerd_service_profiles as profiles;
 pub use linkerd_stack_metrics as stack_metrics;
 pub use linkerd_stack_tracing as stack_tracing;
@ -65,7 +66,7 @@ pub struct ProxyRuntime {
    pub identity: identity::creds::Receiver,
    pub metrics: metrics::Proxy,
    pub tap: proxy::tap::Registry,
-    pub span_sink: http_tracing::OpenCensusSink,
+    pub span_sink: Option<http_tracing::SpanSink>,
    pub drain: drain::Watch,
 }

--- a/linkerd/app/core/src/metrics.rs
+++ b/linkerd/app/core/src/metrics.rs
@ -9,14 +9,13 @@
 pub use crate::transport::labels::{TargetAddr, TlsAccept};
 use crate::{
    classify::Class,
-    control, http_metrics, opencensus, profiles, stack_metrics,
-    svc::Param,
-    tls,
+    control, http_metrics, opencensus, opentelemetry, profiles, proxy, stack_metrics, svc, tls,
    transport::{self, labels::TlsConnect},
 };
 use linkerd_addr::Addr;
 pub use linkerd_metrics::*;
 use linkerd_proxy_server_policy as policy;
+use prometheus_client::encoding::{EncodeLabelSet, EncodeLabelValue};
 use std::{
    fmt::{self, Write},
    net::SocketAddr,
@ -39,6 +38,7 @@ pub struct Metrics {
    pub proxy: Proxy,
    pub control: ControlHttp,
    pub opencensus: opencensus::metrics::Registry,
+    pub opentelemetry: opentelemetry::metrics::Registry,
 }

 #[derive(Clone, Debug)]
@ -54,7 +54,7 @@ pub struct Proxy {
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct ControlLabels {
    addr: Addr,
-    server_id: tls::ConditionalClientTls,
+    server_id: tls::ConditionalClientTlsLabels,
 }

 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
@ -65,7 +65,7 @@ pub enum EndpointLabels {

 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct InboundEndpointLabels {
-    pub tls: tls::ConditionalServerTls,
+    pub tls: tls::ConditionalServerTlsLabels,
    pub authority: Option<http::uri::Authority>,
    pub target_addr: SocketAddr,
    pub policy: RouteAuthzLabels,
@ -73,7 +73,7 @@ pub struct InboundEndpointLabels {

 /// A label referencing an inbound `Server` (i.e. for policy).
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub struct ServerLabel(pub Arc<policy::Meta>);
+pub struct ServerLabel(pub Arc<policy::Meta>, pub u16);

 /// Labels referencing an inbound server and authorization.
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
@ -98,12 +98,35 @@ pub struct RouteAuthzLabels {

 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct OutboundEndpointLabels {
-    pub server_id: tls::ConditionalClientTls,
+    pub server_id: tls::ConditionalClientTlsLabels,
    pub authority: Option<http::uri::Authority>,
    pub labels: Option<String>,
+    pub zone_locality: OutboundZoneLocality,
    pub target_addr: SocketAddr,
 }

+#[derive(Debug, Copy, Clone, Default, Hash, Eq, PartialEq, EncodeLabelValue)]
+pub enum OutboundZoneLocality {
+    #[default]
+    Unknown,
+    Local,
+    Remote,
+}
+
+impl OutboundZoneLocality {
+    pub fn new(metadata: &proxy::api_resolve::Metadata) -> Self {
+        if let Some(is_zone_local) = metadata.is_zone_local() {
+            if is_zone_local {
+                OutboundZoneLocality::Local
+            } else {
+                OutboundZoneLocality::Remote
+            }
+        } else {
+            OutboundZoneLocality::Unknown
+        }
+    }
+}
+
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct StackLabels {
    pub direction: Direction,
@ -132,10 +155,10 @@ where
    I: Iterator<Item = (&'i String, &'i String)>,
 {
    let (k0, v0) = labels_iter.next()?;
-    let mut out = format!("{}_{}=\"{}\"", prefix, k0, v0);
+    let mut out = format!("{prefix}_{k0}=\"{v0}\"");

    for (k, v) in labels_iter {
-        write!(out, ",{}_{}=\"{}\"", prefix, k, v).expect("label concat must succeed");
+        write!(out, ",{prefix}_{k}=\"{v}\"").expect("label concat must succeed");
    }
    Some(out)
 }
@ -143,7 +166,7 @@ where
 // === impl Metrics ===

 impl Metrics {
-    pub fn new(retain_idle: Duration) -> (Self, impl FmtMetrics + Clone + Send + 'static) {
+    pub fn new(retain_idle: Duration) -> (Self, impl legacy::FmtMetrics + Clone + Send + 'static) {
        let (control, control_report) = {
            let m = http_metrics::Requests::<ControlLabels, Class>::default();
            let r = m.clone().into_report(retain_idle).with_prefix("control");
@ -191,13 +214,16 @@ impl Metrics {
        };

        let (opencensus, opencensus_report) = opencensus::metrics::new();
+        let (opentelemetry, opentelemetry_report) = opentelemetry::metrics::new();

        let metrics = Metrics {
            proxy,
            control,
            opencensus,
+            opentelemetry,
        };

+        use legacy::FmtMetrics as _;
        let report = endpoint_report
            .and_report(profile_route_report)
            .and_report(retry_report)
@ -205,6 +231,7 @@ impl Metrics {
            .and_report(control_report)
            .and_report(transport_report)
            .and_report(opencensus_report)
+            .and_report(opentelemetry_report)
            .and_report(stack);

        (metrics, report)
@ -213,19 +240,21 @@ impl Metrics {

 // === impl CtlLabels ===

-impl Param<ControlLabels> for control::ControlAddr {
+impl svc::Param<ControlLabels> for control::ControlAddr {
    fn param(&self) -> ControlLabels {
        ControlLabels {
            addr: self.addr.clone(),
-            server_id: self.identity.clone(),
+            server_id: self.identity.as_ref().map(tls::ClientTls::labels),
        }
    }
 }

-impl FmtLabels for ControlLabels {
+impl legacy::FmtLabels for ControlLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "addr=\"{}\",", self.addr)?;
-        TlsConnect::from(&self.server_id).fmt_labels(f)?;
+        let Self { addr, server_id } = self;
+
+        write!(f, "addr=\"{addr}\",")?;
+        TlsConnect::from(server_id).fmt_labels(f)?;

        Ok(())
    }
@ -253,13 +282,19 @@ impl ProfileRouteLabels {
    }
 }

-impl FmtLabels for ProfileRouteLabels {
+impl legacy::FmtLabels for ProfileRouteLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
-        write!(f, ",dst=\"{}\"", self.addr)?;
+        let Self {
+            direction,
+            addr,
+            labels,
+        } = self;

-        if let Some(labels) = self.labels.as_ref() {
-            write!(f, ",{}", labels)?;
+        direction.fmt_labels(f)?;
+        write!(f, ",dst=\"{addr}\"")?;
+
+        if let Some(labels) = labels.as_ref() {
+            write!(f, ",{labels}")?;
        }

        Ok(())
@ -280,7 +315,7 @@ impl From<OutboundEndpointLabels> for EndpointLabels {
    }
 }

-impl FmtLabels for EndpointLabels {
+impl legacy::FmtLabels for EndpointLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Inbound(i) => (Direction::In, i).fmt_labels(f),
@ -289,87 +324,130 @@ impl FmtLabels for EndpointLabels {
    }
 }

-impl FmtLabels for InboundEndpointLabels {
+impl legacy::FmtLabels for InboundEndpointLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        if let Some(a) = self.authority.as_ref() {
+        let Self {
+            tls,
+            authority,
+            target_addr,
+            policy,
+        } = self;
+
+        if let Some(a) = authority.as_ref() {
            Authority(a).fmt_labels(f)?;
            write!(f, ",")?;
        }

-        (
-            (TargetAddr(self.target_addr), TlsAccept::from(&self.tls)),
-            &self.policy,
-        )
-            .fmt_labels(f)?;
+        ((TargetAddr(*target_addr), TlsAccept::from(tls)), policy).fmt_labels(f)?;

        Ok(())
    }
 }

-impl FmtLabels for ServerLabel {
+impl legacy::FmtLabels for ServerLabel {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self(meta, port) = self;
        write!(
            f,
-            "srv_group=\"{}\",srv_kind=\"{}\",srv_name=\"{}\"",
-            self.0.group(),
-            self.0.kind(),
-            self.0.name()
+            "srv_group=\"{}\",srv_kind=\"{}\",srv_name=\"{}\",srv_port=\"{}\"",
+            meta.group(),
+            meta.kind(),
+            meta.name(),
+            port
        )
    }
 }

-impl FmtLabels for ServerAuthzLabels {
+impl EncodeLabelSet for ServerLabel {
+    fn encode(&self, mut enc: prometheus_client::encoding::LabelSetEncoder<'_>) -> fmt::Result {
+        prom::EncodeLabelSetMut::encode_label_set(self, &mut enc)
+    }
+}
+
+impl prom::EncodeLabelSetMut for ServerLabel {
+    fn encode_label_set(&self, enc: &mut prom::encoding::LabelSetEncoder<'_>) -> fmt::Result {
+        use prometheus_client::encoding::EncodeLabel;
+        ("srv_group", self.0.group()).encode(enc.encode_label())?;
+        ("srv_kind", self.0.kind()).encode(enc.encode_label())?;
+        ("srv_name", self.0.name()).encode(enc.encode_label())?;
+        ("srv_port", self.1).encode(enc.encode_label())?;
+        Ok(())
+    }
+}
+
+impl legacy::FmtLabels for ServerAuthzLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.server.fmt_labels(f)?;
+        let Self { server, authz } = self;
+
+        server.fmt_labels(f)?;
        write!(
            f,
            ",authz_group=\"{}\",authz_kind=\"{}\",authz_name=\"{}\"",
-            self.authz.group(),
-            self.authz.kind(),
-            self.authz.name()
+            authz.group(),
+            authz.kind(),
+            authz.name()
        )
    }
 }

-impl FmtLabels for RouteLabels {
+impl legacy::FmtLabels for RouteLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.server.fmt_labels(f)?;
+        let Self { server, route } = self;
+
+        server.fmt_labels(f)?;
        write!(
            f,
            ",route_group=\"{}\",route_kind=\"{}\",route_name=\"{}\"",
-            self.route.group(),
-            self.route.kind(),
-            self.route.name(),
+            route.group(),
+            route.kind(),
+            route.name(),
        )
    }
 }

-impl FmtLabels for RouteAuthzLabels {
+impl legacy::FmtLabels for RouteAuthzLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.route.fmt_labels(f)?;
+        let Self { route, authz } = self;
+
+        route.fmt_labels(f)?;
        write!(
            f,
            ",authz_group=\"{}\",authz_kind=\"{}\",authz_name=\"{}\"",
-            self.authz.group(),
-            self.authz.kind(),
-            self.authz.name(),
+            authz.group(),
+            authz.kind(),
+            authz.name(),
        )
    }
 }

-impl FmtLabels for OutboundEndpointLabels {
+impl svc::Param<OutboundZoneLocality> for OutboundEndpointLabels {
+    fn param(&self) -> OutboundZoneLocality {
+        self.zone_locality
+    }
+}
+
+impl legacy::FmtLabels for OutboundEndpointLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        if let Some(a) = self.authority.as_ref() {
+        let Self {
+            server_id,
+            authority,
+            labels,
+            // TODO(kate): this label is not currently emitted.
+            zone_locality: _,
+            target_addr,
+        } = self;
+
+        if let Some(a) = authority.as_ref() {
            Authority(a).fmt_labels(f)?;
            write!(f, ",")?;
        }

-        let ta = TargetAddr(self.target_addr);
-        let tls = TlsConnect::from(&self.server_id);
+        let ta = TargetAddr(*target_addr);
+        let tls = TlsConnect::from(server_id);
        (ta, tls).fmt_labels(f)?;

-        if let Some(labels) = self.labels.as_ref() {
-            write!(f, ",{}", labels)?;
+        if let Some(labels) = labels.as_ref() {
+            write!(f, ",{labels}")?;
        }

        Ok(())
@ -385,19 +463,20 @@ impl fmt::Display for Direction {
    }
 }

-impl FmtLabels for Direction {
+impl legacy::FmtLabels for Direction {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "direction=\"{}\"", self)
+        write!(f, "direction=\"{self}\"")
    }
 }

-impl<'a> FmtLabels for Authority<'a> {
+impl legacy::FmtLabels for Authority<'_> {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "authority=\"{}\"", self.0)
+        let Self(authority) = self;
+        write!(f, "authority=\"{authority}\"")
    }
 }

-impl FmtLabels for Class {
+impl legacy::FmtLabels for Class {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let class = |ok: bool| if ok { "success" } else { "failure" };

@ -419,8 +498,7 @@ impl FmtLabels for Class {

            Class::Error(msg) => write!(
                f,
-                "classification=\"failure\",grpc_status=\"\",error=\"{}\"",
-                msg
+                "classification=\"failure\",grpc_status=\"\",error=\"{msg}\""
            ),
        }
    }
@ -446,9 +524,15 @@ impl StackLabels {
    }
 }

-impl FmtLabels for StackLabels {
+impl legacy::FmtLabels for StackLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
-        write!(f, ",protocol=\"{}\",name=\"{}\"", self.protocol, self.name)
+        let Self {
+            direction,
+            protocol,
+            name,
+        } = self;
+
+        direction.fmt_labels(f)?;
+        write!(f, ",protocol=\"{protocol}\",name=\"{name}\"")
    }
 }
--- a/linkerd/app/core/src/tls_info.rs
+++ b/linkerd/app/core/src/tls_info.rs
@ -0,0 +1,70 @@
+use linkerd_metrics::prom;
+use prometheus_client::encoding::{EncodeLabelSet, EncodeLabelValue, LabelValueEncoder};
+use std::{
+    fmt::{Error, Write},
+    sync::{Arc, OnceLock},
+};
+
+static TLS_INFO: OnceLock<Arc<TlsInfo>> = OnceLock::new();
+
+#[derive(Clone, Debug, Default, Hash, PartialEq, Eq, EncodeLabelSet)]
+pub struct TlsInfo {
+    tls_suites: MetricValueList,
+    tls_kx_groups: MetricValueList,
+    tls_rand: String,
+    tls_key_provider: String,
+    tls_fips: bool,
+}
+
+#[derive(Clone, Debug, Default, Hash, PartialEq, Eq)]
+struct MetricValueList {
+    values: Vec<&'static str>,
+}
+
+impl FromIterator<&'static str> for MetricValueList {
+    fn from_iter<T: IntoIterator<Item = &'static str>>(iter: T) -> Self {
+        MetricValueList {
+            values: iter.into_iter().collect(),
+        }
+    }
+}
+
+impl EncodeLabelValue for MetricValueList {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), Error> {
+        for value in &self.values {
+            value.encode(encoder)?;
+            encoder.write_char(',')?;
+        }
+        Ok(())
+    }
+}
+
+pub fn metric() -> prom::Family<TlsInfo, prom::ConstGauge> {
+    let fam = prom::Family::<TlsInfo, prom::ConstGauge>::new_with_constructor(|| {
+        prom::ConstGauge::new(1)
+    });
+
+    let tls_info = TLS_INFO.get_or_init(|| {
+        let provider = linkerd_rustls::get_default_provider();
+
+        let tls_suites = provider
+            .cipher_suites
+            .iter()
+            .flat_map(|cipher_suite| cipher_suite.suite().as_str())
+            .collect::<MetricValueList>();
+        let tls_kx_groups = provider
+            .kx_groups
+            .iter()
+            .flat_map(|suite| suite.name().as_str())
+            .collect::<MetricValueList>();
+        Arc::new(TlsInfo {
+            tls_suites,
+            tls_kx_groups,
+            tls_rand: format!("{:?}", provider.secure_random),
+            tls_key_provider: format!("{:?}", provider.key_provider),
+            tls_fips: provider.fips(),
+        })
+    });
+    let _ = fam.get_or_create(tls_info);
+    fam
+}
--- a/linkerd/app/core/src/transport/labels.rs
+++ b/linkerd/app/core/src/transport/labels.rs
@ -1,7 +1,7 @@
 use crate::metrics::ServerLabel as PolicyServerLabel;
 pub use crate::metrics::{Direction, OutboundEndpointLabels};
 use linkerd_conditional::Conditional;
-use linkerd_metrics::FmtLabels;
+use linkerd_metrics::legacy::FmtLabels;
 use linkerd_tls as tls;
 use std::{fmt, net::SocketAddr};

@ -20,16 +20,16 @@ pub enum Key {
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
 pub struct ServerLabels {
    direction: Direction,
-    tls: tls::ConditionalServerTls,
+    tls: tls::ConditionalServerTlsLabels,
    target_addr: SocketAddr,
    policy: Option<PolicyServerLabel>,
 }

 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub struct TlsAccept<'t>(pub &'t tls::ConditionalServerTls);
+pub struct TlsAccept<'t>(pub &'t tls::ConditionalServerTlsLabels);

 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub(crate) struct TlsConnect<'t>(&'t tls::ConditionalClientTls);
+pub(crate) struct TlsConnect<'t>(pub &'t tls::ConditionalClientTlsLabels);

 #[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
 pub struct TargetAddr(pub SocketAddr);
@ -38,7 +38,7 @@ pub struct TargetAddr(pub SocketAddr);

 impl Key {
    pub fn inbound_server(
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
        target_addr: SocketAddr,
        server: PolicyServerLabel,
    ) -> Self {
@ -62,7 +62,7 @@ impl FmtLabels for Key {
            }

            Self::InboundClient => {
-                const NO_TLS: tls::client::ConditionalClientTls =
+                const NO_TLS: tls::client::ConditionalClientTlsLabels =
                    Conditional::None(tls::NoClientTls::Loopback);

                Direction::In.fmt_labels(f)?;
@ -75,7 +75,7 @@ impl FmtLabels for Key {

 impl ServerLabels {
    fn inbound(
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
        target_addr: SocketAddr,
        policy: PolicyServerLabel,
    ) -> Self {
@ -90,7 +90,7 @@ impl ServerLabels {
    fn outbound(target_addr: SocketAddr) -> Self {
        ServerLabels {
            direction: Direction::Out,
-            tls: tls::ConditionalServerTls::None(tls::NoServerTls::Loopback),
+            tls: tls::ConditionalServerTlsLabels::None(tls::NoServerTls::Loopback),
            target_addr,
            policy: None,
        }
@ -99,14 +99,17 @@ impl ServerLabels {

 impl FmtLabels for ServerLabels {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
+        let Self {
+            direction,
+            tls,
+            target_addr,
+            policy,
+        } = self;
+
+        direction.fmt_labels(f)?;
        f.write_str(",peer=\"src\",")?;

-        (
-            (TargetAddr(self.target_addr), TlsAccept(&self.tls)),
-            self.policy.as_ref(),
-        )
-            .fmt_labels(f)?;
+        ((TargetAddr(*target_addr), TlsAccept(tls)), policy.as_ref()).fmt_labels(f)?;

        Ok(())
    }
@ -114,27 +117,28 @@ impl FmtLabels for ServerLabels {

 // === impl TlsAccept ===

-impl<'t> From<&'t tls::ConditionalServerTls> for TlsAccept<'t> {
-    fn from(c: &'t tls::ConditionalServerTls) -> Self {
+impl<'t> From<&'t tls::ConditionalServerTlsLabels> for TlsAccept<'t> {
+    fn from(c: &'t tls::ConditionalServerTlsLabels) -> Self {
        TlsAccept(c)
    }
 }

-impl<'t> FmtLabels for TlsAccept<'t> {
+impl FmtLabels for TlsAccept<'_> {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self.0 {
+        let Self(tls) = self;
+        match tls {
            Conditional::None(tls::NoServerTls::Disabled) => {
                write!(f, "tls=\"disabled\"")
            }
            Conditional::None(why) => {
-                write!(f, "tls=\"no_identity\",no_tls_reason=\"{}\"", why)
+                write!(f, "tls=\"no_identity\",no_tls_reason=\"{why}\"")
            }
-            Conditional::Some(tls::ServerTls::Established { client_id, .. }) => match client_id {
-                Some(id) => write!(f, "tls=\"true\",client_id=\"{}\"", id),
+            Conditional::Some(tls::ServerTlsLabels::Established { client_id }) => match client_id {
+                Some(id) => write!(f, "tls=\"true\",client_id=\"{id}\""),
                None => write!(f, "tls=\"true\",client_id=\"\""),
            },
-            Conditional::Some(tls::ServerTls::Passthru { sni }) => {
-                write!(f, "tls=\"opaque\",sni=\"{}\"", sni)
+            Conditional::Some(tls::ServerTlsLabels::Passthru { sni }) => {
+                write!(f, "tls=\"opaque\",sni=\"{sni}\"")
            }
        }
    }
@ -142,23 +146,25 @@ impl<'t> FmtLabels for TlsAccept<'t> {

 // === impl TlsConnect ===

-impl<'t> From<&'t tls::ConditionalClientTls> for TlsConnect<'t> {
-    fn from(s: &'t tls::ConditionalClientTls) -> Self {
+impl<'t> From<&'t tls::ConditionalClientTlsLabels> for TlsConnect<'t> {
+    fn from(s: &'t tls::ConditionalClientTlsLabels) -> Self {
        TlsConnect(s)
    }
 }

-impl<'t> FmtLabels for TlsConnect<'t> {
+impl FmtLabels for TlsConnect<'_> {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self.0 {
+        let Self(tls) = self;
+
+        match tls {
            Conditional::None(tls::NoClientTls::Disabled) => {
                write!(f, "tls=\"disabled\"")
            }
            Conditional::None(why) => {
-                write!(f, "tls=\"no_identity\",no_tls_reason=\"{}\"", why)
+                write!(f, "tls=\"no_identity\",no_tls_reason=\"{why}\"")
            }
-            Conditional::Some(tls::ClientTls { server_id, .. }) => {
-                write!(f, "tls=\"true\",server_id=\"{}\"", server_id)
+            Conditional::Some(tls::ClientTlsLabels { server_id }) => {
+                write!(f, "tls=\"true\",server_id=\"{server_id}\"")
            }
        }
    }
@ -168,12 +174,13 @@ impl<'t> FmtLabels for TlsConnect<'t> {

 impl FmtLabels for TargetAddr {
    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self(target_addr) = self;
        write!(
            f,
            "target_addr=\"{}\",target_ip=\"{}\",target_port=\"{}\"",
-            self.0,
-            self.0.ip(),
-            self.0.port()
+            target_addr,
+            target_addr.ip(),
+            target_addr.port()
        )
    }
 }
@ -194,23 +201,25 @@ mod tests {
        use std::sync::Arc;

        let labels = ServerLabels::inbound(
-            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
+            tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
                client_id: Some("foo.id.example.com".parse().unwrap()),
-                negotiated_protocol: None,
            }),
            ([192, 0, 2, 4], 40000).into(),
-            PolicyServerLabel(Arc::new(Meta::Resource {
-                group: "policy.linkerd.io".into(),
-                kind: "server".into(),
-                name: "testserver".into(),
-            })),
+            PolicyServerLabel(
+                Arc::new(Meta::Resource {
+                    group: "policy.linkerd.io".into(),
+                    kind: "server".into(),
+                    name: "testserver".into(),
+                }),
+                40000,
+            ),
        );
        assert_eq!(
            labels.to_string(),
            "direction=\"inbound\",peer=\"src\",\
            target_addr=\"192.0.2.4:40000\",target_ip=\"192.0.2.4\",target_port=\"40000\",\
            tls=\"true\",client_id=\"foo.id.example.com\",\
-            srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testserver\""
+            srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testserver\",srv_port=\"40000\""
        );
    }
 }
--- a/linkerd/app/gateway/Cargo.toml
+++ b/linkerd/app/gateway/Cargo.toml
@ -1,24 +1,24 @@
 [package]
 name = "linkerd-app-gateway"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }

 [dependencies]
-http = "0.2"
+http = { workspace = true }
 futures = { version = "0.3", default-features = false }
 linkerd-app-core = { path = "../core" }
 linkerd-app-inbound = { path = "../inbound" }
 linkerd-app-outbound = { path = "../outbound" }
 linkerd-proxy-client-policy = { path = "../../proxy/client-policy" }
 once_cell = "1"
-thiserror = "1"
+thiserror = "2"
 tokio = { version = "1", features = ["sync"] }
-tonic = { version = "0.10", default-features = false }
-tower = { version = "0.4", default-features = false }
-tracing = "0.1"
+tonic = { workspace = true, default-features = false }
+tower = { workspace = true, default-features = false }
+tracing = { workspace = true }

 [dev-dependencies]
 linkerd-app-inbound = { path = "../inbound", features = ["test-util"] }
@ -26,6 +26,6 @@ linkerd-app-outbound = { path = "../outbound", features = ["test-util"] }
 linkerd-proxy-server-policy = { path = "../../proxy/server-policy" }
 tokio = { version = "1", features = ["rt", "macros"] }
 tokio-test = "0.4"
-tower = { version = "0.4", default-features = false, features = ["util"] }
-tower-test = "0.4"
+tower = { workspace = true, default-features = false, features = ["util"] }
+tower-test = { workspace = true }
 linkerd-app-test = { path = "../test" }
--- a/linkerd/app/gateway/src/discover.rs
+++ b/linkerd/app/gateway/src/discover.rs
@ -90,7 +90,7 @@ impl Gateway {
                                detect_timeout,
                                queue,
                                addr,
-                                meta,
+                                meta.into(),
                            ),
                            None => {
                                tracing::debug!(
--- a/linkerd/app/gateway/src/http.rs
+++ b/linkerd/app/gateway/src/http.rs
@ -28,7 +28,7 @@ pub(crate) use self::gateway::NewHttpGateway;
 pub struct Target<T = ()> {
    addr: GatewayAddr,
    routes: watch::Receiver<outbound::http::Routes>,
-    version: http::Version,
+    version: http::Variant,
    parent: T,
 }

@ -74,7 +74,7 @@ impl Gateway {
        T: svc::Param<tls::ClientId>,
        T: svc::Param<inbound::policy::AllowPolicy>,
        T: svc::Param<Option<watch::Receiver<profiles::Profile>>>,
-        T: svc::Param<http::Version>,
+        T: svc::Param<http::Variant>,
        T: svc::Param<http::normalize_uri::DefaultAuthority>,
        T: Clone + Send + Sync + Unpin + 'static,
        // Endpoint resolution.
@ -153,7 +153,7 @@ fn mk_routes(profile: &profiles::Profile) -> Option<outbound::http::Routes> {
    if let Some((addr, metadata)) = profile.endpoint.clone() {
        return Some(outbound::http::Routes::Endpoint(
            Remote(ServerAddr(addr)),
-            metadata,
+            metadata.into(),
        ));
    }

@ -164,7 +164,7 @@ fn mk_routes(profile: &profiles::Profile) -> Option<outbound::http::Routes> {

 impl<B, T: Clone> svc::router::SelectRoute<http::Request<B>> for ByRequestVersion<T> {
    type Key = Target<T>;
-    type Error = http::version::Unsupported;
+    type Error = http::UnsupportedVariant;

    fn select(&self, req: &http::Request<B>) -> Result<Self::Key, Self::Error> {
        let mut t = self.0.clone();
@ -192,8 +192,8 @@ impl<T> svc::Param<GatewayAddr> for Target<T> {
    }
 }

-impl<T> svc::Param<http::Version> for Target<T> {
-    fn param(&self) -> http::Version {
+impl<T> svc::Param<http::Variant> for Target<T> {
+    fn param(&self) -> http::Variant {
        self.version
    }
 }
--- a/linkerd/app/gateway/src/http/gateway.rs
+++ b/linkerd/app/gateway/src/http/gateway.rs
@ -66,7 +66,7 @@ where

 impl<B, S> tower::Service<http::Request<B>> for HttpGateway<S>
 where
-    B: http::HttpBody + 'static,
+    B: http::Body + 'static,
    S: tower::Service<http::Request<B>, Response = http::Response<http::BoxBody>>,
    S::Error: Into<Error> + 'static,
    S::Future: Send + 'static,
--- a/linkerd/app/gateway/src/http/tests.rs
+++ b/linkerd/app/gateway/src/http/tests.rs
@ -62,7 +62,7 @@ async fn upgraded_request_remains_relative_form() {

    impl svc::Param<ServerLabel> for Target {
        fn param(&self) -> ServerLabel {
-            ServerLabel(policy::Meta::new_default("test"))
+            ServerLabel(policy::Meta::new_default("test"), 4143)
        }
    }

@ -98,9 +98,9 @@ async fn upgraded_request_remains_relative_form() {
        }
    }

-    impl svc::Param<http::Version> for Target {
-        fn param(&self) -> http::Version {
-            http::Version::H2
+    impl svc::Param<http::Variant> for Target {
+        fn param(&self) -> http::Variant {
+            http::Variant::H2
        }
    }

@ -129,6 +129,7 @@ async fn upgraded_request_remains_relative_form() {
                        }),
                    }]))]),
                },
+                local_rate_limit: Arc::new(Default::default()),
            };
            let (policy, tx) = inbound::policy::AllowPolicy::for_test(self.param(), policy);
            tokio::spawn(async move {
--- a/linkerd/app/gateway/src/opaq.rs
+++ b/linkerd/app/gateway/src/opaq.rs
@ -1,10 +1,15 @@
 use super::{server::Opaq, Gateway};
 use inbound::{GatewayAddr, GatewayDomainInvalid};
-use linkerd_app_core::{io, profiles, svc, tls, transport::addrs::*, Error};
+use linkerd_app_core::{io, svc, tls, transport::addrs::*, Error};
 use linkerd_app_inbound as inbound;
 use linkerd_app_outbound as outbound;
+use tokio::sync::watch;

-pub type Target = outbound::opaq::Logical;
+#[derive(Clone, Debug)]
+pub struct Target {
+    addr: GatewayAddr,
+    routes: watch::Receiver<outbound::opaq::Routes>,
+}

 impl Gateway {
    /// Wrap the provided outbound opaque stack with inbound authorization and
@ -33,18 +38,7 @@ impl Gateway {
            .push_filter(
                |(_, opaq): (_, Opaq<T>)| -> Result<_, GatewayDomainInvalid> {
                    // Fail connections were not resolved.
-                    let profile = svc::Param::<Option<profiles::Receiver>>::param(&*opaq)
-                        .ok_or(GatewayDomainInvalid)?;
-                    if let Some(profiles::LogicalAddr(addr)) = profile.logical_addr() {
-                        Ok(outbound::opaq::Logical::Route(addr, profile))
-                    } else if let Some((addr, metadata)) = profile.endpoint() {
-                        Ok(outbound::opaq::Logical::Forward(
-                            Remote(ServerAddr(addr)),
-                            metadata,
-                        ))
-                    } else {
-                        Err(GatewayDomainInvalid)
-                    }
+                    Target::try_from(opaq)
                },
            )
            // Authorize connections to the gateway.
@ -52,3 +46,47 @@ impl Gateway {
            .arc_new_tcp()
    }
 }
+
+impl<T> TryFrom<Opaq<T>> for Target
+where
+    T: svc::Param<GatewayAddr>,
+{
+    type Error = GatewayDomainInvalid;
+
+    fn try_from(opaq: Opaq<T>) -> Result<Self, Self::Error> {
+        use svc::Param;
+
+        let addr: GatewayAddr = (**opaq).param();
+        let Some(profile) = (*opaq).param() else {
+            // The gateway address must be resolvable via the profile API.
+            return Err(GatewayDomainInvalid);
+        };
+        let routes = outbound::opaq::routes_from_discovery(
+            addr.0.clone().into(),
+            Some(profile),
+            (*opaq).param(),
+        );
+
+        Ok(Target { addr, routes })
+    }
+}
+
+impl svc::Param<watch::Receiver<outbound::opaq::Routes>> for Target {
+    fn param(&self) -> watch::Receiver<outbound::opaq::Routes> {
+        self.routes.clone()
+    }
+}
+
+impl PartialEq for Target {
+    fn eq(&self, other: &Self) -> bool {
+        self.addr == other.addr
+    }
+}
+
+impl Eq for Target {}
+
+impl std::hash::Hash for Target {
+    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
+        self.addr.hash(state);
+    }
+}
--- a/linkerd/app/gateway/src/server.rs
+++ b/linkerd/app/gateway/src/server.rs
@ -11,7 +11,7 @@ use tokio::sync::watch;
 /// Target for HTTP stacks.
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Http<T> {
-    version: http::Version,
+    version: http::Variant,
    parent: outbound::Discovery<T>,
 }

@ -61,13 +61,13 @@ impl Gateway {
                |parent: outbound::Discovery<T>| -> Result<_, GatewayDomainInvalid> {
                    if let Some(proto) = (*parent).param() {
                        let version = match proto {
-                            SessionProtocol::Http1 => http::Version::Http1,
-                            SessionProtocol::Http2 => http::Version::H2,
+                            SessionProtocol::Http1 => http::Variant::Http1,
+                            SessionProtocol::Http2 => http::Variant::H2,
                        };
-                        return Ok(svc::Either::A(Http { parent, version }));
+                        return Ok(svc::Either::Left(Http { parent, version }));
                    }

-                    Ok(svc::Either::B(Opaq(parent)))
+                    Ok(svc::Either::Right(Opaq(parent)))
                },
                opaq,
            )
@ -154,8 +154,8 @@ impl<T> std::ops::Deref for Http<T> {
    }
 }

-impl<T> svc::Param<http::Version> for Http<T> {
-    fn param(&self) -> http::Version {
+impl<T> svc::Param<http::Variant> for Http<T> {
+    fn param(&self) -> http::Variant {
        self.version
    }
 }
--- a/linkerd/app/inbound/Cargo.toml
+++ b/linkerd/app/inbound/Cargo.toml
@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-inbound"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Configures and runs the inbound proxy
 """
@ -13,53 +13,62 @@ Configures and runs the inbound proxy
 test-util = [
    "linkerd-app-test",
    "linkerd-idle-cache/test-util",
-    "linkerd-meshtls/rustls",
-    "linkerd-meshtls-rustls/test-util",
+    "linkerd-meshtls/test-util",
 ]

 [dependencies]
-bytes = "1"
-http = "0.2"
+bytes = { workspace = true }
+http = { workspace = true }
 futures = { version = "0.3", default-features = false }
 linkerd-app-core = { path = "../core" }
 linkerd-app-test = { path = "../test", optional = true }
 linkerd-http-access-log = { path = "../../http/access-log" }
 linkerd-idle-cache = { path = "../../idle-cache" }
-linkerd-meshtls = { path = "../../meshtls", optional = true }
-linkerd-meshtls-rustls = { path = "../../meshtls/rustls", optional = true }
+linkerd-meshtls = { path = "../../meshtls", optional = true, default-features = false }
 linkerd-proxy-client-policy = { path = "../../proxy/client-policy" }
 linkerd-tonic-stream = { path = "../../tonic-stream" }
 linkerd-tonic-watch = { path = "../../tonic-watch" }
-linkerd2-proxy-api = { version = "0.13", features = ["inbound"] }
+linkerd2-proxy-api = { workspace = true, features = ["inbound"] }
 once_cell = "1"
 parking_lot = "0.12"
 rangemap = "1"
-thiserror = "1"
+thiserror = "2"
 tokio = { version = "1", features = ["sync"] }
-tonic = { version = "0.10", default-features = false }
-tower = { version = "0.4", features = ["util"] }
-tracing = "0.1"
+tonic = { workspace = true, default-features = false }
+tower = { workspace = true, features = ["util"] }
+tracing = { workspace = true }

 [dependencies.linkerd-proxy-server-policy]
 path = "../../proxy/server-policy"
 features = ["proto"]

 [target.'cfg(fuzzing)'.dependencies]
-hyper = { version = "0.14", features = ["http1", "http2"] }
+hyper = { workspace = true, features = ["http1", "http2"] }
 linkerd-app-test = { path = "../test" }
 arbitrary = { version = "1", features = ["derive"] }
 libfuzzer-sys = { version = "0.4", features = ["arbitrary-derive"] }
+linkerd-meshtls = { path = "../../meshtls", features = [
+    "test-util",
+] }

 [dev-dependencies]
-hyper = { version = "0.14", features = ["http1", "http2"] }
+http-body-util = { workspace = true }
+hyper = { workspace = true, features = ["http1", "http2"] }
+hyper-util = { workspace = true }
 linkerd-app-test = { path = "../test" }
 linkerd-http-metrics = { path = "../../http/metrics", features = ["test-util"] }
+linkerd-http-box = { path = "../../http/box" }
 linkerd-idle-cache = { path = "../../idle-cache", features = ["test-util"] }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-meshtls = { path = "../../meshtls", features = ["rustls"] }
-linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = [
+linkerd-meshtls = { path = "../../meshtls", features = [
+    "test-util",
+] }
+linkerd-proxy-server-policy = { path = "../../proxy/server-policy", features = [
    "test-util",
 ] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full", "macros"] }
 tokio-test = "0.4"
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }
--- a/linkerd/app/inbound/fuzz/Cargo.toml
+++ b/linkerd/app/inbound/fuzz/Cargo.toml
@ -1,30 +1,29 @@
-
 [package]
 name = "linkerd-app-inbound-fuzz"
-version = "0.0.0"
+version = { workspace = true }
 authors = ["Automatically generated"]
-publish = false
-edition = "2021"
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }

 [package.metadata]
 cargo-fuzz = true

 [target.'cfg(fuzzing)'.dependencies]
 arbitrary = { version = "1", features = ["derive"] }
-hyper = { version = "0.14", features = ["http1", "http2"] }
-http = "0.2"
+hyper = { version = "0.14", features = ["deprecated", "http1", "http2"] }
+http = { workspace = true }
 libfuzzer-sys = { version = "0.4", features = ["arbitrary-derive"] }
 linkerd-app-core = { path = "../../core" }
 linkerd-app-inbound = { path = ".." }
 linkerd-app-test = { path = "../../test" }
 linkerd-idle-cache = { path = "../../../idle-cache", features = ["test-util"] }
-linkerd-meshtls = { path = "../../../meshtls", features = ["rustls"] }
-linkerd-meshtls-rustls = { path = "../../../meshtls/rustls", features = [
+linkerd-meshtls = { path = "../../../meshtls", features = [
    "test-util",
 ] }
 linkerd-tracing = { path = "../../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full"] }
-tracing = "0.1"
+tracing = { workspace = true }

 # Prevent this from interfering with workspaces
 [workspace]
--- a/linkerd/app/inbound/src/accept.rs
+++ b/linkerd/app/inbound/src/accept.rs
@ -53,12 +53,12 @@ impl<N> Inbound<N> {
                    move |t: T| -> Result<_, Error> {
                        let addr: OrigDstAddr = t.param();
                        if addr.port() == proxy_port {
-                            return Ok(svc::Either::B(t));
+                            return Ok(svc::Either::Right(t));
                        }

                        let policy = policies.get_policy(addr);
                        tracing::debug!(policy = ?&*policy.borrow(), "Accepted");
-                        Ok(svc::Either::A(Accept {
+                        Ok(svc::Either::Left(Accept {
                            client_addr: t.param(),
                            orig_dst_addr: addr,
                            policy,
@ -138,6 +138,7 @@ mod tests {
                    kind: "server".into(),
                    name: "testsrv".into(),
                }),
+                local_rate_limit: Default::default(),
            },
            None,
        );
@ -181,7 +182,11 @@ mod tests {
    }

    fn inbound() -> Inbound<()> {
-        Inbound::new(test_util::default_config(), test_util::runtime().0)
+        Inbound::new(
+            test_util::default_config(),
+            test_util::runtime().0,
+            &mut Default::default(),
+        )
    }

    fn new_panic<T>(msg: &'static str) -> svc::ArcNewTcp<T, io::DuplexStream> {
--- a/linkerd/app/inbound/src/detect.rs
+++ b/linkerd/app/inbound/src/detect.rs
@ -3,8 +3,8 @@ use crate::{
    Inbound,
 };
 use linkerd_app_core::{
-    detect, identity, io,
-    metrics::ServerLabel,
+    identity, io,
+    metrics::{prom, ServerLabel},
    proxy::http,
    svc, tls,
    transport::{
@ -20,6 +20,10 @@ use tracing::info;
 #[cfg(test)]
 mod tests;

+#[derive(Clone, Debug)]
+pub struct MetricsFamilies(pub HttpDetectMetrics);
+pub type HttpDetectMetrics = http::DetectMetricsFamilies<ServerLabel>;
+
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub(crate) struct Forward {
    client_addr: Remote<ClientAddr>,
@ -31,7 +35,7 @@ pub(crate) struct Forward {
 #[derive(Clone, Debug)]
 pub(crate) struct Http {
    tls: Tls,
-    http: http::Version,
+    http: http::Variant,
 }

 #[derive(Clone, Debug)]
@ -48,9 +52,6 @@ struct Detect {
    tls: Tls,
 }

-#[derive(Copy, Clone, Debug)]
-struct ConfigureHttpDetect;
-
 #[derive(Clone)]
 struct TlsParams {
    timeout: tls::server::Timeout,
@ -64,7 +65,11 @@ type TlsIo<I> = tls::server::Io<identity::ServerIo<tls::server::DetectIo<I>>, I>
 impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
    /// Builds a stack that terminates mesh TLS and detects whether the traffic is HTTP (as hinted
    /// by policy).
-    pub(crate) fn push_detect<T, I, F, FSvc>(self, forward: F) -> Inbound<svc::ArcNewTcp<T, I>>
+    pub(crate) fn push_detect<T, I, F, FSvc>(
+        self,
+        MetricsFamilies(metrics): MetricsFamilies,
+        forward: F,
+    ) -> Inbound<svc::ArcNewTcp<T, I>>
    where
        T: svc::Param<OrigDstAddr> + svc::Param<Remote<ClientAddr>> + svc::Param<AllowPolicy>,
        T: Clone + Send + 'static,
@ -75,14 +80,18 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
        FSvc::Error: Into<Error>,
        FSvc::Future: Send,
    {
-        self.push_detect_http(forward.clone())
+        self.push_detect_http(metrics, forward.clone())
            .push_detect_tls(forward)
    }

    /// Builds a stack that handles HTTP detection once TLS detection has been performed. If the
    /// connection is determined to be HTTP, the inner stack is used; otherwise the connection is
    /// passed to the provided 'forward' stack.
-    fn push_detect_http<I, F, FSvc>(self, forward: F) -> Inbound<svc::ArcNewTcp<Tls, I>>
+    fn push_detect_http<I, F, FSvc>(
+        self,
+        metrics: HttpDetectMetrics,
+        forward: F,
+    ) -> Inbound<svc::ArcNewTcp<Tls, I>>
    where
        I: io::AsyncRead + io::AsyncWrite + io::PeerAddr,
        I: Debug + Send + Sync + Unpin + 'static,
@ -111,42 +120,59 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
                .push_switch(
                    |(detected, Detect { tls, .. })| -> Result<_, Infallible> {
                        match detected {
-                            Ok(Some(http)) => Ok(svc::Either::A(Http { http, tls })),
-                            Ok(None) => Ok(svc::Either::B(tls)),
+                            http::Detection::Http(http) => {
+                                Ok(svc::Either::Left(Http { http, tls }))
+                            }
+                            http::Detection::NotHttp => Ok(svc::Either::Right(tls)),
                            // When HTTP detection fails, forward the connection to the application as
                            // an opaque TCP stream.
-                            Err(timeout) => match tls.policy.protocol() {
-                                Protocol::Http1 { .. } => {
-                                    // If the protocol was hinted to be HTTP/1.1 but detection
-                                    // failed, we'll usually be handling HTTP/1, but we may actually
-                                    // be handling HTTP/2 via protocol upgrade. Our options are:
-                                    // handle the connection as HTTP/1, assuming it will be rare for
-                                    // a proxy to initiate TLS, etc and not send the 16B of
-                                    // connection header; or we can handle it as opaque--but there's
-                                    // no chance the server will be able to handle the H2 protocol
-                                    // upgrade. So, it seems best to assume it's HTTP/1 and let the
-                                    // proxy handle the protocol error if we're in an edge case.
-                                    info!(%timeout, "Handling connection as HTTP/1 due to policy");
-                                    Ok(svc::Either::A(Http {
-                                        http: http::Version::Http1,
-                                        tls,
-                                    }))
+                            http::Detection::ReadTimeout(timeout) => {
+                                match tls.policy.protocol() {
+                                    Protocol::Http1 { .. } => {
+                                        // If the protocol was hinted to be HTTP/1.1 but detection
+                                        // failed, we'll usually be handling HTTP/1, but we may actually
+                                        // be handling HTTP/2 via protocol upgrade. Our options are:
+                                        // handle the connection as HTTP/1, assuming it will be rare for
+                                        // a proxy to initiate TLS, etc and not send the 16B of
+                                        // connection header; or we can handle it as opaque--but there's
+                                        // no chance the server will be able to handle the H2 protocol
+                                        // upgrade. So, it seems best to assume it's HTTP/1 and let the
+                                        // proxy handle the protocol error if we're in an edge case.
+                                        info!(
+                                            ?timeout,
+                                            "Handling connection as HTTP/1 due to policy"
+                                        );
+                                        Ok(svc::Either::Left(Http {
+                                            http: http::Variant::Http1,
+                                            tls,
+                                        }))
+                                    }
+                                    // Otherwise, the protocol hint must have
+                                    // been `Detect` or the protocol was updated
+                                    // after detection was initiated, otherwise
+                                    // we would have avoided detection below.
+                                    // Continue handling the connection as if it
+                                    // were opaque.
+                                    _ => {
+                                        info!(
+                                            ?timeout,
+                                            "Handling connection as opaque due to policy"
+                                        );
+                                        Ok(svc::Either::Right(tls))
+                                    }
                                }
-                                // Otherwise, the protocol hint must have been `Detect` or the
-                                // protocol was updated after detection was initiated, otherwise we
-                                // would have avoided detection below. Continue handling the
-                                // connection as if it were opaque.
-                                _ => {
-                                    info!(%timeout, "Handling connection as opaque");
-                                    Ok(svc::Either::B(tls))
-                                }
-                            },
+                            }
                        }
                    },
                    forward.into_inner(),
                )
                .lift_new_with_target()
-                .push(detect::NewDetectService::layer(ConfigureHttpDetect))
+                .push(http::NewDetect::layer(
+                    move |Detect { timeout, tls }: &Detect| http::DetectParams {
+                        read_timeout: *timeout,
+                        metrics: metrics.metrics(tls.policy.server_label()),
+                    },
+                ))
                .arc_new_tcp();

            http.push_on_service(svc::MapTargetLayer::new(io::BoxedIo::new))
@ -159,7 +185,7 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
                    move |tls: Tls| -> Result<_, Infallible> {
                        let http = match tls.policy.protocol() {
                            Protocol::Detect { timeout, .. } => {
-                                return Ok(svc::Either::B(Detect { timeout, tls }));
+                                return Ok(svc::Either::Right(Detect { timeout, tls }));
                            }
                            // Meshed HTTP/1 services may actually be transported over HTTP/2 connections
                            // between proxies, so we have to do detection.
@ -167,18 +193,18 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
                            // TODO(ver) outbound clients should hint this with ALPN so we don't
                            // have to detect this situation.
                            Protocol::Http1 { .. } if tls.status.is_some() => {
-                                return Ok(svc::Either::B(Detect {
+                                return Ok(svc::Either::Right(Detect {
                                    timeout: detect_timeout,
                                    tls,
                                }));
                            }
                            // Unmeshed services don't use protocol upgrading, so we can use the
                            // hint without further detection.
-                            Protocol::Http1 { .. } => http::Version::Http1,
-                            Protocol::Http2 { .. } | Protocol::Grpc { .. } => http::Version::H2,
+                            Protocol::Http1 { .. } => http::Variant::Http1,
+                            Protocol::Http2 { .. } | Protocol::Grpc { .. } => http::Variant::H2,
                            _ => unreachable!("opaque protocols must not hit the HTTP stack"),
                        };
-                        Ok(svc::Either::A(Http { http, tls }))
+                        Ok(svc::Either::Left(Http { http, tls }))
                    },
                    detect.into_inner(),
                )
@ -232,10 +258,10 @@ impl<I> Inbound<svc::ArcNewTcp<Tls, TlsIo<I>>> {
                        // whether app TLS was employed, but we use this as a signal that we should
                        // not perform additional protocol detection.
                        if matches!(protocol, Protocol::Tls { .. }) {
-                            return Ok(svc::Either::B(tls));
+                            return Ok(svc::Either::Right(tls));
                        }

-                        Ok(svc::Either::A(tls))
+                        Ok(svc::Either::Left(tls))
                    },
                    forward
                        .clone()
@ -259,14 +285,14 @@ impl<I> Inbound<svc::ArcNewTcp<Tls, TlsIo<I>>> {
                        if matches!(policy.protocol(), Protocol::Opaque { .. }) {
                            const TLS_PORT_SKIPPED: tls::ConditionalServerTls =
                                tls::ConditionalServerTls::None(tls::NoServerTls::PortSkipped);
-                            return Ok(svc::Either::B(Tls {
+                            return Ok(svc::Either::Right(Tls {
                                client_addr: t.param(),
                                orig_dst_addr: t.param(),
                                status: TLS_PORT_SKIPPED,
                                policy,
                            }));
                        }
-                        Ok(svc::Either::A(t))
+                        Ok(svc::Either::Left(t))
                    },
                    forward
                        .push_on_service(svc::MapTargetLayer::new(io::BoxedIo::new))
@ -299,7 +325,7 @@ impl svc::Param<Remote<ServerAddr>> for Forward {
 impl svc::Param<transport::labels::Key> for Forward {
    fn param(&self) -> transport::labels::Key {
        transport::labels::Key::inbound_server(
-            self.tls.clone(),
+            self.tls.as_ref().map(|t| t.labels()),
            self.orig_dst_addr.into(),
            self.permit.labels.server.clone(),
        )
@ -332,18 +358,10 @@ impl svc::Param<tls::ConditionalServerTls> for Tls {
    }
 }

-// === impl ConfigureHttpDetect ===
-
-impl svc::ExtractParam<detect::Config<http::DetectHttp>, Detect> for ConfigureHttpDetect {
-    fn extract_param(&self, detect: &Detect) -> detect::Config<http::DetectHttp> {
-        detect::Config::from_timeout(detect.timeout)
-    }
-}
-
 // === impl Http ===

-impl svc::Param<http::Version> for Http {
-    fn param(&self) -> http::Version {
+impl svc::Param<http::Variant> for Http {
+    fn param(&self) -> http::Variant {
        self.http
    }
 }
@ -411,7 +429,7 @@ impl svc::Param<ServerLabel> for Http {
 impl svc::Param<transport::labels::Key> for Http {
    fn param(&self) -> transport::labels::Key {
        transport::labels::Key::inbound_server(
-            self.tls.status.clone(),
+            self.tls.status.as_ref().map(|t| t.labels()),
            self.tls.orig_dst_addr.into(),
            self.tls.policy.server_label(),
        )
@ -442,3 +460,13 @@ impl<T> svc::InsertParam<tls::ConditionalServerTls, T> for TlsParams {
        (tls, target)
    }
 }
+
+// === impl MetricsFamilies ===
+
+impl MetricsFamilies {
+    pub fn register(reg: &mut prom::Registry) -> Self {
+        Self(http::DetectMetricsFamilies::register(
+            reg.sub_registry_with_prefix("http"),
+        ))
+    }
+}
--- a/linkerd/app/inbound/src/detect/tests.rs
+++ b/linkerd/app/inbound/src/detect/tests.rs
@ -13,6 +13,12 @@ const HTTP1: &[u8] = b"GET / HTTP/1.1\r\nhost: example.com\r\n\r\n";
 const HTTP2: &[u8] = b"PRI * HTTP/2.0\r\n";
 const NOT_HTTP: &[u8] = b"foo\r\nbar\r\nblah\r\n";

+const RESULTS_NOT_HTTP: &str = "results_total{result=\"not_http\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+const RESULTS_HTTP1: &str = "results_total{result=\"http/1\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+const RESULTS_HTTP2: &str = "results_total{result=\"http/2\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+const RESULTS_READ_TIMEOUT: &str = "results_total{result=\"read_timeout\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+const RESULTS_ERROR: &str = "results_total{result=\"error\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+
 fn authzs() -> Arc<[Authorization]> {
    Arc::new([Authorization {
        authentication: Authentication::Unauthenticated,
@ -35,11 +41,41 @@ fn allow(protocol: Protocol) -> AllowPolicy {
                kind: "server".into(),
                name: "testsrv".into(),
            }),
+            local_rate_limit: Arc::new(Default::default()),
        },
    );
    allow
 }

+macro_rules! assert_contains_metric {
+    ($registry:expr, $metric:expr, $value:expr) => {{
+        let mut buf = String::new();
+        prom::encoding::text::encode_registry(&mut buf, $registry).expect("encode registry failed");
+        let lines = buf.split_terminator('\n').collect::<Vec<_>>();
+        assert_eq!(
+            lines.iter().find(|l| l.starts_with($metric)),
+            Some(&&*format!("{} {}", $metric, $value)),
+            "metric '{}' not found in:\n{:?}",
+            $metric,
+            buf
+        );
+    }};
+}
+
+macro_rules! assert_not_contains_metric {
+    ($registry:expr, $pattern:expr) => {{
+        let mut buf = String::new();
+        prom::encoding::text::encode_registry(&mut buf, $registry).expect("encode registry failed");
+        let lines = buf.split_terminator('\n').collect::<Vec<_>>();
+        assert!(
+            !lines.iter().any(|l| l.starts_with($pattern)),
+            "metric '{}' found in:\n{:?}",
+            $pattern,
+            buf
+        );
+    }};
+}
+
 #[tokio::test(flavor = "current_thread")]
 async fn detect_tls_opaque() {
    let _trace = trace::test::trace_init();
@ -76,14 +112,21 @@ async fn detect_http_non_http() {
    let (ior, mut iow) = io::duplex(100);
    iow.write_all(NOT_HTTP).await.unwrap();

+    let mut registry = prom::Registry::default();
    inbound()
        .with_stack(new_panic("http stack must not be used"))
-        .push_detect_http(new_ok())
+        .push_detect_http(super::HttpDetectMetrics::register(&mut registry), new_ok())
        .into_inner()
        .new_service(target)
        .oneshot(ior)
        .await
        .expect("should succeed");
+
+    assert_contains_metric!(&registry, RESULTS_NOT_HTTP, 1);
+    assert_contains_metric!(&registry, RESULTS_HTTP1, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP2, 0);
+    assert_contains_metric!(&registry, RESULTS_READ_TIMEOUT, 0);
+    assert_contains_metric!(&registry, RESULTS_ERROR, 0);
 }

 #[tokio::test(flavor = "current_thread")]
@ -107,14 +150,24 @@ async fn detect_http() {
    let (ior, mut iow) = io::duplex(100);
    iow.write_all(HTTP1).await.unwrap();

+    let mut registry = prom::Registry::default();
    inbound()
        .with_stack(new_ok())
-        .push_detect_http(new_panic("tcp stack must not be used"))
+        .push_detect_http(
+            super::HttpDetectMetrics::register(&mut registry),
+            new_panic("tcp stack must not be used"),
+        )
        .into_inner()
        .new_service(target)
        .oneshot(ior)
        .await
        .expect("should succeed");
+
+    assert_contains_metric!(&registry, RESULTS_NOT_HTTP, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP1, 1);
+    assert_contains_metric!(&registry, RESULTS_HTTP2, 0);
+    assert_contains_metric!(&registry, RESULTS_READ_TIMEOUT, 0);
+    assert_contains_metric!(&registry, RESULTS_ERROR, 0);
 }

 #[tokio::test(flavor = "current_thread")]
@ -133,14 +186,24 @@ async fn hinted_http1() {
    let (ior, mut iow) = io::duplex(100);
    iow.write_all(HTTP1).await.unwrap();

+    let mut registry = prom::Registry::default();
    inbound()
        .with_stack(new_ok())
-        .push_detect_http(new_panic("tcp stack must not be used"))
+        .push_detect_http(
+            super::HttpDetectMetrics::register(&mut registry),
+            new_panic("tcp stack must not be used"),
+        )
        .into_inner()
        .new_service(target)
        .oneshot(ior)
        .await
        .expect("should succeed");
+
+    assert_contains_metric!(&registry, RESULTS_NOT_HTTP, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP1, 1);
+    assert_contains_metric!(&registry, RESULTS_HTTP2, 0);
+    assert_contains_metric!(&registry, RESULTS_READ_TIMEOUT, 0);
+    assert_contains_metric!(&registry, RESULTS_ERROR, 0);
 }

 #[tokio::test(flavor = "current_thread")]
@ -159,14 +222,24 @@ async fn hinted_http1_supports_http2() {
    let (ior, mut iow) = io::duplex(100);
    iow.write_all(HTTP2).await.unwrap();

+    let mut registry = prom::Registry::default();
    inbound()
        .with_stack(new_ok())
-        .push_detect_http(new_panic("tcp stack must not be used"))
+        .push_detect_http(
+            super::HttpDetectMetrics::register(&mut registry),
+            new_panic("tcp stack must not be used"),
+        )
        .into_inner()
        .new_service(target)
        .oneshot(ior)
        .await
        .expect("should succeed");
+
+    assert_contains_metric!(&registry, RESULTS_NOT_HTTP, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP1, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP2, 1);
+    assert_contains_metric!(&registry, RESULTS_READ_TIMEOUT, 0);
+    assert_contains_metric!(&registry, RESULTS_ERROR, 0);
 }

 #[tokio::test(flavor = "current_thread")]
@ -184,14 +257,25 @@ async fn hinted_http2() {

    let (ior, _) = io::duplex(100);

+    let mut registry = prom::Registry::default();
    inbound()
        .with_stack(new_ok())
-        .push_detect_http(new_panic("tcp stack must not be used"))
+        .push_detect_http(
+            super::HttpDetectMetrics::register(&mut registry),
+            new_panic("tcp stack must not be used"),
+        )
        .into_inner()
        .new_service(target)
        .oneshot(ior)
        .await
        .expect("should succeed");
+
+    // No detection is performed when HTTP/2 is hinted, so no metrics are recorded.
+    assert_not_contains_metric!(&registry, RESULTS_NOT_HTTP);
+    assert_not_contains_metric!(&registry, RESULTS_HTTP1);
+    assert_not_contains_metric!(&registry, RESULTS_HTTP2);
+    assert_not_contains_metric!(&registry, RESULTS_READ_TIMEOUT);
+    assert_not_contains_metric!(&registry, RESULTS_ERROR);
 }

 fn client_id() -> tls::ClientId {
@ -209,7 +293,11 @@ fn orig_dst_addr() -> OrigDstAddr {
 }

 fn inbound() -> Inbound<()> {
-    Inbound::new(test_util::default_config(), test_util::runtime().0)
+    Inbound::new(
+        test_util::default_config(),
+        test_util::runtime().0,
+        &mut Default::default(),
+    )
 }

 fn new_panic<T, I: 'static>(msg: &'static str) -> svc::ArcNewTcp<T, I> {
--- a/linkerd/app/inbound/src/direct.rs
+++ b/linkerd/app/inbound/src/direct.rs
@ -15,6 +15,10 @@ use std::fmt::Debug;
 use thiserror::Error;
 use tracing::{debug_span, info_span};

+mod metrics;
+
+pub use self::metrics::MetricsFamilies;
+
 /// Creates I/O errors when a connection cannot be forwarded because no transport
 /// header was present.
 #[derive(Debug, Default)]
@ -25,8 +29,8 @@ struct RefusedNoHeader;
 pub struct RefusedNoIdentity(());

 #[derive(Debug, Error)]
-#[error("a named target must be provided on gateway connections")]
-struct RefusedNoTarget;
+#[error("direct connections require transport header negotiation")]
+struct TransportHeaderRequired(());

 #[derive(Debug, Clone)]
 pub(crate) struct LocalTcp {
@ -93,7 +97,7 @@ impl<N> Inbound<N> {
        self,
        policies: impl policy::GetPolicy + Clone + Send + Sync + 'static,
        gateway: svc::ArcNewTcp<GatewayTransportHeader, GatewayIo<I>>,
-        http: svc::ArcNewTcp<LocalHttp, io::PrefixedIo<TlsIo<I>>>,
+        http: svc::ArcNewTcp<LocalHttp, SensorIo<io::PrefixedIo<TlsIo<I>>>>,
    ) -> Inbound<svc::ArcNewTcp<T, I>>
    where
        T: Param<Remote<ClientAddr>> + Param<OrigDstAddr>,
@ -108,11 +112,12 @@ impl<N> Inbound<N> {
    {
        self.map_stack(|config, rt, inner| {
            let detect_timeout = config.proxy.detect_protocol_timeout;
+            let metrics = rt.metrics.direct.clone();

            let identity = rt
                .identity
                .server()
-                .with_alpn(vec![transport_header::PROTOCOL.into()])
+                .spawn_with_alpn(vec![transport_header::PROTOCOL.into()])
                .expect("TLS credential store must be held");

            inner
@ -135,7 +140,14 @@ impl<N> Inbound<N> {
                // forwarding, or we may be processing an HTTP gateway connection. HTTP gateway
                // connections that have a transport header must provide a target name as a part of
                // the header.
-                .push_switch(Ok::<Local, Infallible>, http)
+                .push_switch(
+                    Ok::<Local, Infallible>,
+                    svc::stack(http)
+                        .push(transport::metrics::NewServer::layer(
+                            rt.metrics.proxy.transport.clone(),
+                        ))
+                        .into_inner(),
+                )
                .push_switch(
                    {
                        let policies = policies.clone();
@ -145,14 +157,14 @@ impl<N> Inbound<N> {
                                    port,
                                    name: None,
                                    protocol,
-                                } => Ok(svc::Either::A({
+                                } => Ok(svc::Either::Left({
                                    // When the transport header targets an alternate port (but does
                                    // not identify an alternate target name), we check the new
                                    // target's policy (rather than the inbound proxy's address).
                                    let addr = (client.local_addr.ip(), port).into();
                                    let policy = policies.get_policy(OrigDstAddr(addr));
                                    match protocol {
-                                        None => svc::Either::A(LocalTcp {
+                                        None => svc::Either::Left(LocalTcp {
                                            server_addr: Remote(ServerAddr(addr)),
                                            client_addr: client.client_addr,
                                            client_id: client.client_id,
@ -162,7 +174,7 @@ impl<N> Inbound<N> {
                                            // When TransportHeader includes the protocol, but does not
                                            // include an alternate name we go through the Inbound HTTP
                                            // stack.
-                                            svc::Either::B(LocalHttp {
+                                            svc::Either::Right(LocalHttp {
                                                addr: Remote(ServerAddr(addr)),
                                                policy,
                                                protocol,
@ -176,7 +188,7 @@ impl<N> Inbound<N> {
                                    port,
                                    name: Some(name),
                                    protocol,
-                                } => Ok(svc::Either::B({
+                                } => Ok(svc::Either::Right({
                                    // When the transport header provides an alternate target, the
                                    // connection is a gateway connection. We check the _gateway
                                    // address's_ policy (rather than the target address).
@ -204,6 +216,7 @@ impl<N> Inbound<N> {
                )
                .check_new_service::<(TransportHeader, ClientInfo), _>()
                // Use ALPN to determine whether a transport header should be read.
+                .push(metrics::NewRecord::layer(metrics))
                .push(svc::ArcNewService::layer())
                .push(NewTransportHeaderServer::layer(detect_timeout))
                .check_new_service::<ClientInfo, _>()
@ -215,7 +228,7 @@ impl<N> Inbound<N> {
                    if client.header_negotiated() {
                        Ok(client)
                    } else {
-                        Err(RefusedNoTarget.into())
+                        Err(TransportHeaderRequired(()).into())
                    }
                })
                .push(svc::ArcNewService::layer())
@ -298,9 +311,8 @@ impl Param<Remote<ServerAddr>> for AuthorizedLocalTcp {
 impl Param<transport::labels::Key> for AuthorizedLocalTcp {
    fn param(&self) -> transport::labels::Key {
        transport::labels::Key::inbound_server(
-            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
+            tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
                client_id: Some(self.client_id.clone()),
-                negotiated_protocol: None,
            }),
            self.addr.into(),
            self.permit.labels.server.clone(),
@ -331,9 +343,8 @@ impl Param<Remote<ClientAddr>> for LocalHttp {
 impl Param<transport::labels::Key> for LocalHttp {
    fn param(&self) -> transport::labels::Key {
        transport::labels::Key::inbound_server(
-            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
+            tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
                client_id: Some(self.client.client_id.clone()),
-                negotiated_protocol: None,
            }),
            self.addr.into(),
            self.policy.server_label(),
@ -347,11 +358,11 @@ impl svc::Param<policy::AllowPolicy> for LocalHttp {
    }
 }

-impl svc::Param<http::Version> for LocalHttp {
-    fn param(&self) -> http::Version {
+impl svc::Param<http::Variant> for LocalHttp {
+    fn param(&self) -> http::Variant {
        match self.protocol {
-            SessionProtocol::Http1 => http::Version::Http1,
-            SessionProtocol::Http2 => http::Version::H2,
+            SessionProtocol::Http1 => http::Variant::Http1,
+            SessionProtocol::Http2 => http::Variant::H2,
        }
    }
 }
@ -422,6 +433,14 @@ impl Param<tls::ConditionalServerTls> for GatewayTransportHeader {
    }
 }

+impl Param<tls::ConditionalServerTlsLabels> for GatewayTransportHeader {
+    fn param(&self) -> tls::ConditionalServerTlsLabels {
+        tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
+            client_id: Some(self.client.client_id.clone()),
+        })
+    }
+}
+
 impl Param<tls::ClientId> for GatewayTransportHeader {
    fn param(&self) -> tls::ClientId {
        self.client.client_id.clone()
--- a/linkerd/app/inbound/src/direct/metrics.rs
+++ b/linkerd/app/inbound/src/direct/metrics.rs
@ -0,0 +1,91 @@
+use super::ClientInfo;
+use linkerd_app_core::{
+    metrics::prom::{self, EncodeLabelSetMut},
+    svc, tls,
+    transport_header::{SessionProtocol, TransportHeader},
+};
+
+#[cfg(test)]
+mod tests;
+
+#[derive(Clone, Debug)]
+pub struct NewRecord<N> {
+    inner: N,
+    metrics: MetricsFamilies,
+}
+
+#[derive(Clone, Debug, Default)]
+pub struct MetricsFamilies {
+    connections: prom::Family<Labels, prom::Counter>,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+struct Labels {
+    header: TransportHeader,
+    client_id: tls::ClientId,
+}
+
+impl MetricsFamilies {
+    pub fn register(reg: &mut prom::Registry) -> Self {
+        let connections = prom::Family::default();
+        reg.register(
+            "connections",
+            "TCP connections with transport headers",
+            connections.clone(),
+        );
+
+        Self { connections }
+    }
+}
+
+impl<N> NewRecord<N> {
+    pub fn layer(metrics: MetricsFamilies) -> impl svc::layer::Layer<N, Service = Self> + Clone {
+        svc::layer::mk(move |inner| Self {
+            inner,
+            metrics: metrics.clone(),
+        })
+    }
+}
+
+impl<N> svc::NewService<(TransportHeader, ClientInfo)> for NewRecord<N>
+where
+    N: svc::NewService<(TransportHeader, ClientInfo)>,
+{
+    type Service = N::Service;
+
+    fn new_service(&self, (header, client): (TransportHeader, ClientInfo)) -> Self::Service {
+        self.metrics
+            .connections
+            .get_or_create(&Labels {
+                header: header.clone(),
+                client_id: client.client_id.clone(),
+            })
+            .inc();
+
+        self.inner.new_service((header, client))
+    }
+}
+
+impl prom::EncodeLabelSetMut for Labels {
+    fn encode_label_set(&self, enc: &mut prom::encoding::LabelSetEncoder<'_>) -> std::fmt::Result {
+        use prom::encoding::EncodeLabel;
+        (
+            "session_protocol",
+            self.header.protocol.as_ref().map(|p| match p {
+                SessionProtocol::Http1 => "http/1",
+                SessionProtocol::Http2 => "http/2",
+            }),
+        )
+            .encode(enc.encode_label())?;
+        ("target_port", self.header.port).encode(enc.encode_label())?;
+        ("target_name", self.header.name.as_deref()).encode(enc.encode_label())?;
+        ("client_id", self.client_id.to_str()).encode(enc.encode_label())?;
+        Ok(())
+    }
+}
+
+impl prom::encoding::EncodeLabelSet for Labels {
+    fn encode(&self, mut enc: prom::encoding::LabelSetEncoder<'_>) -> Result<(), std::fmt::Error> {
+        self.encode_label_set(&mut enc)
+    }
+}
--- a/linkerd/app/inbound/src/direct/metrics/tests.rs
+++ b/linkerd/app/inbound/src/direct/metrics/tests.rs
@ -0,0 +1,115 @@
+use super::*;
+use crate::direct::ClientInfo;
+use futures::future;
+use linkerd_app_core::{
+    io,
+    metrics::prom,
+    svc, tls,
+    transport::addrs::{ClientAddr, OrigDstAddr, Remote},
+    transport_header::{SessionProtocol, TransportHeader},
+    Error,
+};
+use std::str::FromStr;
+
+fn new_ok<T>() -> svc::ArcNewTcp<T, io::BoxedIo> {
+    svc::ArcNewService::new(|_| svc::BoxService::new(svc::mk(|_| future::ok::<(), Error>(()))))
+}
+
+macro_rules! assert_counted {
+    ($registry:expr, $proto:expr, $port:expr, $name:expr, $value:expr) => {{
+        let mut buf = String::new();
+        prom::encoding::text::encode_registry(&mut buf, $registry).expect("encode registry failed");
+        let metric = format!("connections_total{{session_protocol=\"{}\",target_port=\"{}\",target_name=\"{}\",client_id=\"test.client\"}}", $proto, $port, $name);
+        assert_eq!(
+            buf.split_terminator('\n')
+                .find(|l| l.starts_with(&*metric)),
+            Some(&*format!("{metric} {}", $value)),
+            "metric '{metric}' not found in:\n{buf}"
+        );
+    }};
+}
+
+// Added helper to setup and run the test
+fn run_metric_test(header: TransportHeader) -> prom::Registry {
+    let mut registry = prom::Registry::default();
+    let families = MetricsFamilies::register(&mut registry);
+    let new_record = svc::layer::Layer::layer(&NewRecord::layer(families.clone()), new_ok());
+    // common client info
+    let client_id = tls::ClientId::from_str("test.client").unwrap();
+    let client_addr = Remote(ClientAddr(([127, 0, 0, 1], 40000).into()));
+    let local_addr = OrigDstAddr(([127, 0, 0, 1], 4143).into());
+    let client_info = ClientInfo {
+        client_id: client_id.clone(),
+        alpn: Some(tls::NegotiatedProtocol("transport.l5d.io/v1".into())),
+        client_addr,
+        local_addr,
+    };
+    let _svc = svc::NewService::new_service(&new_record, (header.clone(), client_info.clone()));
+    registry
+}
+
+#[test]
+fn records_metrics_http1_local() {
+    let header = TransportHeader {
+        port: 8080,
+        name: None,
+        protocol: Some(SessionProtocol::Http1),
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "http/1", 8080, "", 1);
+}
+
+#[test]
+fn records_metrics_http2_local() {
+    let header = TransportHeader {
+        port: 8081,
+        name: None,
+        protocol: Some(SessionProtocol::Http2),
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "http/2", 8081, "", 1);
+}
+
+#[test]
+fn records_metrics_opaq_local() {
+    let header = TransportHeader {
+        port: 8082,
+        name: None,
+        protocol: None,
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "", 8082, "", 1);
+}
+
+#[test]
+fn records_metrics_http1_gateway() {
+    let header = TransportHeader {
+        port: 8080,
+        name: Some("mysvc.myns.svc.cluster.local".parse().unwrap()),
+        protocol: Some(SessionProtocol::Http1),
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "http/1", 8080, "mysvc.myns.svc.cluster.local", 1);
+}
+
+#[test]
+fn records_metrics_http2_gateway() {
+    let header = TransportHeader {
+        port: 8081,
+        name: Some("mysvc.myns.svc.cluster.local".parse().unwrap()),
+        protocol: Some(SessionProtocol::Http2),
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "http/2", 8081, "mysvc.myns.svc.cluster.local", 1);
+}
+
+#[test]
+fn records_metrics_opaq_gateway() {
+    let header = TransportHeader {
+        port: 8082,
+        name: Some("mysvc.myns.svc.cluster.local".parse().unwrap()),
+        protocol: None,
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "", 8082, "mysvc.myns.svc.cluster.local", 1);
+}
--- a/linkerd/app/inbound/src/http.rs
+++ b/linkerd/app/inbound/src/http.rs
@ -18,7 +18,7 @@ pub mod fuzz {
        test_util::{support::connect::Connect, *},
        Config, Inbound,
    };
-    use hyper::{client::conn::Builder as ClientBuilder, Body, Request, Response};
+    use hyper::{Body, Request, Response};
    use libfuzzer_sys::arbitrary::Arbitrary;
    use linkerd_app_core::{
        identity, io,
@ -41,9 +41,8 @@ pub mod fuzz {
    }

    pub async fn fuzz_entry_raw(requests: Vec<HttpRequestSpec>) {
-        let mut server = hyper::server::conn::Http::new();
-        server.http1_only(true);
-        let mut client = ClientBuilder::new();
+        let server = hyper::server::conn::http1::Builder::new();
+        let mut client = hyper::client::conn::http1::Builder::new();
        let connect =
            support::connect().endpoint_fn_boxed(Target::addr(), hello_fuzz_server(server));
        let profiles = profile::resolver();
@ -55,7 +54,7 @@ pub mod fuzz {
        let cfg = default_config();
        let (rt, _shutdown) = runtime();
        let server = build_fuzz_server(cfg, rt, profiles, connect).new_service(Target::HTTP1);
-        let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+        let (mut client, bg) = http_util::connect_and_accept_http1(&mut client, server).await;

        // Now send all of the requests
        for inp in requests.iter() {
@ -74,7 +73,7 @@ pub mod fuzz {
                            .header(header_name, header_value)
                            .body(Body::default())
                        {
-                            let rsp = http_util::http_request(&mut client, req).await;
+                            let rsp = client.send_request(req).await;
                            tracing::info!(?rsp);
                            if let Ok(rsp) = rsp {
                                let body = http_util::body_to_string(rsp.into_body()).await;
@ -86,18 +85,18 @@ pub mod fuzz {
            }
        }

-        drop(client);
        // It's okay if the background task returns an error, as this would
        // indicate that the proxy closed the connection --- which it will do on
        // invalid inputs. We want to ensure that the proxy doesn't crash in the
        // face of these inputs, and the background task will panic in this
        // case.
-        let res = bg.await;
+        drop(client);
+        let res = bg.join_all().await;
        tracing::info!(?res, "background tasks completed")
    }

    fn hello_fuzz_server(
-        http: hyper::server::conn::Http,
+        http: hyper::server::conn::http1::Builder,
    ) -> impl Fn(Remote<ServerAddr>) -> io::Result<io::BoxedIo> {
        move |_endpoint| {
            let (client_io, server_io) = support::io::duplex(4096);
@ -163,12 +162,12 @@ pub mod fuzz {
    }

    #[derive(Clone, Debug)]
-    struct Target(http::Version);
+    struct Target(http::Variant);

    // === impl Target ===

    impl Target {
-        const HTTP1: Self = Self(http::Version::Http1);
+        const HTTP1: Self = Self(http::Variant::Http1);

        fn addr() -> SocketAddr {
            ([127, 0, 0, 1], 80).into()
@ -193,8 +192,8 @@ pub mod fuzz {
        }
    }

-    impl svc::Param<http::Version> for Target {
-        fn param(&self) -> http::Version {
+    impl svc::Param<http::Variant> for Target {
+        fn param(&self) -> http::Variant {
            self.0
        }
    }
@ -228,6 +227,9 @@ pub mod fuzz {
                        kind: "server".into(),
                        name: "testsrv".into(),
                    }),
+                    local_rate_limit: Arc::new(
+                        linkerd_proxy_server_policy::LocalRateLimit::default(),
+                    ),
                },
            );
            policy
@ -236,11 +238,14 @@ pub mod fuzz {

    impl svc::Param<policy::ServerLabel> for Target {
        fn param(&self) -> policy::ServerLabel {
-            policy::ServerLabel(Arc::new(policy::Meta::Resource {
-                group: "policy.linkerd.io".into(),
-                kind: "server".into(),
-                name: "testsrv".into(),
-            }))
+            policy::ServerLabel(
+                Arc::new(policy::Meta::Resource {
+                    group: "policy.linkerd.io".into(),
+                    kind: "server".into(),
+                    name: "testsrv".into(),
+                }),
+                1000,
+            )
        }
    }

--- a/linkerd/app/inbound/src/http/router.rs
+++ b/linkerd/app/inbound/src/http/router.rs
@ -33,7 +33,7 @@ struct Logical {
    /// The request's logical destination. Used for profile discovery.
    logical: Option<NameAddr>,
    addr: Remote<ServerAddr>,
-    http: http::Version,
+    http: http::Variant,
    tls: tls::ConditionalServerTls,
    permit: policy::HttpRoutePermit,
    labels: tap::Labels,
@ -69,7 +69,7 @@ struct LogicalError {
 impl<C> Inbound<C> {
    pub(crate) fn push_http_router<T, P>(self, profiles: P) -> Inbound<svc::ArcNewCloneHttp<T>>
    where
-        T: Param<http::Version>
+        T: Param<http::Variant>
            + Param<Remote<ServerAddr>>
            + Param<Remote<ClientAddr>>
            + Param<tls::ConditionalServerTls>
@ -83,6 +83,7 @@ impl<C> Inbound<C> {
    {
        self.map_stack(|config, rt, connect| {
            let allow_profile = config.allow_discovery.clone();
+            let unsafe_authority_labels = config.unsafe_authority_labels;
            let h1_params = config.proxy.connect.http1;
            let h2_params = config.proxy.connect.http2.clone();

@ -105,8 +106,8 @@ impl<C> Inbound<C> {
                        addr: t.addr,
                        permit: t.permit,
                        params: match t.http {
-                            http::Version::Http1 => http::client::Params::Http1(h1_params),
-                            http::Version::H2 => http::client::Params::H2(h2_params.clone())
+                            http::Variant::Http1 => http::client::Params::Http1(h1_params),
+                            http::Variant::H2 => http::client::Params::H2(h2_params.clone())
                        },
                    }
                })
@ -122,7 +123,9 @@ impl<C> Inbound<C> {
                    rt.metrics
                        .proxy
                        .http_endpoint
-                        .to_layer::<classify::Response, _, _>(),
+                        .to_layer_via::<classify::Response, _, _, _>(
+                            endpoint_labels(unsafe_authority_labels),
+                        ),
                )
                .push_on_service(http_tracing::client(rt.span_sink.clone(), super::trace_labels()))
                .push_on_service(http::BoxResponse::layer())
@ -163,14 +166,14 @@ impl<C> Inbound<C> {
                    |(rx, logical): (Option<profiles::Receiver>, Logical)| -> Result<_, Infallible> {
                        if let Some(rx) = rx {
                            if let Some(addr) = rx.logical_addr() {
-                                return Ok(svc::Either::A(Profile {
+                                return Ok(svc::Either::Left(Profile {
                                    addr,
                                    logical,
                                    profiles: rx,
                                }));
                            }
                        }
-                        Ok(svc::Either::B(logical))
+                        Ok(svc::Either::Right(logical))
                    },
                    http.clone().into_inner(),
                )
@ -189,7 +192,7 @@ impl<C> Inbound<C> {
                        // discovery (so that we skip the profile stack above).
                        let addr = match logical.logical.clone() {
                            Some(addr) => addr,
-                            None => return Ok(svc::Either::B((None, logical))),
+                            None => return Ok(svc::Either::Right((None, logical))),
                        };
                        if !allow_profile.matches(addr.name()) {
                            tracing::debug!(
@ -197,9 +200,9 @@ impl<C> Inbound<C> {
                                suffixes = %allow_profile,
                                "Skipping discovery, address not in configured DNS suffixes",
                            );
-                            return Ok(svc::Either::B((None, logical)));
+                            return Ok(svc::Either::Right((None, logical)));
                        }
-                        Ok(svc::Either::A(logical))
+                        Ok(svc::Either::Left(logical))
                    },
                    router
                        .check_new_service::<(Option<profiles::Receiver>, Logical), http::Request<_>>()
@ -387,13 +390,17 @@ impl Param<transport::labels::Key> for Logical {
    }
 }

-impl Param<metrics::EndpointLabels> for Logical {
-    fn param(&self) -> metrics::EndpointLabels {
+fn endpoint_labels(
+    unsafe_authority_labels: bool,
+) -> impl svc::ExtractParam<metrics::EndpointLabels, Logical> + Clone {
+    move |t: &Logical| -> metrics::EndpointLabels {
        metrics::InboundEndpointLabels {
-            tls: self.tls.clone(),
-            authority: self.logical.as_ref().map(|d| d.as_http_authority()),
-            target_addr: self.addr.into(),
-            policy: self.permit.labels.clone(),
+            tls: t.tls.as_ref().map(|t| t.labels()),
+            authority: unsafe_authority_labels
+                .then(|| t.logical.as_ref().map(|d| d.as_http_authority()))
+                .flatten(),
+            target_addr: t.addr.into(),
+            policy: t.permit.labels.clone(),
        }
        .into()
    }
--- a/linkerd/app/inbound/src/http/server.rs
+++ b/linkerd/app/inbound/src/http/server.rs
@ -1,6 +1,6 @@
 use super::set_identity_header::NewSetIdentityHeader;
 use crate::{policy, Inbound};
-pub use linkerd_app_core::proxy::http::{normalize_uri, Version};
+pub use linkerd_app_core::proxy::http::{normalize_uri, Variant};
 use linkerd_app_core::{
    config::ProxyConfig,
    errors, http_tracing, io,
@ -31,7 +31,7 @@ impl<H> Inbound<H> {
    pub fn push_http_server<T, HSvc>(self) -> Inbound<svc::ArcNewCloneHttp<T>>
    where
        // Connection target.
-        T: Param<Version>
+        T: Param<Variant>
            + Param<normalize_uri::DefaultAuthority>
            + Param<tls::ConditionalServerTls>
            + Param<ServerLabel>
@ -95,7 +95,7 @@ impl<H> Inbound<H> {
    pub fn push_http_tcp_server<T, I, HSvc>(self) -> Inbound<svc::ArcNewTcp<T, I>>
    where
        // Connection target.
-        T: Param<Version>,
+        T: Param<Variant>,
        T: Clone + Send + Unpin + 'static,
        // Server-side socket.
        I: io::AsyncRead + io::AsyncWrite + io::PeerAddr + Send + Unpin + 'static,
@ -203,6 +203,10 @@ impl errors::HttpRescue<Error> for ServerRescue {
            ));
        }

+        if errors::is_caused_by::<linkerd_proxy_server_policy::RateLimitError>(&*error) {
+            return Ok(errors::SyntheticHttpResponse::rate_limited(error));
+        }
+
        if errors::is_caused_by::<crate::GatewayDomainInvalid>(&*error) {
            return Ok(errors::SyntheticHttpResponse::not_found(error));
        }
--- a/linkerd/app/inbound/src/http/tests.rs
+++ b/linkerd/app/inbound/src/http/tests.rs
@ -6,21 +6,22 @@ use crate::{
    },
    Config, Inbound,
 };
-use hyper::{body::HttpBody, client::conn::Builder as ClientBuilder, Body, Request, Response};
+use hyper::{Request, Response};
 use linkerd_app_core::{
    classify,
-    errors::respond::L5D_PROXY_ERROR,
+    errors::header::L5D_PROXY_ERROR,
    identity, io, metrics,
-    proxy::http,
-    svc::{self, NewService, Param},
+    proxy::http::{self, BoxBody},
+    svc::{self, http::TokioExecutor, NewService, Param},
    tls,
    transport::{ClientAddr, OrigDstAddr, Remote, ServerAddr},
-    NameAddr, ProxyRuntime,
+    Error, NameAddr, ProxyRuntime,
 };
 use linkerd_app_test::connect::ConnectFuture;
 use linkerd_tracing::test::trace_init;
 use std::{net::SocketAddr, sync::Arc};
 use tokio::time;
+use tower::ServiceExt;
 use tracing::Instrument;

 fn build_server<I>(
@ -32,7 +33,7 @@ fn build_server<I>(
 where
    I: io::AsyncRead + io::AsyncWrite + io::PeerAddr + Send + Unpin + 'static,
 {
-    Inbound::new(cfg, rt)
+    Inbound::new(cfg, rt, &mut Default::default())
        .with_stack(connect)
        .map_stack(|cfg, _, s| {
            s.push_map_target(|t| Param::<Remote<ServerAddr>>::param(&t))
@ -46,9 +47,10 @@ where

 #[tokio::test(flavor = "current_thread")]
 async fn unmeshed_http1_hello_world() {
-    let mut server = hyper::server::conn::Http::new();
-    server.http1_only(true);
-    let mut client = ClientBuilder::new();
+    let mut server = hyper::server::conn::http1::Builder::new();
+    server.timer(hyper_util::rt::TokioTimer::new());
+    let mut client = hyper::client::conn::http1::Builder::new();
+
    let _trace = trace_init();

    // Build a mock "connector" that returns the upstream "server" IO.
@ -63,29 +65,38 @@ async fn unmeshed_http1_hello_world() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::UNMESHED_HTTP1);
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http1(&mut client, server).await;

    let req = Request::builder()
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
-        .body(Body::default())
+        .body(BoxBody::default())
        .unwrap();
-    let rsp = http_util::http_request(&mut client, req).await.unwrap();
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
    assert_eq!(rsp.status(), http::StatusCode::OK);
    let body = http_util::body_to_string(rsp.into_body()).await.unwrap();
    assert_eq!(body, "Hello world!");

+    // Wait for all of the background tasks to complete, panicking if any returned an error.
    drop(client);
-    bg.await.expect("background task failed");
+    bg.join_all()
+        .await
+        .into_iter()
+        .collect::<Result<Vec<()>, Error>>()
+        .expect("background task failed");
 }

 #[tokio::test(flavor = "current_thread")]
 async fn downgrade_origin_form() {
    // Reproduces https://github.com/linkerd/linkerd2/issues/5298
-    let mut server = hyper::server::conn::Http::new();
-    server.http1_only(true);
-    let mut client = ClientBuilder::new();
-    client.http2_only(true);
+    let mut server = hyper::server::conn::http1::Builder::new();
+    server.timer(hyper_util::rt::TokioTimer::new());
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
    let _trace = trace_init();

    // Build a mock "connector" that returns the upstream "server" IO.
@ -100,30 +111,67 @@ async fn downgrade_origin_form() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::UNMESHED_H2);
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = {
+        tracing::info!(settings = ?client, "connecting client with");
+        let (client_io, server_io) = io::duplex(4096);
+
+        let (client, conn) = client
+            .handshake(hyper_util::rt::TokioIo::new(client_io))
+            .await
+            .expect("Client must connect");
+
+        let mut bg = tokio::task::JoinSet::new();
+        bg.spawn(
+            async move {
+                server.oneshot(server_io).await?;
+                tracing::info!("proxy serve task complete");
+                Ok(())
+            }
+            .instrument(tracing::info_span!("proxy")),
+        );
+        bg.spawn(
+            async move {
+                conn.await?;
+                tracing::info!("client background complete");
+                Ok(())
+            }
+            .instrument(tracing::info_span!("client_bg")),
+        );
+
+        (client, bg)
+    };

    let req = Request::builder()
        .method(http::Method::GET)
        .uri("/")
        .header(http::header::HOST, "foo.svc.cluster.local")
        .header("l5d-orig-proto", "HTTP/1.1")
-        .body(Body::default())
+        .body(BoxBody::empty())
        .unwrap();
-    let rsp = http_util::http_request(&mut client, req).await.unwrap();
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
    assert_eq!(rsp.status(), http::StatusCode::OK);
    let body = http_util::body_to_string(rsp.into_body()).await.unwrap();
    assert_eq!(body, "Hello world!");

+    // Wait for all of the background tasks to complete, panicking if any returned an error.
    drop(client);
-    bg.await.expect("background task failed");
+    bg.join_all()
+        .await
+        .into_iter()
+        .collect::<Result<Vec<()>, Error>>()
+        .expect("background task failed");
 }

 #[tokio::test(flavor = "current_thread")]
 async fn downgrade_absolute_form() {
-    let mut server = hyper::server::conn::Http::new();
-    server.http1_only(true);
-    let mut client = ClientBuilder::new();
-    client.http2_only(true);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
+    let mut server = hyper::server::conn::http1::Builder::new();
+    server.timer(hyper_util::rt::TokioTimer::new());
    let _trace = trace_init();

    // Build a mock "connector" that returns the upstream "server" IO.
@ -138,22 +186,60 @@ async fn downgrade_absolute_form() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::UNMESHED_H2);
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+
+    let (mut client, bg) = {
+        tracing::info!(settings = ?client, "connecting client with");
+        let (client_io, server_io) = io::duplex(4096);
+
+        let (client, conn) = client
+            .handshake(hyper_util::rt::TokioIo::new(client_io))
+            .await
+            .expect("Client must connect");
+
+        let mut bg = tokio::task::JoinSet::new();
+        bg.spawn(
+            async move {
+                server.oneshot(server_io).await?;
+                tracing::info!("proxy serve task complete");
+                Ok(())
+            }
+            .instrument(tracing::info_span!("proxy")),
+        );
+        bg.spawn(
+            async move {
+                conn.await?;
+                tracing::info!("client background complete");
+                Ok(())
+            }
+            .instrument(tracing::info_span!("client_bg")),
+        );
+
+        (client, bg)
+    };

    let req = Request::builder()
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550/")
        .header(http::header::HOST, "foo.svc.cluster.local")
        .header("l5d-orig-proto", "HTTP/1.1; absolute-form")
-        .body(Body::default())
+        .body(BoxBody::empty())
        .unwrap();
-    let rsp = http_util::http_request(&mut client, req).await.unwrap();
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
    assert_eq!(rsp.status(), http::StatusCode::OK);
    let body = http_util::body_to_string(rsp.into_body()).await.unwrap();
    assert_eq!(body, "Hello world!");

+    // Wait for all of the background tasks to complete, panicking if any returned an error.
    drop(client);
-    bg.await.expect("background task failed");
+    bg.join_all()
+        .await
+        .into_iter()
+        .collect::<Result<Vec<()>, Error>>()
+        .expect("background task failed");
 }

 #[tokio::test(flavor = "current_thread")]
@ -165,7 +251,7 @@ async fn http1_bad_gateway_meshed_response_error_header() {

    // Build a client using the connect that always errors so that responses
    // are BAD_GATEWAY.
-    let mut client = ClientBuilder::new();
+    let mut client = hyper::client::conn::http1::Builder::new();
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -173,25 +259,34 @@ async fn http1_bad_gateway_meshed_response_error_header() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::meshed_http1());
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http1(&mut client, server).await;

    // Send a request and assert that it is a BAD_GATEWAY with the expected
    // header message.
    let req = Request::builder()
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
-        .body(Body::default())
+        .body(BoxBody::default())
        .unwrap();
-    let response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::BAD_GATEWAY);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::BAD_GATEWAY);
    // NOTE: this does not include a stack error context for that endpoint
    // because we don't build a real HTTP endpoint stack, which adds error
    // context to this error, and the client rescue layer is below where the
    // logical error context is added.
-    check_error_header(response.headers(), "server is not listening");
+    check_error_header(rsp.headers(), "client error (Connect)");

+    // Wait for all of the background tasks to complete, panicking if any returned an error.
    drop(client);
-    bg.await.expect("background task failed");
+    bg.join_all()
+        .await
+        .into_iter()
+        .collect::<Result<Vec<()>, Error>>()
+        .expect("background task failed");
 }

 #[tokio::test(flavor = "current_thread")]
@ -203,7 +298,7 @@ async fn http1_bad_gateway_unmeshed_response() {

    // Build a client using the connect that always errors so that responses
    // are BAD_GATEWAY.
-    let mut client = ClientBuilder::new();
+    let mut client = hyper::client::conn::http1::Builder::new();
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -211,24 +306,33 @@ async fn http1_bad_gateway_unmeshed_response() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::UNMESHED_HTTP1);
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http1(&mut client, server).await;

    // Send a request and assert that it is a BAD_GATEWAY with the expected
    // header message.
    let req = Request::builder()
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
-        .body(Body::default())
+        .body(BoxBody::default())
        .unwrap();
-    let response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::BAD_GATEWAY);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::BAD_GATEWAY);
    assert!(
-        response.headers().get(L5D_PROXY_ERROR).is_none(),
+        rsp.headers().get(L5D_PROXY_ERROR).is_none(),
        "response must not contain L5D_PROXY_ERROR header"
    );

+    // Wait for all of the background tasks to complete, panicking if any returned an error.
    drop(client);
-    bg.await.expect("background task failed");
+    bg.join_all()
+        .await
+        .into_iter()
+        .collect::<Result<Vec<()>, Error>>()
+        .expect("background task failed");
 }

 #[tokio::test(flavor = "current_thread")]
@ -238,12 +342,11 @@ async fn http1_connect_timeout_meshed_response_error_header() {

    // Build a mock connect that sleeps longer than the default inbound
    // connect timeout.
-    let server = hyper::server::conn::Http::new();
-    let connect = support::connect().endpoint(Target::addr(), connect_timeout(server));
+    let connect = support::connect().endpoint(Target::addr(), connect_timeout());

    // Build a client using the connect that always sleeps so that responses
    // are GATEWAY_TIMEOUT.
-    let mut client = ClientBuilder::new();
+    let mut client = hyper::client::conn::http1::Builder::new();
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -251,26 +354,35 @@ async fn http1_connect_timeout_meshed_response_error_header() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::meshed_http1());
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http1(&mut client, server).await;

    // Send a request and assert that it is a GATEWAY_TIMEOUT with the
    // expected header message.
    let req = Request::builder()
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
-        .body(Body::default())
+        .body(BoxBody::default())
        .unwrap();
-    let response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::GATEWAY_TIMEOUT);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::GATEWAY_TIMEOUT);

    // NOTE: this does not include a stack error context for that endpoint
    // because we don't build a real HTTP endpoint stack, which adds error
    // context to this error, and the client rescue layer is below where the
    // logical error context is added.
-    check_error_header(response.headers(), "connect timed out after 1s");
+    check_error_header(rsp.headers(), "client error (Connect)");

+    // Wait for all of the background tasks to complete, panicking if any returned an error.
    drop(client);
-    bg.await.expect("background task failed");
+    bg.join_all()
+        .await
+        .into_iter()
+        .collect::<Result<Vec<()>, Error>>()
+        .expect("background task failed");
 }

 #[tokio::test(flavor = "current_thread")]
@ -280,12 +392,11 @@ async fn http1_connect_timeout_unmeshed_response_error_header() {

    // Build a mock connect that sleeps longer than the default inbound
    // connect timeout.
-    let server = hyper::server::conn::Http::new();
-    let connect = support::connect().endpoint(Target::addr(), connect_timeout(server));
+    let connect = support::connect().endpoint(Target::addr(), connect_timeout());

    // Build a client using the connect that always sleeps so that responses
    // are GATEWAY_TIMEOUT.
-    let mut client = ClientBuilder::new();
+    let mut client = hyper::client::conn::http1::Builder::new();
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -293,24 +404,33 @@ async fn http1_connect_timeout_unmeshed_response_error_header() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::UNMESHED_HTTP1);
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http1(&mut client, server).await;

    // Send a request and assert that it is a GATEWAY_TIMEOUT with the
    // expected header message.
    let req = Request::builder()
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
-        .body(Body::default())
+        .body(BoxBody::empty())
        .unwrap();
-    let response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::GATEWAY_TIMEOUT);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::GATEWAY_TIMEOUT);
    assert!(
-        response.headers().get(L5D_PROXY_ERROR).is_none(),
+        rsp.headers().get(L5D_PROXY_ERROR).is_none(),
        "response must not contain L5D_PROXY_ERROR header"
    );

+    // Wait for all of the background tasks to complete, panicking if any returned an error.
    drop(client);
-    bg.await.expect("background task failed");
+    bg.join_all()
+        .await
+        .into_iter()
+        .collect::<Result<Vec<()>, Error>>()
+        .expect("background task failed");
 }

 #[tokio::test(flavor = "current_thread")]
@ -321,8 +441,8 @@ async fn h2_response_meshed_error_header() {
    let connect = support::connect().endpoint_fn_boxed(Target::addr(), connect_error());

    // Build a client using the connect that always errors.
-    let mut client = ClientBuilder::new();
-    client.http2_only(true);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -330,25 +450,28 @@ async fn h2_response_meshed_error_header() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::meshed_h2());
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http2(&mut client, server).await;

    // Send a request and assert that it is SERVICE_UNAVAILABLE with the
    // expected header message.
    let req = Request::builder()
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
-        .body(Body::default())
+        .body(BoxBody::empty())
        .unwrap();
-    let response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::GATEWAY_TIMEOUT);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::GATEWAY_TIMEOUT);

-    check_error_header(response.headers(), "service in fail-fast");
+    check_error_header(rsp.headers(), "service in fail-fast");

    // Drop the client and discard the result of awaiting the proxy background
    // task. The result is discarded because it hits an error that is related
    // to the mock implementation and has no significance to the test.
-    drop(client);
-    let _ = bg.await;
+    let _ = bg.join_all().await;
 }

 #[tokio::test(flavor = "current_thread")]
@ -359,8 +482,8 @@ async fn h2_response_unmeshed_error_header() {
    let connect = support::connect().endpoint_fn_boxed(Target::addr(), connect_error());

    // Build a client using the connect that always errors.
-    let mut client = ClientBuilder::new();
-    client.http2_only(true);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -368,27 +491,30 @@ async fn h2_response_unmeshed_error_header() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::UNMESHED_H2);
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http2(&mut client, server).await;

    // Send a request and assert that it is SERVICE_UNAVAILABLE with the
    // expected header message.
    let req = Request::builder()
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
-        .body(Body::default())
+        .body(BoxBody::default())
        .unwrap();
-    let response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::GATEWAY_TIMEOUT);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::GATEWAY_TIMEOUT);
    assert!(
-        response.headers().get(L5D_PROXY_ERROR).is_none(),
+        rsp.headers().get(L5D_PROXY_ERROR).is_none(),
        "response must not contain L5D_PROXY_ERROR header"
    );

    // Drop the client and discard the result of awaiting the proxy background
    // task. The result is discarded because it hits an error that is related
    // to the mock implementation and has no significance to the test.
-    drop(client);
-    let _ = bg.await;
+    let _ = bg.join_all().await;
 }

 #[tokio::test(flavor = "current_thread")]
@ -399,8 +525,8 @@ async fn grpc_meshed_response_error_header() {
    let connect = support::connect().endpoint_fn_boxed(Target::addr(), connect_error());

    // Build a client using the connect that always errors.
-    let mut client = ClientBuilder::new();
-    client.http2_only(true);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -408,7 +534,7 @@ async fn grpc_meshed_response_error_header() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::meshed_h2());
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http2(&mut client, server).await;

    // Send a request and assert that it is OK with the expected header
    // message.
@ -416,18 +542,21 @@ async fn grpc_meshed_response_error_header() {
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
        .header(http::header::CONTENT_TYPE, "application/grpc")
-        .body(Body::default())
+        .body(BoxBody::default())
        .unwrap();
-    let response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::OK);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::OK);

-    check_error_header(response.headers(), "service in fail-fast");
+    check_error_header(rsp.headers(), "service in fail-fast");

    // Drop the client and discard the result of awaiting the proxy background
    // task. The result is discarded because it hits an error that is related
    // to the mock implementation and has no significance to the test.
-    drop(client);
-    let _ = bg.await;
+    let _ = bg.join_all().await;
 }

 #[tokio::test(flavor = "current_thread")]
@ -438,8 +567,8 @@ async fn grpc_unmeshed_response_error_header() {
    let connect = support::connect().endpoint_fn_boxed(Target::addr(), connect_error());

    // Build a client using the connect that always errors.
-    let mut client = ClientBuilder::new();
-    client.http2_only(true);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -447,7 +576,7 @@ async fn grpc_unmeshed_response_error_header() {
    let cfg = default_config();
    let (rt, _shutdown) = runtime();
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::UNMESHED_H2);
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http2(&mut client, server).await;

    // Send a request and assert that it is OK with the expected header
    // message.
@ -455,20 +584,23 @@ async fn grpc_unmeshed_response_error_header() {
        .method(http::Method::GET)
        .uri("http://foo.svc.cluster.local:5550")
        .header(http::header::CONTENT_TYPE, "application/grpc")
-        .body(Body::default())
+        .body(BoxBody::default())
        .unwrap();
-    let response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::OK);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::OK);
    assert!(
-        response.headers().get(L5D_PROXY_ERROR).is_none(),
+        rsp.headers().get(L5D_PROXY_ERROR).is_none(),
        "response must not contain L5D_PROXY_ERROR header"
    );

    // Drop the client and discard the result of awaiting the proxy background
    // task. The result is discarded because it hits an error that is related
    // to the mock implementation and has no significance to the test.
-    drop(client);
-    let _ = bg.await;
+    let _ = bg.join_all().await;
 }

 #[tokio::test(flavor = "current_thread")]
@ -477,8 +609,8 @@ async fn grpc_response_class() {

    // Build a mock connector serves a gRPC server that returns errors.
    let connect = {
-        let mut server = hyper::server::conn::Http::new();
-        server.http2_only(true);
+        let mut server = hyper::server::conn::http2::Builder::new(TokioExecutor::new());
+        server.timer(hyper_util::rt::TokioTimer::new());
        support::connect().endpoint_fn_boxed(
            Target::addr(),
            grpc_status_server(server, tonic::Code::Unknown),
@ -486,8 +618,8 @@ async fn grpc_response_class() {
    };

    // Build a client using the connect that always errors.
-    let mut client = ClientBuilder::new();
-    client.http2_only(true);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
    let profiles = profile::resolver();
    let profile_tx =
        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@ -500,7 +632,7 @@ async fn grpc_response_class() {
        .http_endpoint
        .into_report(time::Duration::from_secs(3600));
    let server = build_server(cfg, rt, profiles, connect).new_service(Target::meshed_h2());
-    let (mut client, bg) = http_util::connect_and_accept(&mut client, server).await;
+    let (mut client, bg) = http_util::connect_and_accept_http2(&mut client, server).await;

    // Send a request and assert that it is OK with the expected header
    // message.
@ -508,29 +640,43 @@ async fn grpc_response_class() {
        .method(http::Method::POST)
        .uri("http://foo.svc.cluster.local:5550")
        .header(http::header::CONTENT_TYPE, "application/grpc")
-        .body(Body::default())
+        .body(BoxBody::default())
        .unwrap();

-    let mut response = http_util::http_request(&mut client, req).await.unwrap();
-    assert_eq!(response.status(), http::StatusCode::OK);
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::OK);

-    response.body_mut().data().await;
-    let trls = response.body_mut().trailers().await.unwrap().unwrap();
+    use http_body_util::BodyExt;
+    let mut body = rsp.into_body();
+    let trls = body
+        .frame()
+        .await
+        .unwrap()
+        .unwrap()
+        .into_trailers()
+        .expect("trailers frame");
    assert_eq!(trls.get("grpc-status").unwrap().to_str().unwrap(), "2");

    let response_total = metrics
        .get_response_total(
            &metrics::EndpointLabels::Inbound(metrics::InboundEndpointLabels {
-                tls: Target::meshed_h2().1,
-                authority: Some("foo.svc.cluster.local:5550".parse().unwrap()),
+                tls: Target::meshed_h2().1.map(|t| t.labels()),
+                authority: None,
                target_addr: "127.0.0.1:80".parse().unwrap(),
                policy: metrics::RouteAuthzLabels {
                    route: metrics::RouteLabels {
-                        server: metrics::ServerLabel(Arc::new(policy::Meta::Resource {
-                            group: "policy.linkerd.io".into(),
-                            kind: "server".into(),
-                            name: "testsrv".into(),
-                        })),
+                        server: metrics::ServerLabel(
+                            Arc::new(policy::Meta::Resource {
+                                group: "policy.linkerd.io".into(),
+                                kind: "server".into(),
+                                name: "testsrv".into(),
+                            }),
+                            80,
+                        ),
                        route: policy::Meta::new_default("default"),
                    },
                    authz: Arc::new(policy::Meta::Resource {
@ -546,24 +692,124 @@ async fn grpc_response_class() {
        .expect("response_total not found");
    assert_eq!(response_total, 1.0);

-    drop((client, bg));
+    drop(bg);
+}
+
+#[tokio::test(flavor = "current_thread")]
+async fn unsafe_authority_labels_true() {
+    let _trace = trace_init();
+
+    let mut cfg = default_config();
+    cfg.unsafe_authority_labels = true;
+    test_unsafe_authority_labels(cfg, Some("foo.svc.cluster.local:5550".parse().unwrap())).await;
+}
+
+#[tokio::test(flavor = "current_thread")]
+async fn unsafe_authority_labels_false() {
+    let _trace = trace_init();
+
+    let cfg = default_config();
+    test_unsafe_authority_labels(cfg, None).await;
+}
+
+async fn test_unsafe_authority_labels(
+    cfg: Config,
+    expected_authority: Option<http::uri::Authority>,
+) {
+    let connect = {
+        let mut server = hyper::server::conn::http1::Builder::new();
+        server.timer(hyper_util::rt::TokioTimer::new());
+        support::connect().endpoint_fn_boxed(Target::addr(), hello_server(server))
+    };
+
+    // Build a client using the connect that always errors.
+    let mut client = hyper::client::conn::http1::Builder::new();
+    let profiles = profile::resolver();
+    let profile_tx =
+        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
+    profile_tx.send(profile::Profile::default()).unwrap();
+
+    let (rt, _shutdown) = runtime();
+    let metrics = rt
+        .metrics
+        .clone()
+        .http_endpoint
+        .into_report(time::Duration::from_secs(3600));
+    let server = build_server(cfg, rt, profiles, connect).new_service(Target::meshed_http1());
+    let (mut client, bg) = http_util::connect_and_accept_http1(&mut client, server).await;
+
+    // Send a request and assert that it is OK with the expected header
+    // message.
+    let req = Request::builder()
+        .method(http::Method::POST)
+        .uri("http://foo.svc.cluster.local:5550")
+        .header(http::header::CONTENT_TYPE, "text/plain")
+        .body(BoxBody::default())
+        .unwrap();
+
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::OK);
+
+    use http_body_util::BodyExt;
+    let mut body = rsp.into_body();
+    while let Some(Ok(_)) = body.frame().await {}
+
+    tracing::info!("{metrics:#?}");
+    let response_total = metrics
+        .get_response_total(
+            &metrics::EndpointLabels::Inbound(metrics::InboundEndpointLabels {
+                tls: Target::meshed_http1().1.as_ref().map(|t| t.labels()),
+                authority: expected_authority,
+                target_addr: "127.0.0.1:80".parse().unwrap(),
+                policy: metrics::RouteAuthzLabels {
+                    route: metrics::RouteLabels {
+                        server: metrics::ServerLabel(
+                            Arc::new(policy::Meta::Resource {
+                                group: "policy.linkerd.io".into(),
+                                kind: "server".into(),
+                                name: "testsrv".into(),
+                            }),
+                            80,
+                        ),
+                        route: policy::Meta::new_default("default"),
+                    },
+                    authz: Arc::new(policy::Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "serverauthorization".into(),
+                        name: "testsaz".into(),
+                    }),
+                },
+            }),
+            Some(http::StatusCode::OK),
+            &classify::Class::Http(Ok(http::StatusCode::OK)),
+        )
+        .expect("response_total not found");
+    assert_eq!(response_total, 1.0);
+
+    drop(bg);
 }

 #[tracing::instrument]
 fn hello_server(
-    http: hyper::server::conn::Http,
+    server: hyper::server::conn::http1::Builder,
 ) -> impl Fn(Remote<ServerAddr>) -> io::Result<io::BoxedIo> {
    move |endpoint| {
        let span = tracing::info_span!("hello_server", ?endpoint);
        let _e = span.enter();
        tracing::info!("mock connecting");
        let (client_io, server_io) = support::io::duplex(4096);
-        let hello_svc = hyper::service::service_fn(|request: Request<Body>| async move {
-            tracing::info!(?request);
-            Ok::<_, io::Error>(Response::new(Body::from("Hello world!")))
-        });
+        let hello_svc =
+            hyper::service::service_fn(|request: Request<hyper::body::Incoming>| async move {
+                tracing::info!(?request);
+                Ok::<_, io::Error>(Response::new(BoxBody::from_static("Hello world!")))
+            });
        tokio::spawn(
-            http.serve_connection(server_io, hello_svc)
+            server
+                .serve_connection(hyper_util::rt::TokioIo::new(server_io), hello_svc)
                .in_current_span(),
        );
        Ok(io::BoxedIo::new(client_io))
@ -572,7 +818,7 @@ fn hello_server(

 #[tracing::instrument]
 fn grpc_status_server(
-    http: hyper::server::conn::Http,
+    server: hyper::server::conn::http2::Builder<TokioExecutor>,
    status: tonic::Code,
 ) -> impl Fn(Remote<ServerAddr>) -> io::Result<io::BoxedIo> {
    move |endpoint| {
@ -581,26 +827,33 @@ fn grpc_status_server(
        tracing::info!("mock connecting");
        let (client_io, server_io) = support::io::duplex(4096);
        tokio::spawn(
-            http.serve_connection(
-                server_io,
-                hyper::service::service_fn(move |request: Request<Body>| async move {
-                    tracing::info!(?request);
-                    let (mut tx, rx) = Body::channel();
-                    tokio::spawn(async move {
-                        let mut trls = ::http::HeaderMap::new();
-                        trls.insert("grpc-status", (status as u32).to_string().parse().unwrap());
-                        tx.send_trailers(trls).await
-                    });
-                    Ok::<_, io::Error>(
-                        http::Response::builder()
-                            .version(::http::Version::HTTP_2)
-                            .header("content-type", "application/grpc")
-                            .body(rx)
-                            .unwrap(),
-                    )
-                }),
-            )
-            .in_current_span(),
+            server
+                .serve_connection(
+                    hyper_util::rt::TokioIo::new(server_io),
+                    hyper::service::service_fn(
+                        move |request: Request<hyper::body::Incoming>| async move {
+                            tracing::info!(?request);
+                            let (mut tx, rx) =
+                                http_body_util::channel::Channel::<bytes::Bytes, Error>::new(1024);
+                            tokio::spawn(async move {
+                                let mut trls = ::http::HeaderMap::new();
+                                trls.insert(
+                                    "grpc-status",
+                                    (status as u32).to_string().parse().unwrap(),
+                                );
+                                tx.send_trailers(trls).await
+                            });
+                            Ok::<_, io::Error>(
+                                http::Response::builder()
+                                    .version(::http::Version::HTTP_2)
+                                    .header("content-type", "application/grpc")
+                                    .body(rx)
+                                    .unwrap(),
+                            )
+                        },
+                    ),
+                )
+                .in_current_span(),
        );
        Ok(io::BoxedIo::new(client_io))
    }
@ -608,18 +861,11 @@ fn grpc_status_server(

 #[tracing::instrument]
 fn connect_error() -> impl Fn(Remote<ServerAddr>) -> io::Result<io::BoxedIo> {
-    move |_| {
-        Err(io::Error::new(
-            io::ErrorKind::Other,
-            "server is not listening",
-        ))
-    }
+    move |_| Err(io::Error::other("server is not listening"))
 }

 #[tracing::instrument]
-fn connect_timeout(
-    http: hyper::server::conn::Http,
-) -> Box<dyn FnMut(Remote<ServerAddr>) -> ConnectFuture + Send> {
+fn connect_timeout() -> Box<dyn FnMut(Remote<ServerAddr>) -> ConnectFuture + Send> {
    Box::new(move |endpoint| {
        let span = tracing::info_span!("connect_timeout", ?endpoint);
        Box::pin(
@ -636,7 +882,7 @@ fn connect_timeout(
 }

 #[derive(Clone, Debug)]
-struct Target(http::Version, tls::ConditionalServerTls);
+struct Target(http::Variant, tls::ConditionalServerTls);

 #[track_caller]
 fn check_error_header(hdrs: &::http::HeaderMap, expected: &str) {
@ -655,17 +901,17 @@ fn check_error_header(hdrs: &::http::HeaderMap, expected: &str) {

 impl Target {
    const UNMESHED_HTTP1: Self = Self(
-        http::Version::Http1,
+        http::Variant::Http1,
        tls::ConditionalServerTls::None(tls::NoServerTls::NoClientHello),
    );
    const UNMESHED_H2: Self = Self(
-        http::Version::H2,
+        http::Variant::H2,
        tls::ConditionalServerTls::None(tls::NoServerTls::NoClientHello),
    );

    fn meshed_http1() -> Self {
        Self(
-            http::Version::Http1,
+            http::Variant::Http1,
            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                client_id: Some(tls::ClientId(
                    "foosa.barns.serviceaccount.identity.linkerd.cluster.local"
@ -679,7 +925,7 @@ impl Target {

    fn meshed_h2() -> Self {
        Self(
-            http::Version::H2,
+            http::Variant::H2,
            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                client_id: Some(tls::ClientId(
                    "foosa.barns.serviceaccount.identity.linkerd.cluster.local"
@ -714,8 +960,8 @@ impl svc::Param<Remote<ClientAddr>> for Target {
    }
 }

-impl svc::Param<http::Version> for Target {
-    fn param(&self) -> http::Version {
+impl svc::Param<http::Variant> for Target {
+    fn param(&self) -> http::Variant {
        self.0
    }
 }
@ -748,6 +994,7 @@ impl svc::Param<policy::AllowPolicy> for Target {
                    kind: "server".into(),
                    name: "testsrv".into(),
                }),
+                local_rate_limit: Default::default(),
            },
        );
        policy
@ -756,11 +1003,14 @@ impl svc::Param<policy::AllowPolicy> for Target {

 impl svc::Param<policy::ServerLabel> for Target {
    fn param(&self) -> policy::ServerLabel {
-        policy::ServerLabel(Arc::new(policy::Meta::Resource {
-            group: "policy.linkerd.io".into(),
-            kind: "server".into(),
-            name: "testsrv".into(),
-        }))
+        policy::ServerLabel(
+            Arc::new(policy::Meta::Resource {
+                group: "policy.linkerd.io".into(),
+                kind: "server".into(),
+                name: "testsrv".into(),
+            }),
+            80,
+        )
    }
 }

--- a/linkerd/app/inbound/src/lib.rs
+++ b/linkerd/app/inbound/src/lib.rs
@ -18,12 +18,17 @@ mod server;
 #[cfg(any(test, feature = "test-util", fuzzing))]
 pub mod test_util;

-pub use self::{metrics::InboundMetrics, policy::DefaultPolicy};
+#[cfg(fuzzing)]
+pub use self::http::fuzz as http_fuzz;
+pub use self::{
+    detect::MetricsFamilies as DetectMetrics, metrics::InboundMetrics, policy::DefaultPolicy,
+};
 use linkerd_app_core::{
    config::{ConnectConfig, ProxyConfig, QueueConfig},
    drain,
-    http_tracing::OpenCensusSink,
+    http_tracing::SpanSink,
    identity, io,
+    metrics::prom,
    proxy::{tap, tcp},
    svc,
    transport::{self, Remote, ServerAddr},
@ -33,9 +38,6 @@ use std::{fmt::Debug, time::Duration};
 use thiserror::Error;
 use tracing::debug_span;

-#[cfg(fuzzing)]
-pub use self::http::fuzz as http_fuzz;
-
 #[derive(Clone, Debug)]
 pub struct Config {
    pub allow_discovery: NameMatch,
@ -53,6 +55,9 @@ pub struct Config {

    /// Configures how HTTP requests are buffered *for each inbound port*.
    pub http_request_queue: QueueConfig,
+
+    /// Enables unsafe authority labels.
+    pub unsafe_authority_labels: bool,
 }

 #[derive(Clone)]
@ -67,7 +72,7 @@ struct Runtime {
    metrics: InboundMetrics,
    identity: identity::creds::Receiver,
    tap: tap::Registry,
-    span_sink: OpenCensusSink,
+    span_sink: Option<SpanSink>,
    drain: drain::Watch,
 }

@ -108,10 +113,6 @@ impl<S> Inbound<S> {
        &self.runtime.identity
    }

-    pub fn proxy_metrics(&self) -> &metrics::Proxy {
-        &self.runtime.metrics.proxy
-    }
-
    /// A helper for gateways to instrument policy checks.
    pub fn authorize_http<N>(
        &self,
@ -149,9 +150,9 @@ impl<S> Inbound<S> {
 }

 impl Inbound<()> {
-    pub fn new(config: Config, runtime: ProxyRuntime) -> Self {
+    pub fn new(config: Config, runtime: ProxyRuntime, prom: &mut prom::Registry) -> Self {
        let runtime = Runtime {
-            metrics: InboundMetrics::new(runtime.metrics),
+            metrics: InboundMetrics::new(runtime.metrics, prom),
            identity: runtime.identity,
            tap: runtime.tap,
            span_sink: runtime.span_sink,
@ -167,7 +168,11 @@ impl Inbound<()> {
    #[cfg(any(test, feature = "test-util"))]
    pub fn for_test() -> (Self, drain::Signal) {
        let (rt, drain) = test_util::runtime();
-        let this = Self::new(test_util::default_config(), rt);
+        let this = Self::new(
+            test_util::default_config(),
+            rt,
+            &mut prom::Registry::default(),
+        );
        (this, drain)
    }

@ -201,6 +206,7 @@ impl Inbound<()> {
            // forwarding and HTTP proxying).
            let ConnectConfig {
                ref keepalive,
+                ref user_timeout,
                ref timeout,
                ..
            } = config.proxy.connect;
@ -209,7 +215,7 @@ impl Inbound<()> {
            #[error("inbound connection must not target port {0}")]
            struct Loop(u16);

-            svc::stack(transport::ConnectTcp::new(*keepalive))
+            svc::stack(transport::ConnectTcp::new(*keepalive, *user_timeout))
                // Limits the time we wait for a connection to be established.
                .push_connect_timeout(*timeout)
                // Prevent connections that would target the inbound proxy port from looping.
--- a/linkerd/app/inbound/src/metrics.rs
+++ b/linkerd/app/inbound/src/metrics.rs
@ -13,7 +13,7 @@ pub(crate) mod error;

 pub use linkerd_app_core::metrics::*;

-/// Holds outbound proxy metrics.
+/// Holds LEGACY inbound proxy metrics.
 #[derive(Clone, Debug)]
 pub struct InboundMetrics {
    pub http_authz: authz::HttpAuthzMetrics,
@ -25,21 +25,32 @@ pub struct InboundMetrics {
    /// Holds metrics that are common to both inbound and outbound proxies. These metrics are
    /// reported separately
    pub proxy: Proxy,
+
+    pub detect: crate::detect::MetricsFamilies,
+    pub direct: crate::direct::MetricsFamilies,
 }

 impl InboundMetrics {
-    pub(crate) fn new(proxy: Proxy) -> Self {
+    pub(crate) fn new(proxy: Proxy, reg: &mut prom::Registry) -> Self {
+        let detect =
+            crate::detect::MetricsFamilies::register(reg.sub_registry_with_prefix("tcp_detect"));
+        let direct = crate::direct::MetricsFamilies::register(
+            reg.sub_registry_with_prefix("tcp_transport_header"),
+        );
+
        Self {
            http_authz: authz::HttpAuthzMetrics::default(),
            http_errors: error::HttpErrorMetrics::default(),
            tcp_authz: authz::TcpAuthzMetrics::default(),
            tcp_errors: error::TcpErrorMetrics::default(),
            proxy,
+            detect,
+            direct,
        }
    }
 }

-impl FmtMetrics for InboundMetrics {
+impl legacy::FmtMetrics for InboundMetrics {
    fn fmt_metrics(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        self.http_authz.fmt_metrics(f)?;
        self.http_errors.fmt_metrics(f)?;
--- a/linkerd/app/inbound/src/metrics/authz.rs
+++ b/linkerd/app/inbound/src/metrics/authz.rs
@ -1,8 +1,9 @@
-use crate::policy::{AllowPolicy, HttpRoutePermit, ServerPermit};
+use crate::policy::{AllowPolicy, HttpRoutePermit, Meta, ServerPermit};
 use linkerd_app_core::{
    metrics::{
-        metrics, Counter, FmtLabels, FmtMetrics, RouteAuthzLabels, RouteLabels, ServerAuthzLabels,
-        ServerLabel, TargetAddr, TlsAccept,
+        legacy::{Counter, FmtLabels, FmtMetrics},
+        metrics, RouteAuthzLabels, RouteLabels, ServerAuthzLabels, ServerLabel, TargetAddr,
+        TlsAccept,
    },
    tls,
    transport::OrigDstAddr,
@ -21,6 +22,10 @@ metrics! {
        "The total number of inbound HTTP requests that could not be associated with a route"
    },

+    inbound_http_local_ratelimit_total: Counter {
+        "The total number of inbound HTTP requests that were rate-limited"
+    },
+
    inbound_tcp_authz_allow_total: Counter {
        "The total number of inbound TCP connections that were authorized"
    },
@ -43,6 +48,7 @@ struct HttpInner {
    allow: Mutex<HashMap<RouteAuthzKey, Counter>>,
    deny: Mutex<HashMap<RouteKey, Counter>>,
    route_not_found: Mutex<HashMap<ServerKey, Counter>>,
+    http_local_rate_limit: Mutex<HashMap<HttpLocalRateLimitKey, Counter>>,
 }

 #[derive(Debug, Default)]
@ -52,10 +58,17 @@ struct TcpInner {
    terminate: Mutex<HashMap<ServerKey, Counter>>,
 }

+#[derive(Clone, Debug, Eq, PartialEq, Hash)]
+pub struct HTTPLocalRateLimitLabels {
+    pub server: ServerLabel,
+    pub rate_limit: Option<Arc<Meta>>,
+    pub scope: &'static str,
+}
+
 #[derive(Debug, Hash, PartialEq, Eq)]
 struct Key<L> {
    target: TargetAddr,
-    tls: tls::ConditionalServerTls,
+    tls: tls::ConditionalServerTlsLabels,
    labels: L,
 }

@ -63,11 +76,12 @@ type ServerKey = Key<ServerLabel>;
 type ServerAuthzKey = Key<ServerAuthzLabels>;
 type RouteKey = Key<RouteLabels>;
 type RouteAuthzKey = Key<RouteAuthzLabels>;
+type HttpLocalRateLimitKey = Key<HTTPLocalRateLimitLabels>;

 // === impl HttpAuthzMetrics ===

 impl HttpAuthzMetrics {
-    pub fn allow(&self, permit: &HttpRoutePermit, tls: tls::ConditionalServerTls) {
+    pub fn allow(&self, permit: &HttpRoutePermit, tls: tls::ConditionalServerTlsLabels) {
        self.0
            .allow
            .lock()
@ -80,7 +94,7 @@ impl HttpAuthzMetrics {
        &self,
        labels: ServerLabel,
        dst: OrigDstAddr,
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
    ) {
        self.0
            .route_not_found
@ -90,7 +104,12 @@ impl HttpAuthzMetrics {
            .incr();
    }

-    pub fn deny(&self, labels: RouteLabels, dst: OrigDstAddr, tls: tls::ConditionalServerTls) {
+    pub fn deny(
+        &self,
+        labels: RouteLabels,
+        dst: OrigDstAddr,
+        tls: tls::ConditionalServerTlsLabels,
+    ) {
        self.0
            .deny
            .lock()
@ -98,6 +117,20 @@ impl HttpAuthzMetrics {
            .or_default()
            .incr();
    }
+
+    pub fn ratelimit(
+        &self,
+        labels: HTTPLocalRateLimitLabels,
+        dst: OrigDstAddr,
+        tls: tls::ConditionalServerTlsLabels,
+    ) {
+        self.0
+            .http_local_rate_limit
+            .lock()
+            .entry(HttpLocalRateLimitKey::new(labels, dst, tls))
+            .or_default()
+            .incr();
+    }
 }

 impl FmtMetrics for HttpAuthzMetrics {
@ -140,6 +173,19 @@ impl FmtMetrics for HttpAuthzMetrics {
        }
        drop(route_not_found);

+        let local_ratelimit = self.0.http_local_rate_limit.lock();
+        if !local_ratelimit.is_empty() {
+            inbound_http_local_ratelimit_total.fmt_help(f)?;
+            inbound_http_local_ratelimit_total.fmt_scopes(
+                f,
+                local_ratelimit
+                    .iter()
+                    .map(|(k, c)| ((k.target, (&k.labels, TlsAccept(&k.tls))), c)),
+                |c| c,
+            )?;
+        }
+        drop(local_ratelimit);
+
        Ok(())
    }
 }
@ -147,7 +193,7 @@ impl FmtMetrics for HttpAuthzMetrics {
 // === impl TcpAuthzMetrics ===

 impl TcpAuthzMetrics {
-    pub fn allow(&self, permit: &ServerPermit, tls: tls::ConditionalServerTls) {
+    pub fn allow(&self, permit: &ServerPermit, tls: tls::ConditionalServerTlsLabels) {
        self.0
            .allow
            .lock()
@ -156,7 +202,7 @@ impl TcpAuthzMetrics {
            .incr();
    }

-    pub fn deny(&self, policy: &AllowPolicy, tls: tls::ConditionalServerTls) {
+    pub fn deny(&self, policy: &AllowPolicy, tls: tls::ConditionalServerTlsLabels) {
        self.0
            .deny
            .lock()
@ -165,7 +211,7 @@ impl TcpAuthzMetrics {
            .incr();
    }

-    pub fn terminate(&self, policy: &AllowPolicy, tls: tls::ConditionalServerTls) {
+    pub fn terminate(&self, policy: &AllowPolicy, tls: tls::ConditionalServerTlsLabels) {
        self.0
            .terminate
            .lock()
@ -202,10 +248,36 @@ impl FmtMetrics for TcpAuthzMetrics {
    }
 }

+// === impl HTTPLocalRateLimitLabels ===
+
+impl FmtLabels for HTTPLocalRateLimitLabels {
+    fn fmt_labels(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let Self {
+            server,
+            rate_limit,
+            scope,
+        } = self;
+
+        server.fmt_labels(f)?;
+        if let Some(rl) = rate_limit {
+            write!(
+                f,
+                ",ratelimit_group=\"{}\",ratelimit_kind=\"{}\",ratelimit_name=\"{}\",ratelimit_scope=\"{}\"",
+                rl.group(),
+                rl.kind(),
+                rl.name(),
+                scope,
+            )
+        } else {
+            write!(f, ",ratelimit_scope=\"{scope}\"")
+        }
+    }
+}
+
 // === impl Key ===

 impl<L> Key<L> {
-    fn new(labels: L, dst: OrigDstAddr, tls: tls::ConditionalServerTls) -> Self {
+    fn new(labels: L, dst: OrigDstAddr, tls: tls::ConditionalServerTlsLabels) -> Self {
        Self {
            tls,
            target: TargetAddr(dst.into()),
@ -216,24 +288,30 @@ impl<L> Key<L> {

 impl<L: FmtLabels> FmtLabels for Key<L> {
    fn fmt_labels(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        (self.target, (&self.labels, TlsAccept(&self.tls))).fmt_labels(f)
+        let Self {
+            target,
+            tls,
+            labels,
+        } = self;
+
+        (target, (labels, TlsAccept(tls))).fmt_labels(f)
    }
 }

 impl ServerKey {
-    fn from_policy(policy: &AllowPolicy, tls: tls::ConditionalServerTls) -> Self {
+    fn from_policy(policy: &AllowPolicy, tls: tls::ConditionalServerTlsLabels) -> Self {
        Self::new(policy.server_label(), policy.dst_addr(), tls)
    }
 }

 impl RouteAuthzKey {
-    fn from_permit(permit: &HttpRoutePermit, tls: tls::ConditionalServerTls) -> Self {
+    fn from_permit(permit: &HttpRoutePermit, tls: tls::ConditionalServerTlsLabels) -> Self {
        Self::new(permit.labels.clone(), permit.dst, tls)
    }
 }

 impl ServerAuthzKey {
-    fn from_permit(permit: &ServerPermit, tls: tls::ConditionalServerTls) -> Self {
+    fn from_permit(permit: &ServerPermit, tls: tls::ConditionalServerTlsLabels) -> Self {
        Self::new(permit.labels.clone(), permit.dst, tls)
    }
 }
--- a/linkerd/app/inbound/src/metrics/error.rs
+++ b/linkerd/app/inbound/src/metrics/error.rs
@ -8,7 +8,7 @@ use crate::{
 };
 use linkerd_app_core::{
    errors::{FailFastError, LoadShedError},
-    metrics::FmtLabels,
+    metrics::legacy::FmtLabels,
    tls,
 };
 use std::fmt;
--- a/linkerd/app/inbound/src/metrics/error/http.rs
+++ b/linkerd/app/inbound/src/metrics/error/http.rs
@ -1,6 +1,9 @@
 use super::ErrorKind;
 use linkerd_app_core::{
-    metrics::{metrics, Counter, FmtMetrics, ServerLabel},
+    metrics::{
+        legacy::{Counter, FmtMetrics},
+        metrics, ServerLabel,
+    },
    svc::{self, stack::NewMonitor},
    transport::{labels::TargetAddr, OrigDstAddr},
    Error,
--- a/linkerd/app/inbound/src/metrics/error/tcp.rs
+++ b/linkerd/app/inbound/src/metrics/error/tcp.rs
@ -1,6 +1,9 @@
 use super::ErrorKind;
 use linkerd_app_core::{
-    metrics::{metrics, Counter, FmtMetrics},
+    metrics::{
+        legacy::{Counter, FmtMetrics},
+        metrics,
+    },
    svc::{self, stack::NewMonitor},
    transport::{labels::TargetAddr, OrigDstAddr},
    Error,
--- a/linkerd/app/inbound/src/policy.rs
+++ b/linkerd/app/inbound/src/policy.rs
@ -5,6 +5,8 @@ mod http;
 mod store;
 mod tcp;

+use crate::metrics::authz::HTTPLocalRateLimitLabels;
+
 pub(crate) use self::store::Store;
 pub use self::{
    config::Config,
@ -27,7 +29,8 @@ pub use linkerd_proxy_server_policy::{
    authz::Suffix,
    grpc::Route as GrpcRoute,
    http::{filter::Redirection, Route as HttpRoute},
-    route, Authentication, Authorization, Meta, Protocol, RoutePolicy, ServerPolicy,
+    route, Authentication, Authorization, Meta, Protocol, RateLimitError, RoutePolicy,
+    ServerPolicy,
 };
 use std::sync::Arc;
 use thiserror::Error;
@ -44,7 +47,7 @@ pub trait GetPolicy {
    fn get_policy(&self, dst: OrigDstAddr) -> AllowPolicy;
 }

-#[derive(Clone, Debug, PartialEq, Eq)]
+#[derive(Clone, Debug)]
 pub enum DefaultPolicy {
    Allow(ServerPolicy),
    Deny,
@ -90,6 +93,7 @@ impl From<DefaultPolicy> for ServerPolicy {
            DefaultPolicy::Allow(p) => p,
            DefaultPolicy::Deny => ServerPolicy {
                protocol: Protocol::Opaque(Arc::new([])),
+                local_rate_limit: Default::default(),
                meta: Meta::new_default("deny"),
            },
        }
@ -129,7 +133,21 @@ impl AllowPolicy {

    #[inline]
    pub fn server_label(&self) -> ServerLabel {
-        ServerLabel(self.server.borrow().meta.clone())
+        ServerLabel(self.server.borrow().meta.clone(), self.dst.port())
+    }
+
+    pub fn ratelimit_label(&self, error: &RateLimitError) -> HTTPLocalRateLimitLabels {
+        use RateLimitError::*;
+
+        let scope = match error {
+            Total(_) => "total",
+            PerIdentity(_) | Override(_) => "identity",
+        };
+        HTTPLocalRateLimitLabels {
+            server: self.server_label(),
+            rate_limit: self.server.borrow().local_rate_limit.meta(),
+            scope,
+        }
    }

    async fn changed(&mut self) {
@ -202,7 +220,7 @@ impl ServerPermit {
            protocol: server.protocol.clone(),
            labels: ServerAuthzLabels {
                authz: authz.meta.clone(),
-                server: ServerLabel(server.meta.clone()),
+                server: ServerLabel(server.meta.clone(), dst.port()),
            },
        }
    }
--- a/linkerd/app/inbound/src/policy/api.rs
+++ b/linkerd/app/inbound/src/policy/api.rs
@ -33,9 +33,8 @@ static INVALID_POLICY: once_cell::sync::OnceCell<ServerPolicy> = once_cell::sync

 impl<S> Api<S>
 where
-    S: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error> + Clone,
-    S::ResponseBody:
-        http::HttpBody<Data = tonic::codegen::Bytes, Error = Error> + Default + Send + 'static,
+    S: tonic::client::GrpcService<tonic::body::Body, Error = Error> + Clone,
+    S::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error> + Send + 'static,
 {
    pub(super) fn new(
        workload: Arc<str>,
@ -58,10 +57,9 @@ where

 impl<S> Service<u16> for Api<S>
 where
-    S: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+    S: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
    S: Clone + Send + Sync + 'static,
-    S::ResponseBody:
-        http::HttpBody<Data = tonic::codegen::Bytes, Error = Error> + Default + Send + 'static,
+    S::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error> + Send + 'static,
    S::Future: Send + 'static,
 {
    type Response =
--- a/linkerd/app/inbound/src/policy/config.rs
+++ b/linkerd/app/inbound/src/policy/config.rs
@ -40,10 +40,10 @@ impl Config {
        limits: ReceiveLimits,
    ) -> impl GetPolicy + Clone + Send + Sync + 'static
    where
-        C: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+        C: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
        C: Clone + Unpin + Send + Sync + 'static,
-        C::ResponseBody: http::HttpBody<Data = tonic::codegen::Bytes, Error = Error>,
-        C::ResponseBody: Default + Send + 'static,
+        C::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error>,
+        C::ResponseBody: Send + 'static,
        C::Future: Send,
    {
        match self {
--- a/linkerd/app/inbound/src/policy/defaults.rs
+++ b/linkerd/app/inbound/src/policy/defaults.rs
@ -36,6 +36,15 @@ pub fn cluster_unauthenticated(
    )
 }

+pub fn audit(timeout: Duration) -> ServerPolicy {
+    mk(
+        "audit",
+        all_nets(),
+        Authentication::Unauthenticated,
+        timeout,
+    )
+}
+
 pub fn all_mtls_unauthenticated(timeout: Duration) -> ServerPolicy {
    mk(
        "all-tls-unauthenticated",
@ -79,5 +88,6 @@ fn mk(
    ServerPolicy {
        meta: Meta::new_default(name),
        protocol,
+        local_rate_limit: Default::default(),
    }
 }
--- a/linkerd/app/inbound/src/policy/http.rs
+++ b/linkerd/app/inbound/src/policy/http.rs
@ -9,7 +9,7 @@ use linkerd_app_core::{
    svc::{self, ServiceExt},
    tls,
    transport::{ClientAddr, OrigDstAddr, Remote},
-    Error, Result,
+    Conditional, Error, Result,
 };
 use linkerd_proxy_server_policy::{grpc, http, route::RouteMatch};
 use std::{sync::Arc, task};
@ -171,6 +171,8 @@ where
            }
        };

+        try_fut!(self.check_rate_limit());
+
        future::Either::Left(
            self.inner
                .new_service((permit, self.target.clone()))
@ -202,7 +204,25 @@ impl<T, N> HttpPolicyService<T, N> {
            .iter()
            .find(|a| super::is_authorized(a, self.connection.client, &self.connection.tls))
        {
-            Some(authz) => authz,
+            Some(authz) => {
+                if authz.meta.is_audit() {
+                    tracing::info!(
+                        server.group = %labels.server.0.group(),
+                        server.kind = %labels.server.0.kind(),
+                        server.name = %labels.server.0.name(),
+                        route.group = %labels.route.group(),
+                        route.kind = %labels.route.kind(),
+                        route.name = %labels.route.name(),
+                        client.tls = ?self.connection.tls,
+                        client.ip = %self.connection.client.ip(),
+                        authz.group = %authz.meta.group(),
+                        authz.kind = %authz.meta.kind(),
+                        authz.name = %authz.meta.name(),
+                        "Request allowed",
+                    );
+                }
+                authz
+            }
            None => {
                tracing::info!(
                    server.group = %labels.server.0.group(),
@ -228,8 +248,11 @@ impl<T, N> HttpPolicyService<T, N> {
                        );
                    }
                }
-                self.metrics
-                    .deny(labels, self.connection.dst, self.connection.tls.clone());
+                self.metrics.deny(
+                    labels,
+                    self.connection.dst,
+                    self.connection.tls.as_ref().map(|t| t.labels()),
+                );
                return Err(HttpRouteUnauthorized(()).into());
            }
        };
@ -259,16 +282,43 @@ impl<T, N> HttpPolicyService<T, N> {
            }
        };

-        self.metrics.allow(&permit, self.connection.tls.clone());
+        self.metrics
+            .allow(&permit, self.connection.tls.as_ref().map(|t| t.labels()));
+
        Ok((permit, r#match, route))
    }

    fn mk_route_not_found(&self) -> Error {
        let labels = self.policy.server_label();
-        self.metrics
-            .route_not_found(labels, self.connection.dst, self.connection.tls.clone());
+        self.metrics.route_not_found(
+            labels,
+            self.connection.dst,
+            self.connection.tls.as_ref().map(|t| t.labels()),
+        );
        HttpRouteNotFound(()).into()
    }
+
+    fn check_rate_limit(&self) -> Result<()> {
+        let id = match self.connection.tls {
+            Conditional::Some(tls::ServerTls::Established {
+                client_id: Some(tls::ClientId(ref id)),
+                ..
+            }) => Some(id),
+            _ => None,
+        };
+        self.policy
+            .borrow()
+            .local_rate_limit
+            .check(id)
+            .map_err(|err| {
+                self.metrics.ratelimit(
+                    self.policy.ratelimit_label(&err),
+                    self.connection.dst,
+                    self.connection.tls.as_ref().map(|t| t.labels()),
+                );
+                err.into()
+            })
+    }
 }

 fn apply_http_filters<B>(
--- a/linkerd/app/inbound/src/policy/http/tests.rs
+++ b/linkerd/app/inbound/src/policy/http/tests.rs
@ -1,6 +1,8 @@
 use super::*;
 use crate::policy::{Authentication, Authorization, Meta, Protocol, ServerPolicy};
 use linkerd_app_core::{svc::Service, Infallible};
+use linkerd_http_box::BoxBody;
+use linkerd_proxy_server_policy::{LocalRateLimit, RateLimitError};

 macro_rules! conn {
    ($client:expr, $dst:expr) => {{
@ -19,7 +21,7 @@ macro_rules! conn {
 }

 macro_rules! new_svc {
-    ($proto:expr, $conn:expr, $rsp:expr) => {{
+    ($proto:expr, $conn:expr, $rsp:expr, $rl: expr) => {{
        let (policy, tx) = AllowPolicy::for_test(
            $conn.dst,
            ServerPolicy {
@ -29,6 +31,7 @@ macro_rules! new_svc {
                    kind: "Server".into(),
                    name: "testsrv".into(),
                }),
+                local_rate_limit: Arc::new($rl),
            },
        );
        let svc = HttpPolicyService {
@ -38,7 +41,7 @@ macro_rules! new_svc {
            metrics: HttpAuthzMetrics::default(),
            inner: |(permit, _): (HttpRoutePermit, ())| {
                let f = $rsp;
-                svc::mk(move |req: ::http::Request<hyper::Body>| {
+                svc::mk(move |req: ::http::Request<BoxBody>| {
                    futures::future::ready((f)(permit.clone(), req))
                })
            },
@ -46,19 +49,28 @@ macro_rules! new_svc {
        (svc, tx)
    }};

-    ($proto:expr) => {{
+    ($proto:expr, $conn:expr, $rsp:expr) => {{
+        new_svc!($proto, $conn, $rsp, Default::default())
+    }};
+
+    ($proto:expr, $rl:expr) => {{
        new_svc!(
            $proto,
            conn!(),
-            |permit: HttpRoutePermit, _req: ::http::Request<hyper::Body>| {
+            |permit: HttpRoutePermit, _req: ::http::Request<BoxBody>| {
                let mut rsp = ::http::Response::builder()
-                    .body(hyper::Body::default())
+                    .body(BoxBody::default())
                    .unwrap();
                rsp.extensions_mut().insert(permit.clone());
                Ok::<_, Infallible>(rsp)
-            }
+            },
+            $rl
        )
    }};
+
+    ($proto:expr) => {{
+        new_svc!($proto, Default::default())
+    }};
 }

 #[tokio::test(flavor = "current_thread")]
@ -108,11 +120,7 @@ async fn http_route() {

    // Test that authorization policies allow requests:
    let rsp = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
        .await
        .expect("serves");
    let permit = rsp
@ -126,7 +134,7 @@ async fn http_route() {
        .call(
            ::http::Request::builder()
                .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
@ -138,7 +146,7 @@ async fn http_route() {
        .call(
            ::http::Request::builder()
                .method(::http::Method::DELETE)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
@ -197,15 +205,12 @@ async fn http_route() {
                },
            ],
        }])),
+        local_rate_limit: Arc::new(Default::default()),
    })
    .expect("must send");

    assert!(svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap(),)
        .await
        .expect_err("fails")
        .is::<HttpRouteUnauthorized>());
@ -214,7 +219,7 @@ async fn http_route() {
        .call(
            ::http::Request::builder()
                .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
@ -225,7 +230,7 @@ async fn http_route() {
        .call(
            ::http::Request::builder()
                .method(::http::Method::DELETE)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
@ -273,14 +278,14 @@ async fn http_filter_header() {
            },
        }],
    }]));
-    let inner = |permit: HttpRoutePermit, req: ::http::Request<hyper::Body>| -> Result<_> {
+    let inner = |permit: HttpRoutePermit, req: ::http::Request<BoxBody>| -> Result<_> {
        assert_eq!(req.headers().len(), 1);
        assert_eq!(
            req.headers().get("testkey"),
            Some(&"testval".parse().unwrap())
        );
        let mut rsp = ::http::Response::builder()
-            .body(hyper::Body::default())
+            .body(BoxBody::default())
            .unwrap();
        rsp.extensions_mut().insert(permit);
        Ok(rsp)
@ -288,11 +293,7 @@ async fn http_filter_header() {
    let (mut svc, _tx) = new_svc!(proto, conn!(), inner);

    let rsp = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
        .await
        .expect("serves");
    let permit = rsp
@ -342,16 +343,12 @@ async fn http_filter_inject_failure() {
        }],
    }]));
    let inner = |_: HttpRoutePermit,
-                 _: ::http::Request<hyper::Body>|
-     -> Result<::http::Response<hyper::Body>> { unreachable!() };
+                 _: ::http::Request<BoxBody>|
+     -> Result<::http::Response<BoxBody>> { unreachable!() };
    let (mut svc, _tx) = new_svc!(proto, conn!(), inner);

    let err = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
        .await
        .expect_err("fails");
    assert_eq!(
@ -363,6 +360,82 @@ async fn http_filter_inject_failure() {
    );
 }

+#[tokio::test(flavor = "current_thread")]
+async fn rate_limit_allow() {
+    use linkerd_app_core::{Ipv4Net, Ipv6Net};
+
+    let rmeta = Meta::new_default("default");
+
+    // Rate-limit with plenty of room for two consecutive requests
+    let rl = LocalRateLimit::new_no_overrides_for_test(Some(10), Some(5));
+
+    let authorizations = Arc::new([Authorization {
+        meta: rmeta.clone(),
+        networks: vec![Ipv4Net::default().into(), Ipv6Net::default().into()],
+        authentication: Authentication::Unauthenticated,
+    }]);
+
+    let (mut svc, _tx) = new_svc!(
+        Protocol::Http1(Arc::new([http::default(authorizations.clone())])),
+        rl
+    );
+
+    // First request should be allowed
+    let rsp = svc
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
+        .await
+        .expect("serves");
+    assert_eq!(rsp.status(), ::http::StatusCode::OK);
+
+    // Second request should be allowed as well
+    let rsp = svc
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
+        .await
+        .expect("serves");
+    assert_eq!(rsp.status(), ::http::StatusCode::OK);
+}
+
+#[tokio::test(flavor = "current_thread")]
+async fn rate_limit_deny() {
+    use linkerd_app_core::{Ipv4Net, Ipv6Net};
+
+    let rmeta = Meta::new_default("default");
+
+    // Rate-limit with room for only one request per second
+    let rl = LocalRateLimit::new_no_overrides_for_test(Some(10), Some(1));
+
+    let authorizations = Arc::new([Authorization {
+        meta: rmeta.clone(),
+        networks: vec![Ipv4Net::default().into(), Ipv6Net::default().into()],
+        authentication: Authentication::Unauthenticated,
+    }]);
+
+    let (mut svc, _tx) = new_svc!(
+        Protocol::Http1(Arc::new([http::default(authorizations.clone())])),
+        rl
+    );
+
+    // First request should be allowed
+    let rsp = svc
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
+        .await
+        .expect("serves");
+    assert_eq!(rsp.status(), ::http::StatusCode::OK);
+
+    // Second request should be denied
+    let rsp = svc
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
+        .await
+        .expect_err("should deny");
+    let err = rsp
+        .downcast_ref::<RateLimitError>()
+        .expect("rate limit error");
+    match err {
+        RateLimitError::PerIdentity(rps) => assert_eq!(rps, &std::num::NonZeroU32::new(1).unwrap()),
+        _ => panic!("unexpected error"),
+    };
+}
+
 #[tokio::test(flavor = "current_thread")]
 async fn grpc_route() {
    use linkerd_proxy_server_policy::grpc::{
@ -422,7 +495,7 @@ async fn grpc_route() {
            ::http::Request::builder()
                .uri("/foo.bar.bah/baz")
                .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
@ -438,7 +511,7 @@ async fn grpc_route() {
            ::http::Request::builder()
                .uri("/foo.bar.bah/qux")
                .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
@ -450,7 +523,7 @@ async fn grpc_route() {
            ::http::Request::builder()
                .uri("/boo.bar.bah/bah")
                .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
@ -502,14 +575,14 @@ async fn grpc_filter_header() {
            },
        }],
    }]));
-    let inner = |permit: HttpRoutePermit, req: ::http::Request<hyper::Body>| -> Result<_> {
+    let inner = |permit: HttpRoutePermit, req: ::http::Request<BoxBody>| -> Result<_> {
        assert_eq!(req.headers().len(), 1);
        assert_eq!(
            req.headers().get("testkey"),
            Some(&"testval".parse().unwrap())
        );
        let mut rsp = ::http::Response::builder()
-            .body(hyper::Body::default())
+            .body(BoxBody::default())
            .unwrap();
        rsp.extensions_mut().insert(permit);
        Ok(rsp)
@ -521,7 +594,7 @@ async fn grpc_filter_header() {
            ::http::Request::builder()
                .uri("/foo.bar.bah/baz")
                .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
@ -579,8 +652,8 @@ async fn grpc_filter_inject_failure() {
        }],
    }]));
    let inner = |_: HttpRoutePermit,
-                 _: ::http::Request<hyper::Body>|
-     -> Result<::http::Response<hyper::Body>> { unreachable!() };
+                 _: ::http::Request<BoxBody>|
+     -> Result<::http::Response<BoxBody>> { unreachable!() };
    let (mut svc, _tx) = new_svc!(proto, conn!(), inner);

    let err = svc
@ -588,7 +661,7 @@ async fn grpc_filter_inject_failure() {
            ::http::Request::builder()
                .uri("/foo.bar.bah/baz")
                .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                .unwrap(),
        )
        .await
--- a/linkerd/app/inbound/src/policy/store.rs
+++ b/linkerd/app/inbound/src/policy/store.rs
@ -74,11 +74,10 @@ impl<S> Store<S> {
        opaque_ports: RangeInclusiveSet<u16>,
    ) -> Self
    where
-        S: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+        S: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
        S: Clone + Send + Sync + 'static,
        S::Future: Send,
-        S::ResponseBody:
-            http::HttpBody<Data = tonic::codegen::Bytes, Error = Error> + Default + Send + 'static,
+        S::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error> + Send + 'static,
    {
        let opaque_default = Self::make_opaque(default.clone());
        // The initial set of policies never expire from the cache.
@ -139,11 +138,10 @@ impl<S> Store<S> {

 impl<S> GetPolicy for Store<S>
 where
-    S: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+    S: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
    S: Clone + Send + Sync + 'static,
    S::Future: Send,
-    S::ResponseBody:
-        http::HttpBody<Data = tonic::codegen::Bytes, Error = Error> + Default + Send + 'static,
+    S::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error> + Send + 'static,
 {
    fn get_policy(&self, dst: OrigDstAddr) -> AllowPolicy {
        // Lookup the policy for the target port in the cache. If it doesn't
--- a/linkerd/app/inbound/src/policy/tcp.rs
+++ b/linkerd/app/inbound/src/policy/tcp.rs
@ -77,7 +77,8 @@ where
                // This new services requires a ClientAddr, so it must necessarily be built for each
                // connection. So we can just increment the counter here since the service can only
                // be used at most once.
-                self.metrics.allow(&permit, tls.clone());
+                self.metrics
+                    .allow(&permit, tls.as_ref().map(|t| t.labels()));

                let inner = self.inner.new_service((permit, target));
                TcpPolicy::Authorized(Authorized {
@ -97,7 +98,7 @@ where
                    ?tls, %client,
                    "Connection denied"
                );
-                self.metrics.deny(&policy, tls);
+                self.metrics.deny(&policy, tls.as_ref().map(|t| t.labels()));
                TcpPolicy::Unauthorized(deny)
            }
        }
@ -167,7 +168,7 @@ where
                                %client,
                                "Connection terminated due to policy change",
                            );
-                            metrics.terminate(&policy, tls);
+                            metrics.terminate(&policy, tls.as_ref().map(|t| t.labels()));
                            return Err(denied.into());
                        }
                    }
@ -194,6 +195,19 @@ fn check_authorized(
    {
        for authz in &**authzs {
            if super::is_authorized(authz, client_addr, tls) {
+                if authz.meta.is_audit() {
+                    tracing::info!(
+                        server.group = %server.meta.group(),
+                        server.kind = %server.meta.kind(),
+                        server.name = %server.meta.name(),
+                        client.tls = ?tls,
+                        client.ip = %client_addr.ip(),
+                        authz.group = %authz.meta.group(),
+                        authz.kind = %authz.meta.kind(),
+                        authz.name = %authz.meta.name(),
+                        "Request allowed",
+                    );
+                }
                return Ok(ServerPermit::new(dst, server, authz));
            }
        }
--- a/linkerd/app/inbound/src/policy/tcp/tests.rs
+++ b/linkerd/app/inbound/src/policy/tcp/tests.rs
@ -26,6 +26,7 @@ async fn unauthenticated_allowed() {
            kind: "server".into(),
            name: "test".into(),
        }),
+        local_rate_limit: Arc::new(Default::default()),
    };

    let tls = tls::ConditionalServerTls::None(tls::NoServerTls::NoClientHello);
@ -42,11 +43,14 @@ async fn unauthenticated_allowed() {
                    kind: "serverauthorization".into(),
                    name: "unauth".into()
                }),
-                server: ServerLabel(Arc::new(Meta::Resource {
-                    group: "policy.linkerd.io".into(),
-                    kind: "server".into(),
-                    name: "test".into()
-                }))
+                server: ServerLabel(
+                    Arc::new(Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "server".into(),
+                        name: "test".into()
+                    }),
+                    1000
+                )
            },
        }
    );
@ -75,6 +79,7 @@ async fn authenticated_identity() {
            kind: "server".into(),
            name: "test".into(),
        }),
+        local_rate_limit: Arc::new(Default::default()),
    };

    let tls = tls::ConditionalServerTls::Some(tls::ServerTls::Established {
@ -94,11 +99,14 @@ async fn authenticated_identity() {
                    kind: "serverauthorization".into(),
                    name: "tls-auth".into()
                }),
-                server: ServerLabel(Arc::new(Meta::Resource {
-                    group: "policy.linkerd.io".into(),
-                    kind: "server".into(),
-                    name: "test".into()
-                }))
+                server: ServerLabel(
+                    Arc::new(Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "server".into(),
+                        name: "test".into()
+                    }),
+                    1000
+                )
            }
        }
    );
@ -138,6 +146,7 @@ async fn authenticated_suffix() {
            kind: "server".into(),
            name: "test".into(),
        }),
+        local_rate_limit: Arc::new(Default::default()),
    };

    let tls = tls::ConditionalServerTls::Some(tls::ServerTls::Established {
@ -156,11 +165,14 @@ async fn authenticated_suffix() {
                    kind: "serverauthorization".into(),
                    name: "tls-auth".into()
                }),
-                server: ServerLabel(Arc::new(Meta::Resource {
-                    group: "policy.linkerd.io".into(),
-                    kind: "server".into(),
-                    name: "test".into()
-                })),
+                server: ServerLabel(
+                    Arc::new(Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "server".into(),
+                        name: "test".into()
+                    }),
+                    1000
+                ),
            }
        }
    );
@ -197,6 +209,7 @@ async fn tls_unauthenticated() {
            kind: "server".into(),
            name: "test".into(),
        }),
+        local_rate_limit: Arc::new(Default::default()),
    };

    let tls = tls::ConditionalServerTls::Some(tls::ServerTls::Established {
@ -215,11 +228,14 @@ async fn tls_unauthenticated() {
                    kind: "serverauthorization".into(),
                    name: "tls-unauth".into()
                }),
-                server: ServerLabel(Arc::new(Meta::Resource {
-                    group: "policy.linkerd.io".into(),
-                    kind: "server".into(),
-                    name: "test".into()
-                })),
+                server: ServerLabel(
+                    Arc::new(Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "server".into(),
+                        name: "test".into()
+                    }),
+                    1000
+                ),
            }
        }
    );
@ -247,7 +263,7 @@ fn orig_dst_addr() -> OrigDstAddr {
    OrigDstAddr(([192, 0, 2, 2], 1000).into())
 }

-impl tonic::client::GrpcService<tonic::body::BoxBody> for MockSvc {
+impl tonic::client::GrpcService<tonic::body::Body> for MockSvc {
    type ResponseBody = linkerd_app_core::control::RspBody;
    type Error = Error;
    type Future = futures::future::Pending<Result<http::Response<Self::ResponseBody>, Self::Error>>;
@ -259,7 +275,7 @@ impl tonic::client::GrpcService<tonic::body::BoxBody> for MockSvc {
        unreachable!()
    }

-    fn call(&mut self, _req: http::Request<tonic::body::BoxBody>) -> Self::Future {
+    fn call(&mut self, _req: http::Request<tonic::body::Body>) -> Self::Future {
        unreachable!()
    }
 }
--- a/linkerd/app/inbound/src/server.rs
+++ b/linkerd/app/inbound/src/server.rs
@ -27,10 +27,10 @@ impl Inbound<()> {
        limits: ReceiveLimits,
    ) -> impl policy::GetPolicy + Clone + Send + Sync + 'static
    where
-        C: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+        C: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
        C: Clone + Unpin + Send + Sync + 'static,
-        C::ResponseBody: http::HttpBody<Data = tonic::codegen::Bytes, Error = Error>,
-        C::ResponseBody: Default + Send + 'static,
+        C::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error>,
+        C::ResponseBody: Send + 'static,
        C::Future: Send,
    {
        self.config
@ -55,6 +55,8 @@ impl Inbound<()> {
        I: Debug + Unpin + Send + Sync + 'static,
        P: profiles::GetProfile<Error = Error>,
    {
+        let detect_metrics = self.runtime.metrics.detect.clone();
+
        // Handles connections to ports that can't be determined to be HTTP.
        let forward = self
            .clone()
@ -97,7 +99,7 @@ impl Inbound<()> {
        // Determines how to handle an inbound connection, dispatching it to the appropriate
        // stack.
        http.push_http_tcp_server()
-            .push_detect(forward)
+            .push_detect(detect_metrics, forward)
            .push_accept(addr.port(), policies, direct)
            .into_inner()
    }
--- a/linkerd/app/inbound/src/test_util.rs
+++ b/linkerd/app/inbound/src/test_util.rs
@ -3,14 +3,12 @@ pub use futures::prelude::*;
 use linkerd_app_core::{
    config,
    dns::Suffix,
-    drain, exp_backoff,
-    identity::rustls,
-    metrics,
+    drain, exp_backoff, identity, metrics,
    proxy::{
        http::{h1, h2},
        tap,
    },
-    transport::{DualListenAddr, Keepalive},
+    transport::{DualListenAddr, Keepalive, UserTimeout},
    ProxyRuntime,
 };
 pub use linkerd_app_test as support;
@ -46,6 +44,7 @@ pub fn default_config() -> Config {
                kind: "server".into(),
                name: "testsrv".into(),
            }),
+            local_rate_limit: Arc::new(Default::default()),
        }
        .into(),
        ports: Default::default(),
@ -59,10 +58,12 @@ pub fn default_config() -> Config {
            server: config::ServerConfig {
                addr: DualListenAddr(([0, 0, 0, 0], 0).into(), None),
                keepalive: Keepalive(None),
+                user_timeout: UserTimeout(None),
                http2: h2::ServerParams::default(),
            },
            connect: config::ConnectConfig {
                keepalive: Keepalive(None),
+                user_timeout: UserTimeout(None),
                timeout: Duration::from_secs(1),
                backoff: exp_backoff::ExponentialBackoff::try_new(
                    Duration::from_millis(100),
@ -86,6 +87,7 @@ pub fn default_config() -> Config {
        },
        discovery_idle_timeout: Duration::from_secs(20),
        profile_skip_timeout: Duration::from_secs(1),
+        unsafe_authority_labels: false,
    }
 }

@ -94,7 +96,7 @@ pub fn runtime() -> (ProxyRuntime, drain::Signal) {
    let (tap, _) = tap::new();
    let (metrics, _) = metrics::Metrics::new(std::time::Duration::from_secs(10));
    let runtime = ProxyRuntime {
-        identity: rustls::creds::default_for_test().1.into(),
+        identity: identity::creds::default_for_test().1,
        metrics: metrics.proxy,
        tap,
        span_sink: None,
--- a/linkerd/app/integration/Cargo.toml
+++ b/linkerd/app/integration/Cargo.toml
@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-integration"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Proxy integration tests

@ -17,43 +17,56 @@ default = []
 flakey = []

 [dependencies]
-bytes = "1"
+bytes = { workspace = true }
 futures = { version = "0.3", default-features = false, features = ["executor"] }
-h2 = "0.3"
-http = "0.2"
-http-body = "0.4"
-hyper = { version = "0.14", features = [
-    "http1",
-    "http2",
-    "stream",
-    "client",
-    "server",
-] }
+h2 = { workspace = true }
+http = { workspace = true }
+http-body = { workspace = true }
+http-body-util = { workspace = true }
+hyper-util = { workspace = true, features = ["service"] }
 ipnet = "2"
 linkerd-app = { path = "..", features = ["allow-loopback"] }
 linkerd-app-core = { path = "../core" }
-linkerd-metrics = { path = "../../metrics", features = ["test_util"] }
-linkerd2-proxy-api = { version = "0.13", features = [
-    "destination",
-    "arbitrary",
-] }
 linkerd-app-test = { path = "../test" }
+linkerd-meshtls = { path = "../../meshtls", features = ["test-util"] }
+linkerd-metrics = { path = "../../metrics", features = ["test_util"] }
+linkerd-rustls = { path = "../../rustls" }
 linkerd-tracing = { path = "../../tracing" }
 maplit = "1"
 parking_lot = "0.12"
 regex = "1"
-socket2 = "0.5"
+rustls-pemfile = "2.2"
+socket2 = "0.6"
 tokio = { version = "1", features = ["io-util", "net", "rt", "macros"] }
+tokio-rustls = { workspace = true }
 tokio-stream = { version = "0.1", features = ["sync"] }
-tokio-rustls = "0.24"
-rustls-pemfile = "1.0"
-tower = { version = "0.4", default-features = false }
-tonic = { version = "0.10", features = ["transport"], default-features = false }
-tracing = "0.1"
-tracing-subscriber = { version = "0.3", default-features = false, features = [
+tonic = { workspace = true, features = ["transport", "router"], default-features = false }
+tower = { workspace = true, default-features = false }
+tracing = { workspace = true }
+
+[dependencies.hyper]
+workspace = true
+features = [
+    "client",
+    "http1",
+    "http2",
+    "server",
+]
+
+[dependencies.linkerd2-proxy-api]
+workspace = true
+features = [
+    "arbitrary",
+    "destination",
+]
+
+[dependencies.tracing-subscriber]
+version = "0.3"
+default-features = false
+features = [
    "fmt",
    "std",
-] }
+]

 [dev-dependencies]
 flate2 = { version = "1", default-features = false, features = [
@ -61,8 +74,5 @@ flate2 = { version = "1", default-features = false, features = [
 ] }
 # Log streaming isn't enabled by default globally, but we want to test it.
 linkerd-app-admin = { path = "../admin", features = ["log-streaming"] }
-# No code from this crate is actually used; only necessary to enable the Rustls
-# implementation.
-linkerd-meshtls = { path = "../../meshtls", features = ["rustls"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 serde_json = "1"
--- a/linkerd/app/integration/src/client.rs
+++ b/linkerd/app/integration/src/client.rs
@ -1,26 +1,28 @@
 use super::*;
-use linkerd_app_core::proxy::http::TracingExecutor;
+use http::{Request, Response};
+use linkerd_app_core::{proxy::http::TokioExecutor, svc::http::BoxBody};
 use parking_lot::Mutex;
 use std::io;
-use tokio::net::TcpStream;
-use tokio::task::JoinHandle;
+use tokio::{net::TcpStream, task::JoinHandle};
 use tokio_rustls::rustls::{self, ClientConfig};
 use tracing::info_span;

-type ClientError = hyper::Error;
-type Request = http::Request<hyper::Body>;
-type Response = http::Response<hyper::Body>;
-type Sender = mpsc::UnboundedSender<(Request, oneshot::Sender<Result<Response, ClientError>>)>;
+type ClientError = hyper_util::client::legacy::Error;
+type Sender = mpsc::UnboundedSender<(
+    Request<BoxBody>,
+    oneshot::Sender<Result<Response<hyper::body::Incoming>, ClientError>>,
+)>;

 #[derive(Clone)]
 pub struct TlsConfig {
    client_config: Arc<ClientConfig>,
-    name: rustls::ServerName,
+    name: rustls::pki_types::ServerName<'static>,
 }

 impl TlsConfig {
-    pub fn new(client_config: Arc<ClientConfig>, name: &str) -> Self {
-        let name = rustls::ServerName::try_from(name).expect("name must be a valid DNS name");
+    pub fn new(client_config: Arc<ClientConfig>, name: &'static str) -> Self {
+        let name =
+            rustls::pki_types::ServerName::try_from(name).expect("name must be a valid DNS name");
        TlsConfig {
            client_config,
            name,
@ -74,9 +76,6 @@ pub fn http2_tls<T: Into<String>>(addr: SocketAddr, auth: T, tls: TlsConfig) ->
    Client::new(addr, auth.into(), Run::Http2, Some(tls))
 }

-pub fn tcp(addr: SocketAddr) -> tcp::TcpClient {
-    tcp::client(addr)
-}
 pub struct Client {
    addr: SocketAddr,
    run: Run,
@ -132,11 +131,19 @@ impl Client {
    pub fn request(
        &self,
        builder: http::request::Builder,
-    ) -> impl Future<Output = Result<Response, ClientError>> + Send + Sync + 'static {
-        self.send_req(builder.body(Bytes::new().into()).unwrap())
+    ) -> impl Future<Output = Result<Response<hyper::body::Incoming>, ClientError>> + Send + 'static
+    {
+        let req = builder.body(BoxBody::empty()).unwrap();
+        self.send_req(req)
    }

-    pub async fn request_body(&self, req: Request) -> Response {
+    pub async fn request_body<B>(&self, req: Request<B>) -> Response<hyper::body::Incoming>
+    where
+        B: Body + Send + 'static,
+        B::Data: Send + 'static,
+        B::Error: Into<Error>,
+    {
+        let req = req.map(BoxBody::new);
        self.send_req(req).await.expect("response")
    }

@ -152,11 +159,16 @@ impl Client {
        }
    }

-    #[tracing::instrument(skip(self))]
-    pub(crate) fn send_req(
+    #[tracing::instrument(skip(self, req))]
+    pub(crate) fn send_req<B>(
        &self,
-        mut req: Request,
-    ) -> impl Future<Output = Result<Response, ClientError>> + Send + Sync + 'static {
+        mut req: Request<B>,
+    ) -> impl Future<Output = Result<Response<hyper::body::Incoming>, ClientError>> + Send + 'static
+    where
+        B: Body + Send + 'static,
+        B::Data: Send + 'static,
+        B::Error: Into<Error>,
+    {
        if req.uri().scheme().is_none() {
            if self.tls.is_some() {
                *req.uri_mut() = format!("https://{}{}", self.authority, req.uri().path())
@ -170,7 +182,8 @@ impl Client {
        }
        tracing::debug!(headers = ?req.headers(), "request");
        let (tx, rx) = oneshot::channel();
-        let _ = self.tx.send((req.map(Into::into), tx));
+        let req = req.map(BoxBody::new);
+        let _ = self.tx.send((req, tx));
        async { rx.await.expect("request cancelled") }.in_current_span()
    }

@ -220,13 +233,17 @@ enum Run {
    Http2,
 }

+pub type Running = Pin<Box<dyn Future<Output = ()> + Send + 'static>>;
+
 fn run(
    addr: SocketAddr,
    version: Run,
    tls: Option<TlsConfig>,
 ) -> (Sender, JoinHandle<()>, Running) {
-    let (tx, rx) =
-        mpsc::unbounded_channel::<(Request, oneshot::Sender<Result<Response, ClientError>>)>();
+    let (tx, rx) = mpsc::unbounded_channel::<(
+        Request<BoxBody>,
+        oneshot::Sender<Result<Response<hyper::body::Incoming>, ClientError>>,
+    )>();

    let test_name = thread_name();
    let absolute_uris = if let Run::Http1 { absolute_uris } = version {
@ -235,7 +252,12 @@ fn run(
        false
    };

-    let (running_tx, running) = running();
+    let (running_tx, running) = {
+        let (tx, rx) = oneshot::channel();
+        let rx = Box::pin(rx.map(|_| ()));
+        (tx, rx)
+    };
+
    let conn = Conn {
        addr,
        absolute_uris,
@ -250,10 +272,9 @@ fn run(

    let span = info_span!("test client", peer_addr = %addr, ?version, test = %test_name);
    let work = async move {
-        let client = hyper::Client::builder()
+        let client = hyper_util::client::legacy::Client::builder(TokioExecutor::new())
            .http2_only(http2_only)
-            .executor(TracingExecutor)
-            .build::<Conn, hyper::Body>(conn);
+            .build::<Conn, BoxBody>(conn);
        tracing::trace!("client task started");
        let mut rx = rx;
        let (drain_tx, drain) = drain::channel();
@ -263,7 +284,6 @@ fn run(
        // instance would remain un-dropped.
        async move {
            while let Some((req, cb)) = rx.recv().await {
-                let req = req.map(hyper::Body::from);
                tracing::trace!(?req);
                let req = client.request(req);
                tokio::spawn(
@ -295,9 +315,11 @@ struct Conn {
 }

 impl tower::Service<hyper::Uri> for Conn {
-    type Response = RunningIo;
+    type Response = hyper_util::rt::TokioIo<RunningIo>;
    type Error = io::Error;
-    type Future = Pin<Box<dyn Future<Output = io::Result<RunningIo>> + Send + 'static>>;
+    type Future = Pin<
+        Box<dyn Future<Output = io::Result<hyper_util::rt::TokioIo<RunningIo>>> + Send + 'static>,
+    >;

    fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
        Poll::Ready(Ok(()))
@ -327,19 +349,19 @@ impl tower::Service<hyper::Uri> for Conn {
            } else {
                Box::pin(io) as Pin<Box<dyn Io + Send + 'static>>
            };
-            Ok(RunningIo {
+            Ok(hyper_util::rt::TokioIo::new(RunningIo {
                io,
                abs_form,
                _running: Some(running),
-            })
+            }))
        })
    }
 }

-impl hyper::client::connect::Connection for RunningIo {
-    fn connected(&self) -> hyper::client::connect::Connected {
+impl hyper_util::client::legacy::connect::Connection for RunningIo {
+    fn connected(&self) -> hyper_util::client::legacy::connect::Connected {
        // Setting `proxy` to true will configure Hyper to use absolute-form
        // URIs on this connection.
-        hyper::client::connect::Connected::new().proxy(self.abs_form)
+        hyper_util::client::legacy::connect::Connected::new().proxy(self.abs_form)
    }
 }
--- a/linkerd/app/integration/src/controller.rs
+++ b/linkerd/app/integration/src/controller.rs
@ -2,7 +2,7 @@ use super::*;

 pub use linkerd2_proxy_api::destination as pb;
 use linkerd2_proxy_api::net;
-use linkerd_app_core::proxy::http::TracingExecutor;
+use linkerd_app_core::proxy::http::TokioExecutor;
 use parking_lot::Mutex;
 use std::collections::VecDeque;
 use std::net::IpAddr;
@ -262,10 +262,7 @@ impl pb::destination_server::Destination for Controller {
                }

                tracing::warn!(?dst, ?updates, "request does not match");
-                let msg = format!(
-                    "expected get call for {:?} but got get call for {:?}",
-                    dst, req
-                );
+                let msg = format!("expected get call for {dst:?} but got get call for {req:?}");
                calls.push_front(Dst::Call(dst, updates));
                return Err(grpc::Status::new(grpc::Code::Unavailable, msg));
            }
@ -343,7 +340,7 @@ pub(crate) async fn run<T, B>(
    delay: Option<Pin<Box<dyn Future<Output = ()> + Send>>>,
 ) -> Listening
 where
-    T: tower::Service<http::Request<hyper::body::Body>, Response = http::Response<B>>,
+    T: tower::Service<http::Request<hyper::body::Incoming>, Response = http::Response<B>>,
    T: Clone + Send + 'static,
    T::Error: Into<Box<dyn std::error::Error + Send + Sync>>,
    T::Future: Send,
@ -372,12 +369,16 @@ where
                let _ = listening_tx.send(());
            }

-            let mut http = hyper::server::conn::Http::new().with_executor(TracingExecutor);
-            http.http2_only(true);
+            let mut http = hyper::server::conn::http2::Builder::new(TokioExecutor::new());
            loop {
                let (sock, addr) = listener.accept().await?;
                let span = tracing::debug_span!("conn", %addr).or_current();
-                let serve = http.serve_connection(sock, svc.clone());
+                let serve = http
+                    .timer(hyper_util::rt::TokioTimer::new())
+                    .serve_connection(
+                        hyper_util::rt::TokioIo::new(sock),
+                        hyper_util::service::TowerToHyperService::new(svc.clone()),
+                    );
                let f = async move {
                    serve.await.map_err(|error| {
                        tracing::error!(
@ -530,6 +531,7 @@ impl From<DestinationBuilder> for pb::Update {
                    tls_identity,
                    authority_override: None,
                    http2: None,
+                    resource_ref: None,
                }],
                metric_labels: set_labels,
            })),
@ -610,7 +612,11 @@ pub fn retry_budget(
 }

 pub fn dst_override(authority: String, weight: u32) -> pb::WeightedDst {
-    pb::WeightedDst { authority, weight }
+    pb::WeightedDst {
+        authority,
+        weight,
+        backend_ref: None,
+    }
 }

 pub fn route() -> RouteBuilder {
--- a/linkerd/app/integration/src/identity.rs
+++ b/linkerd/app/integration/src/identity.rs
@ -8,7 +8,8 @@ use std::{
 };

 use linkerd2_proxy_api::identity as pb;
-use tokio_rustls::rustls;
+use linkerd_rustls::get_default_provider;
+use tokio_rustls::rustls::{self, server::WebPkiClientVerifier};
 use tonic as grpc;

 pub struct Identity {
@ -34,10 +35,6 @@ type Certify = Box<
        > + Send,
 >;

-static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13];
-static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
-    &[rustls::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256];
-
 struct Certificates {
    pub leaf: Vec<u8>,
    pub intermediates: Vec<Vec<u8>>,
@ -50,11 +47,17 @@ impl Certificates {
    {
        let f = fs::File::open(p)?;
        let mut r = io::BufReader::new(f);
-        let mut certs = rustls_pemfile::certs(&mut r)
-            .map_err(|_| io::Error::new(io::ErrorKind::Other, "rustls error reading certs"))?;
-        let mut certs = certs.drain(..);
-        let leaf = certs.next().expect("no leaf cert in pemfile");
-        let intermediates = certs.collect();
+        let mut certs = rustls_pemfile::certs(&mut r);
+        let leaf = certs
+            .next()
+            .expect("no leaf cert in pemfile")
+            .map_err(|_| io::Error::other("rustls error reading certs"))?
+            .as_ref()
+            .to_vec();
+        let intermediates = certs
+            .map(|cert| cert.map(|cert| cert.as_ref().to_vec()))
+            .collect::<Result<Vec<_>, _>>()
+            .map_err(|_| io::Error::other("rustls error reading certs"))?;

        Ok(Certificates {
            leaf,
@ -62,11 +65,14 @@ impl Certificates {
        })
    }

-    pub fn chain(&self) -> Vec<rustls::Certificate> {
+    pub fn chain(&self) -> Vec<rustls::pki_types::CertificateDer<'static>> {
        let mut chain = Vec::with_capacity(self.intermediates.len() + 1);
        chain.push(self.leaf.clone());
        chain.extend(self.intermediates.clone());
-        chain.into_iter().map(rustls::Certificate).collect()
+        chain
+            .into_iter()
+            .map(rustls::pki_types::CertificateDer::from)
+            .collect()
    }

    pub fn response(&self) -> pb::CertifyResponse {
@ -79,43 +85,46 @@ impl Certificates {
 }

 impl Identity {
-    fn load_key<P>(p: P) -> rustls::PrivateKey
+    fn load_key<P>(p: P) -> rustls::pki_types::PrivateKeyDer<'static>
    where
        P: AsRef<Path>,
    {
        let p8 = fs::read(&p).expect("read key");
-        rustls::PrivateKey(p8)
+        rustls::pki_types::PrivateKeyDer::try_from(p8).expect("decode key")
    }

    fn configs(
        trust_anchors: &str,
        certs: &Certificates,
-        key: rustls::PrivateKey,
+        key: rustls::pki_types::PrivateKeyDer<'static>,
    ) -> (Arc<rustls::ClientConfig>, Arc<rustls::ServerConfig>) {
        use std::io::Cursor;
        let mut roots = rustls::RootCertStore::empty();
-        let trust_anchors =
-            rustls_pemfile::certs(&mut Cursor::new(trust_anchors)).expect("error parsing pemfile");
-        let (added, skipped) = roots.add_parsable_certificates(&trust_anchors[..]);
+        let trust_anchors = rustls_pemfile::certs(&mut Cursor::new(trust_anchors))
+            .collect::<Result<Vec<_>, _>>()
+            .expect("error parsing pemfile");
+        let (added, skipped) = roots.add_parsable_certificates(trust_anchors);
        assert_ne!(added, 0, "trust anchors must include at least one cert");
        assert_eq!(skipped, 0, "no certs in pemfile should be invalid");

-        let client_config = rustls::ClientConfig::builder()
-            .with_cipher_suites(TLS_SUPPORTED_CIPHERSUITES)
-            .with_safe_default_kx_groups()
-            .with_protocol_versions(TLS_VERSIONS)
+        let provider = get_default_provider();
+
+        let client_config = rustls::ClientConfig::builder_with_provider(provider.clone())
+            .with_safe_default_protocol_versions()
            .expect("client config must be valid")
            .with_root_certificates(roots.clone())
            .with_no_client_auth();

-        let server_config = rustls::ServerConfig::builder()
-            .with_cipher_suites(TLS_SUPPORTED_CIPHERSUITES)
-            .with_safe_default_kx_groups()
-            .with_protocol_versions(TLS_VERSIONS)
+        let client_cert_verifier =
+            WebPkiClientVerifier::builder_with_provider(Arc::new(roots), provider.clone())
+                .allow_unauthenticated()
+                .build()
+                .expect("server verifier must be valid");
+
+        let server_config = rustls::ServerConfig::builder_with_provider(provider)
+            .with_safe_default_protocol_versions()
            .expect("server config must be valid")
-            .with_client_cert_verifier(Arc::new(
-                rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(roots),
-            ))
+            .with_client_cert_verifier(client_cert_verifier)
            .with_single_cert(certs.chain(), key)
            .unwrap();

@ -204,7 +213,7 @@ impl Controller {
            let f = f.take().expect("called twice?");
            let fut = f(req)
                .map_ok(grpc::Response::new)
-                .map_err(|e| grpc::Status::new(grpc::Code::Internal, format!("{}", e)));
+                .map_err(|e| grpc::Status::new(grpc::Code::Internal, format!("{e}")));
            Box::pin(fut)
        });
        self.expect_calls.lock().push_back(func);
--- a/linkerd/app/integration/src/lib.rs
+++ b/linkerd/app/integration/src/lib.rs
@ -3,6 +3,7 @@
 #![warn(rust_2018_idioms, clippy::disallowed_methods, clippy::disallowed_types)]
 #![forbid(unsafe_code)]
 #![recursion_limit = "256"]
+#![allow(clippy::result_large_err)]

 mod test_env;

@ -26,9 +27,9 @@ pub use bytes::{Buf, BufMut, Bytes};
 pub use futures::stream::{Stream, StreamExt};
 pub use futures::{future, FutureExt, TryFuture, TryFutureExt};
 pub use http::{HeaderMap, Request, Response, StatusCode};
-pub use http_body::Body as HttpBody;
+pub use http_body::Body;
 pub use linkerd_app as app;
-pub use linkerd_app_core::{drain, Addr};
+pub use linkerd_app_core::{drain, Addr, Error};
 pub use linkerd_app_test::*;
 pub use linkerd_tracing::test::*;
 use socket2::Socket;
@ -50,8 +51,6 @@ pub use tower::Service;
 pub const ENV_TEST_PATIENCE_MS: &str = "RUST_TEST_PATIENCE_MS";
 pub const DEFAULT_TEST_PATIENCE: Duration = Duration::from_millis(15);

-pub type Error = Box<dyn std::error::Error + Send + Sync + 'static>;
-
 /// Retry an assertion up to a specified number of times, waiting
 /// `RUST_TEST_PATIENCE_MS` between retries.
 ///
@ -73,7 +72,7 @@ pub type Error = Box<dyn std::error::Error + Send + Sync + 'static>;
 macro_rules! assert_eventually {
    ($cond:expr, retries: $retries:expr, $($arg:tt)+) => {
        {
-            use std::{env, u64};
+            use std::{env};
            use std::str::FromStr;
            use tokio::time::{Instant, Duration};
            use tracing::Instrument as _;
@ -219,15 +218,6 @@ impl Shutdown {

 pub type ShutdownRx = Pin<Box<dyn Future<Output = ()> + Send>>;

-/// A channel used to signal when a Client's related connection is running or closed.
-pub fn running() -> (oneshot::Sender<()>, Running) {
-    let (tx, rx) = oneshot::channel();
-    let rx = Box::pin(rx.map(|_| ()));
-    (tx, rx)
-}
-
-pub type Running = Pin<Box<dyn Future<Output = ()> + Send + Sync + 'static>>;
-
 pub fn s(bytes: &[u8]) -> &str {
    ::std::str::from_utf8(bytes).unwrap()
 }
@ -258,7 +248,7 @@ impl fmt::Display for HumanDuration {
        let secs = self.0.as_secs();
        let subsec_ms = self.0.subsec_nanos() as f64 / 1_000_000f64;
        if secs == 0 {
-            write!(fmt, "{}ms", subsec_ms)
+            write!(fmt, "{subsec_ms}ms")
        } else {
            write!(fmt, "{}s", secs as f64 + subsec_ms)
        }
@ -267,7 +257,7 @@ impl fmt::Display for HumanDuration {

 pub async fn cancelable<E: Send + 'static>(
    drain: drain::Watch,
-    f: impl Future<Output = Result<(), E>> + Send + 'static,
+    f: impl Future<Output = Result<(), E>>,
 ) -> Result<(), E> {
    tokio::select! {
        res = f => res,
--- a/linkerd/app/integration/src/metrics.rs
+++ b/linkerd/app/integration/src/metrics.rs
@ -192,8 +192,8 @@ impl MetricMatch {
    }

    pub async fn assert_in(&self, client: &crate::client::Client) {
+        use std::env;
        use std::str::FromStr;
-        use std::{env, u64};
        use tokio::time::{Duration, Instant};
        use tracing::Instrument as _;
        const MAX_RETRIES: usize = 5;
--- a/linkerd/app/integration/src/policy.rs
+++ b/linkerd/app/integration/src/policy.rs
@ -2,6 +2,7 @@ use super::*;
 pub use api::{inbound, outbound};
 use api::{inbound::inbound_server_policies_server, outbound::outbound_policies_server};
 use futures::stream;
+use http_body_util::combinators::UnsyncBoxBody;
 use linkerd2_proxy_api as api;
 use parking_lot::Mutex;
 use std::collections::VecDeque;
@ -34,6 +35,9 @@ pub struct InboundSender(Tx<inbound::Server>);
 #[derive(Debug, Clone)]
 pub struct OutboundSender(Tx<outbound::OutboundPolicy>);

+#[derive(Clone)]
+struct RoutesSvc(grpc::service::Routes);
+
 type Tx<T> = mpsc::UnboundedSender<Result<T, grpc::Status>>;
 type Rx<T> = UnboundedReceiverStream<Result<T, grpc::Status>>;
 type WatchStream<T> = Pin<Box<dyn Stream<Item = Result<T, grpc::Status>> + Send + Sync + 'static>>;
@ -45,6 +49,7 @@ pub fn all_unauthenticated() -> inbound::Server {
                inbound::proxy_protocol::Detect {
                    timeout: Some(Duration::from_secs(10).try_into().unwrap()),
                    http_routes: vec![],
+                    http_local_rate_limit: None,
                },
            )),
        }),
@ -118,11 +123,11 @@ pub fn outbound_default(dst: impl ToString) -> outbound::OutboundPolicy {
                timeout: Some(Duration::from_secs(10).try_into().unwrap()),
                http1: Some(proxy_protocol::Http1 {
                    routes: vec![route.clone()],
-                    failure_accrual: None,
+                    ..Default::default()
                }),
                http2: Some(proxy_protocol::Http2 {
                    routes: vec![route],
-                    failure_accrual: None,
+                    ..Default::default()
                }),
                opaque: Some(proxy_protocol::Opaque {
                    routes: vec![outbound_default_opaque_route(dst)],
@ -150,7 +155,7 @@ pub fn outbound_default_http_route(dst: impl ToString) -> outbound::HttpRoute {
            }],
            filters: Vec::new(),
            backends: Some(http_first_available(std::iter::once(backend(dst)))),
-            request_timeout: None,
+            ..Default::default()
        }],
    }
 }
@ -167,10 +172,12 @@ pub fn outbound_default_opaque_route(dst: impl ToString) -> outbound::OpaqueRout
                    distribution::FirstAvailable {
                        backends: vec![opaque_route::RouteBackend {
                            backend: Some(backend(dst)),
+                            filters: Vec::new(),
                        }],
                    },
                )),
            }),
+            filters: Vec::new(),
        }],
    }
 }
@ -214,7 +221,7 @@ pub fn http_first_available(
                    .map(|backend| http_route::RouteBackend {
                        backend: Some(backend),
                        filters: Vec::new(),
-                        request_timeout: None,
+                        ..Default::default()
                    })
                    .collect(),
            },
@ -295,7 +302,7 @@ impl Controller {
    }

    pub async fn run(self) -> controller::Listening {
-        let svc = grpc::transport::Server::builder()
+        let routes = grpc::service::Routes::default()
            .add_service(
                inbound_server_policies_server::InboundServerPoliciesServer::new(Server(Arc::new(
                    self.inbound,
@ -303,9 +310,9 @@ impl Controller {
            )
            .add_service(outbound_policies_server::OutboundPoliciesServer::new(
                Server(Arc::new(self.outbound)),
-            ))
-            .into_service();
-        controller::run(svc, "support policy controller", None).await
+            ));
+
+        controller::run(RoutesSvc(routes), "support policy controller", None).await
    }
 }

@ -506,6 +513,35 @@ impl<Req, Rsp> Inner<Req, Rsp> {
    }
 }

+// === impl RoutesSvc ===
+
+impl Service<Request<hyper::body::Incoming>> for RoutesSvc {
+    type Response =
+        <grpc::service::Routes as Service<Request<UnsyncBoxBody<Bytes, grpc::Status>>>>::Response;
+    type Error =
+        <grpc::service::Routes as Service<Request<UnsyncBoxBody<Bytes, grpc::Status>>>>::Error;
+    type Future =
+        <grpc::service::Routes as Service<Request<UnsyncBoxBody<Bytes, grpc::Status>>>>::Future;
+
+    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        let Self(routes) = self;
+        <grpc::service::Routes as Service<Request<UnsyncBoxBody<Bytes, grpc::Status>>>>::poll_ready(
+            routes, cx,
+        )
+    }
+
+    fn call(&mut self, req: Request<hyper::body::Incoming>) -> Self::Future {
+        use http_body_util::{combinators::UnsyncBoxBody, BodyExt};
+
+        let Self(routes) = self;
+        let req = req.map(|body| {
+            UnsyncBoxBody::new(body.map_err(|err| grpc::Status::from_error(Box::new(err))))
+        });
+
+        routes.call(req)
+    }
+}
+
 fn grpc_no_results() -> grpc::Status {
    grpc::Status::new(
        grpc::Code::NotFound,
--- a/linkerd/app/integration/src/proxy.rs
+++ b/linkerd/app/integration/src/proxy.rs
@ -1,7 +1,9 @@
 use super::*;
 use linkerd_app_core::{
    svc::Param,
-    transport::{listen, orig_dst, Keepalive, ListenAddr, Local, OrigDstAddr, ServerAddr},
+    transport::{
+        listen, orig_dst, Keepalive, ListenAddr, Local, OrigDstAddr, ServerAddr, UserTimeout,
+    },
    Result,
 };
 use std::{collections::HashSet, thread};
@ -68,7 +70,7 @@ struct MockDualOrigDst {

 impl<T> listen::Bind<T> for MockOrigDst
 where
-    T: Param<Keepalive> + Param<ListenAddr>,
+    T: Param<Keepalive> + Param<UserTimeout> + Param<ListenAddr>,
 {
    type Addrs = orig_dst::Addrs;
    type BoundAddrs = Local<ServerAddr>;
@ -106,7 +108,7 @@ impl fmt::Debug for MockOrigDst {
        match self {
            Self::Addr(addr) => f
                .debug_tuple("MockOrigDst::Addr")
-                .field(&format_args!("{}", addr))
+                .field(&format_args!("{addr}"))
                .finish(),
            Self::Direct => f.debug_tuple("MockOrigDst::Direct").finish(),
            Self::None => f.debug_tuple("MockOrigDst::None").finish(),
@ -118,7 +120,7 @@ impl fmt::Debug for MockOrigDst {

 impl<T> listen::Bind<T> for MockDualOrigDst
 where
-    T: Param<Keepalive> + Param<ListenAddr>,
+    T: Param<Keepalive> + Param<UserTimeout> + Param<ListenAddr>,
 {
    type Addrs = orig_dst::Addrs;
    type BoundAddrs = (Local<ServerAddr>, Option<Local<ServerAddr>>);
@ -414,9 +416,9 @@ async fn run(proxy: Proxy, mut env: TestEnv, random_ports: bool) -> Listening {
        use std::fmt::Write;
        let mut ports = inbound_default_ports.iter();
        if let Some(port) = ports.next() {
-            let mut var = format!("{}", port);
+            let mut var = format!("{port}");
            for port in ports {
-                write!(&mut var, ",{}", port).expect("writing to String should never fail");
+                write!(&mut var, ",{port}").expect("writing to String should never fail");
            }
            info!("{}={:?}", app::env::ENV_INBOUND_PORTS, var);
            env.put(app::env::ENV_INBOUND_PORTS, var);
--- a/linkerd/app/integration/src/server.rs
+++ b/linkerd/app/integration/src/server.rs
@ -1,5 +1,7 @@
-use super::app_core::svc::http::TracingExecutor;
+use super::app_core::svc::http::TokioExecutor;
 use super::*;
+use http::{Request, Response};
+use linkerd_app_core::svc::http::BoxBody;
 use std::{
    io,
    sync::atomic::{AtomicUsize, Ordering},
@ -12,23 +14,35 @@ pub fn new() -> Server {
 }

 pub fn http1() -> Server {
-    Server::http1()
+    Server {
+        routes: Default::default(),
+        version: Run::Http1,
+        tls: None,
+    }
 }

 pub fn http1_tls(tls: Arc<ServerConfig>) -> Server {
-    Server::http1_tls(tls)
+    Server {
+        routes: Default::default(),
+        version: Run::Http1,
+        tls: Some(tls),
+    }
 }

 pub fn http2() -> Server {
-    Server::http2()
+    Server {
+        routes: Default::default(),
+        version: Run::Http2,
+        tls: None,
+    }
 }

 pub fn http2_tls(tls: Arc<ServerConfig>) -> Server {
-    Server::http2_tls(tls)
-}
-
-pub fn tcp() -> tcp::TcpServer {
-    tcp::server()
+    Server {
+        routes: Default::default(),
+        version: Run::Http2,
+        tls: Some(tls),
+    }
 }

 pub struct Server {
@ -45,9 +59,8 @@ pub struct Listening {
    pub(super) http_version: Option<Run>,
 }

-type Request = http::Request<hyper::Body>;
-type Response = http::Response<hyper::Body>;
-type RspFuture = Pin<Box<dyn Future<Output = Result<Response, BoxError>> + Send + Sync + 'static>>;
+type RspFuture<B = BoxBody> =
+    Pin<Box<dyn Future<Output = Result<Response<B>, Error>> + Send + 'static>>;

 impl Listening {
    pub fn connections(&self) -> usize {
@ -92,29 +105,6 @@ impl Listening {
 }

 impl Server {
-    fn new(run: Run, tls: Option<Arc<ServerConfig>>) -> Self {
-        Server {
-            routes: HashMap::new(),
-            version: run,
-            tls,
-        }
-    }
-    fn http1() -> Self {
-        Server::new(Run::Http1, None)
-    }
-
-    fn http1_tls(tls: Arc<ServerConfig>) -> Self {
-        Server::new(Run::Http1, Some(tls))
-    }
-
-    fn http2() -> Self {
-        Server::new(Run::Http2, None)
-    }
-
-    fn http2_tls(tls: Arc<ServerConfig>) -> Self {
-        Server::new(Run::Http2, Some(tls))
-    }
-
    /// Return a string body as a 200 OK response, with the string as
    /// the response body.
    pub fn route(mut self, path: &str, resp: &str) -> Self {
@ -126,11 +116,11 @@ impl Server {
    /// to send back.
    pub fn route_fn<F>(self, path: &str, cb: F) -> Self
    where
-        F: Fn(Request) -> Response + Send + Sync + 'static,
+        F: Fn(Request<BoxBody>) -> Response<BoxBody> + Send + Sync + 'static,
    {
        self.route_async(path, move |req| {
            let res = cb(req);
-            async move { Ok::<_, BoxError>(res) }
+            async move { Ok::<_, Error>(res) }
        })
    }

@ -138,9 +128,9 @@ impl Server {
    /// a response to send back.
    pub fn route_async<F, U>(mut self, path: &str, cb: F) -> Self
    where
-        F: Fn(Request) -> U + Send + Sync + 'static,
-        U: TryFuture<Ok = Response> + Send + Sync + 'static,
-        U::Error: Into<BoxError> + Send + 'static,
+        F: Fn(Request<BoxBody>) -> U + Send + Sync + 'static,
+        U: TryFuture<Ok = Response<BoxBody>> + Send + 'static,
+        U::Error: Into<Error> + Send + 'static,
    {
        let func = move |req| Box::pin(cb(req).map_err(Into::into)) as RspFuture;
        self.routes.insert(path.into(), Route(Box::new(func)));
@ -148,16 +138,17 @@ impl Server {
    }

    pub fn route_with_latency(self, path: &str, resp: &str, latency: Duration) -> Self {
-        let resp = Bytes::from(resp.to_string());
+        let body = resp.to_owned();
        self.route_async(path, move |_| {
-            let resp = resp.clone();
+            let body = body.clone();
            async move {
                tokio::time::sleep(latency).await;
-                Ok::<_, BoxError>(
+                Ok::<_, Error>(
                    http::Response::builder()
-                        .status(200)
-                        .body(hyper::Body::from(resp.clone()))
-                        .unwrap(),
+                        .status(StatusCode::OK)
+                        .body(http_body_util::Full::new(Bytes::from(body.clone())))
+                        .unwrap()
+                        .map(BoxBody::new),
                )
            }
        })
@ -193,12 +184,7 @@ impl Server {
            drain.clone(),
            async move {
                tracing::info!("support server running");
-                let mut new_svc = NewSvc(Arc::new(self.routes));
-                let mut http = hyper::server::conn::Http::new().with_executor(TracingExecutor);
-                match self.version {
-                    Run::Http1 => http.http1_only(true),
-                    Run::Http2 => http.http2_only(true),
-                };
+                let svc = Svc(Arc::new(self.routes));
                if let Some(delay) = delay {
                    let _ = listening_tx.take().unwrap().send(());
                    delay.await;
@ -217,27 +203,41 @@ impl Server {
                    let sock = accept_connection(sock, tls_config.clone())
                        .instrument(span.clone())
                        .await?;
-                    let http = http.clone();
                    let srv_conn_count = srv_conn_count.clone();
-                    let svc = new_svc.call(());
+                    let svc = svc.clone();
                    let f = async move {
                        tracing::trace!("serving...");
-                        let svc = svc.await;
-                        tracing::trace!("service acquired");
                        srv_conn_count.fetch_add(1, Ordering::Release);
-                        let svc = svc.map_err(|e| {
-                            tracing::error!("support/server new_service error: {}", e)
-                        })?;
-                        let result = http
-                            .serve_connection(sock, svc)
-                            .await
-                            .map_err(|e| tracing::error!("support/server error: {}", e));
+                        use hyper_util::{rt::TokioIo, service::TowerToHyperService};
+                        let (sock, svc) = (TokioIo::new(sock), TowerToHyperService::new(svc));
+                        let result = match self.version {
+                            Run::Http1 => hyper::server::conn::http1::Builder::new()
+                                .timer(hyper_util::rt::TokioTimer::new())
+                                .serve_connection(sock, svc)
+                                .await
+                                .map_err(|e| tracing::error!("support/server error: {}", e)),
+                            Run::Http2 => {
+                                hyper::server::conn::http2::Builder::new(TokioExecutor::new())
+                                    .timer(hyper_util::rt::TokioTimer::new())
+                                    .serve_connection(sock, svc)
+                                    .await
+                                    .map_err(|e| tracing::error!("support/server error: {}", e))
+                            }
+                        };
                        tracing::trace!(?result, "serve done");
                        result
                    };
-                    tokio::spawn(
-                        cancelable(drain.clone(), f).instrument(span.clone().or_current()),
-                    );
+                    // let fut = Box::pin(cancelable(drain.clone(), f).instrument(span.clone().or_current()))
+                    let drain = drain.clone();
+                    tokio::spawn(async move {
+                        tokio::select! {
+                            res = f => res,
+                            _ = drain.signaled() => {
+                                tracing::debug!("canceled!");
+                                Ok(())
+                            }
+                        }
+                    });
                }
            }
            .instrument(
@ -266,17 +266,19 @@ pub(super) enum Run {
    Http2,
 }

-struct Route(Box<dyn Fn(Request) -> RspFuture + Send + Sync>);
+struct Route(Box<dyn Fn(Request<BoxBody>) -> RspFuture + Send + Sync>);

 impl Route {
    fn string(body: &str) -> Route {
-        let body = Bytes::from(body.to_string());
+        let body = http_body_util::Full::new(Bytes::from(body.to_string()));
        Route(Box::new(move |_| {
+            let body = body.clone();
            Box::pin(future::ok(
                http::Response::builder()
-                    .status(200)
-                    .body(hyper::Body::from(body.clone()))
-                    .unwrap(),
+                    .status(StatusCode::OK)
+                    .body(body)
+                    .unwrap()
+                    .map(BoxBody::new),
            ))
        }))
    }
@ -288,58 +290,53 @@ impl std::fmt::Debug for Route {
    }
 }

-type BoxError = Box<dyn std::error::Error + Send + Sync>;
-
-#[derive(Debug)]
+#[derive(Clone, Debug)]
 struct Svc(Arc<HashMap<String, Route>>);

 impl Svc {
-    fn route(&mut self, req: Request) -> RspFuture {
+    fn route<B>(
+        &mut self,
+        req: Request<B>,
+    ) -> impl Future<Output = Result<Response<BoxBody>, crate::app_core::Error>> + Send
+    where
+        B: Body + Send + Sync + 'static,
+        B::Data: Send + 'static,
+        B::Error: std::error::Error + Send + Sync + 'static,
+    {
        match self.0.get(req.uri().path()) {
            Some(Route(ref func)) => {
                tracing::trace!(path = %req.uri().path(), "found route for path");
-                func(req)
+                func(req.map(BoxBody::new))
            }
            None => {
                tracing::warn!("server 404: {:?}", req.uri().path());
-                let res = http::Response::builder()
-                    .status(404)
-                    .body(Default::default())
-                    .unwrap();
-                Box::pin(async move { Ok(res) })
+                Box::pin(futures::future::ok(
+                    http::Response::builder()
+                        .status(StatusCode::NOT_FOUND)
+                        .body(BoxBody::empty())
+                        .unwrap(),
+                ))
            }
        }
    }
 }

-impl tower::Service<Request> for Svc {
-    type Response = Response;
-    type Error = BoxError;
+impl<B> tower::Service<Request<B>> for Svc
+where
+    B: Body + Send + Sync + 'static,
+    B::Data: Send,
+    B::Error: std::error::Error + Send + Sync,
+{
+    type Response = Response<BoxBody>;
+    type Error = Error;
    type Future = RspFuture;

    fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
        Poll::Ready(Ok(()))
    }

-    fn call(&mut self, req: Request) -> Self::Future {
-        self.route(req)
-    }
-}
-
-#[derive(Debug)]
-struct NewSvc(Arc<HashMap<String, Route>>);
-
-impl Service<()> for NewSvc {
-    type Response = Svc;
-    type Error = ::std::io::Error;
-    type Future = future::Ready<Result<Svc, Self::Error>>;
-
-    fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
-        Poll::Ready(Ok(()))
-    }
-
-    fn call(&mut self, _: ()) -> Self::Future {
-        future::ok(Svc(Arc::clone(&self.0)))
+    fn call(&mut self, req: Request<B>) -> Self::Future {
+        Box::pin(self.route(req))
    }
 }

@ -357,7 +354,6 @@ async fn accept_connection(
                _running: None,
            })
        }
-
        None => Ok(RunningIo {
            io: Box::pin(io),
            abs_form: false,
--- a/linkerd/app/integration/src/tap.rs
+++ b/linkerd/app/integration/src/tap.rs
@ -2,6 +2,7 @@ use super::*;
 use futures::stream;
 use http_body::Body;
 use linkerd2_proxy_api::tap as pb;
+use linkerd_app_core::svc::http::BoxBody;

 pub fn client(addr: SocketAddr) -> Client {
    let api = pb::tap_client::TapClient::new(SyncSvc(client::http2(addr, "localhost")));
@ -106,7 +107,6 @@ pub trait TapEventExt {
    //fn id(&self) -> (u32, u64);
    fn event(&self) -> &pb::tap_event::http::Event;

-    fn request_init_method(&self) -> String;
    fn request_init_authority(&self) -> &str;
    fn request_init_path(&self) -> &str;

@ -134,41 +134,31 @@ impl TapEventExt for pb::TapEvent {
        }
    }

-    fn request_init_method(&self) -> String {
-        match self.event() {
-            pb::tap_event::http::Event::RequestInit(_ev) => {
-                //TODO: ugh
-                unimplemented!("method");
-            }
-            e => panic!("not RequestInit event: {:?}", e),
-        }
-    }
-
    fn request_init_authority(&self) -> &str {
        match self.event() {
            pb::tap_event::http::Event::RequestInit(ev) => &ev.authority,
-            e => panic!("not RequestInit event: {:?}", e),
+            e => panic!("not RequestInit event: {e:?}"),
        }
    }

    fn request_init_path(&self) -> &str {
        match self.event() {
            pb::tap_event::http::Event::RequestInit(ev) => &ev.path,
-            e => panic!("not RequestInit event: {:?}", e),
+            e => panic!("not RequestInit event: {e:?}"),
        }
    }

    fn response_init_status(&self) -> u16 {
        match self.event() {
            pb::tap_event::http::Event::ResponseInit(ev) => ev.http_status as u16,
-            e => panic!("not ResponseInit event: {:?}", e),
+            e => panic!("not ResponseInit event: {e:?}"),
        }
    }

    fn response_end_bytes(&self) -> u64 {
        match self.event() {
            pb::tap_event::http::Event::ResponseEnd(ev) => ev.response_bytes,
-            e => panic!("not ResponseEnd event: {:?}", e),
+            e => panic!("not ResponseEnd event: {e:?}"),
        }
    }

@ -180,7 +170,7 @@ impl TapEventExt for pb::TapEvent {
                }) => code,
                _ => panic!("not Eos GrpcStatusCode: {:?}", ev.eos),
            },
-            ev => panic!("not ResponseEnd event: {:?}", ev),
+            ev => panic!("not ResponseEnd event: {ev:?}"),
        }
    }
 }
@ -188,15 +178,14 @@ impl TapEventExt for pb::TapEvent {
 struct SyncSvc(client::Client);

 type ResponseFuture =
-    Pin<Box<dyn Future<Output = Result<http::Response<hyper::Body>, String>> + Send>>;
+    Pin<Box<dyn Future<Output = Result<http::Response<hyper::body::Incoming>, String>> + Send>>;

 impl<B> tower::Service<http::Request<B>> for SyncSvc
 where
-    B: Body + Send + 'static,
-    B::Data: Send + 'static,
-    B::Error: Send + 'static,
+    B: Body,
+    B::Error: std::fmt::Debug,
 {
-    type Response = http::Response<hyper::Body>;
+    type Response = http::Response<hyper::body::Incoming>;
    type Error = String;
    type Future = ResponseFuture;

@ -205,20 +194,31 @@ where
    }

    fn call(&mut self, req: http::Request<B>) -> Self::Future {
-        // this is okay to do because the body should always be complete, we
-        // just can't prove it.
-        let req = futures::executor::block_on(async move {
-            let (parts, body) = req.into_parts();
-            let body = match hyper::body::to_bytes(body).await {
-                Ok(body) => body,
-                Err(_) => unreachable!("body should not fail"),
-            };
-            http::Request::from_parts(parts, body)
-        });
-        Box::pin(
-            self.0
-                .send_req(req.map(Into::into))
-                .map_err(|err| err.to_string()),
-        )
+        use http_body_util::Full;
+        let Self(client) = self;
+        let req = req.map(Self::collect_body).map(Full::new).map(BoxBody::new);
+        let fut = client.send_req(req).map_err(|err| err.to_string());
+        Box::pin(fut)
+    }
+}
+
+impl SyncSvc {
+    /// Collects the given [`Body`], returning a [`Bytes`].
+    ///
+    /// NB: This blocks the current thread until the provided body has been collected. This is
+    /// an acceptable practice in test code for the sake of simplicitly, because we will always
+    /// provide [`SyncSvc`] with bodies that are complete.
+    fn collect_body<B>(body: B) -> Bytes
+    where
+        B: Body,
+        B::Error: std::fmt::Debug,
+    {
+        futures::executor::block_on(async move {
+            use http_body_util::BodyExt;
+            body.collect()
+                .await
+                .expect("body should not fail")
+                .to_bytes()
+        })
    }
 }
--- a/linkerd/app/integration/src/tcp.rs
+++ b/linkerd/app/integration/src/tcp.rs
@ -1,10 +1,11 @@
 use super::*;
-use std::collections::VecDeque;
-use std::io;
-use std::net::TcpListener as StdTcpListener;
-use std::sync::atomic::{AtomicUsize, Ordering};
-use tokio::net::TcpStream;
-use tokio::task::JoinHandle;
+use std::{
+    collections::VecDeque,
+    io,
+    net::TcpListener as StdTcpListener,
+    sync::atomic::{AtomicUsize, Ordering},
+};
+use tokio::{net::TcpStream, task::JoinHandle};

 type TcpConnSender = mpsc::UnboundedSender<(
    Option<Vec<u8>>,
@ -148,10 +149,6 @@ impl TcpServer {
 }

 impl TcpConn {
-    pub fn target_addr(&self) -> SocketAddr {
-        self.addr
-    }
-
    pub async fn read(&self) -> Vec<u8> {
        self.try_read()
            .await
--- a/linkerd/app/integration/src/test_env.rs
+++ b/linkerd/app/integration/src/test_env.rs
@ -1,6 +1,7 @@
 use linkerd_app::env::{EnvError, Strings};
 use std::collections::HashMap;

+/// An implementation of [`Strings`] that wraps for use in tests.
 #[derive(Clone, Default)]
 pub struct TestEnv {
    values: HashMap<&'static str, String>,
@ -9,18 +10,22 @@ pub struct TestEnv {
 // === impl TestEnv ===

 impl TestEnv {
+    /// Puts a new key-value pair in the test environment.
    pub fn put(&mut self, key: &'static str, value: String) {
        self.values.insert(key, value);
    }

+    /// Returns true if this environment contains the given key.
    pub fn contains_key(&self, key: &'static str) -> bool {
        self.values.contains_key(key)
    }

+    /// Removes a new key-value pair from the test environment.
    pub fn remove(&mut self, key: &'static str) {
        self.values.remove(key);
    }

+    /// Extends this test environment using the other given [`TestEnv`].
    pub fn extend(&mut self, other: TestEnv) {
        self.values.extend(other.values);
    }
--- a/linkerd/app/integration/src/tests/client_policy.rs
+++ b/linkerd/app/integration/src/tests/client_policy.rs
@ -63,11 +63,11 @@ async fn empty_http1_route() {
                                hosts: Vec::new(),
                                rules: Vec::new(),
                            }],
-                            failure_accrual: None,
+                            ..Default::default()
                        }),
                        http2: Some(proxy_protocol::Http2 {
                            routes: vec![policy::outbound_default_http_route(&dst)],
-                            failure_accrual: None,
+                            ..Default::default()
                        }),
                        opaque: Some(proxy_protocol::Opaque {
                            routes: vec![policy::outbound_default_opaque_route(&dst)],
@ -148,7 +148,7 @@ async fn empty_http2_route() {
                        timeout: Some(Duration::from_secs(10).try_into().unwrap()),
                        http1: Some(proxy_protocol::Http1 {
                            routes: vec![policy::outbound_default_http_route(&dst)],
-                            failure_accrual: None,
+                            ..Default::default()
                        }),
                        http2: Some(proxy_protocol::Http2 {
                            routes: vec![outbound::HttpRoute {
@ -156,7 +156,7 @@ async fn empty_http2_route() {
                                hosts: Vec::new(),
                                rules: Vec::new(),
                            }],
-                            failure_accrual: None,
+                            ..Default::default()
                        }),
                        opaque: Some(proxy_protocol::Opaque {
                            routes: vec![policy::outbound_default_opaque_route(&dst)],
@ -223,7 +223,7 @@ async fn header_based_routing() {
            backends: Some(policy::http_first_available(std::iter::once(
                policy::backend(dst),
            ))),
-            request_timeout: None,
+            ..Default::default()
        };

    let route = outbound::HttpRoute {
@ -237,7 +237,7 @@ async fn header_based_routing() {
                backends: Some(policy::http_first_available(std::iter::once(
                    policy::backend(&dst_world),
                ))),
-                request_timeout: None,
+                ..Default::default()
            },
            // x-hello-city: sf | x-hello-city: san francisco
            mk_header_rule(
@ -266,11 +266,11 @@ async fn header_based_routing() {
                        timeout: Some(Duration::from_secs(10).try_into().unwrap()),
                        http1: Some(proxy_protocol::Http1 {
                            routes: vec![route.clone()],
-                            failure_accrual: None,
+                            ..Default::default()
                        }),
                        http2: Some(proxy_protocol::Http2 {
                            routes: vec![route],
-                            failure_accrual: None,
+                            ..Default::default()
                        }),
                        opaque: Some(proxy_protocol::Opaque {
                            routes: vec![policy::outbound_default_opaque_route(&dst_world)],
@ -400,8 +400,7 @@ async fn path_based_routing() {
            backends: Some(policy::http_first_available(std::iter::once(
                policy::backend(dst),
            ))),
-
-            request_timeout: None,
+            ..Default::default()
        };

    let route = outbound::HttpRoute {
@ -415,7 +414,7 @@ async fn path_based_routing() {
                backends: Some(policy::http_first_available(std::iter::once(
                    policy::backend(&dst_world),
                ))),
-                request_timeout: None,
+                ..Default::default()
            },
            // /goodbye/*
            mk_path_rule(
@ -449,11 +448,11 @@ async fn path_based_routing() {
                        timeout: Some(Duration::from_secs(10).try_into().unwrap()),
                        http1: Some(proxy_protocol::Http1 {
                            routes: vec![route.clone()],
-                            failure_accrual: None,
+                            ..Default::default()
                        }),
                        http2: Some(proxy_protocol::Http2 {
                            routes: vec![route],
-                            failure_accrual: None,
+                            ..Default::default()
                        }),
                        opaque: Some(proxy_protocol::Opaque {
                            routes: vec![policy::outbound_default_opaque_route(&dst_world)],
--- a/linkerd/app/integration/src/tests/discovery.rs
+++ b/linkerd/app/integration/src/tests/discovery.rs
@ -381,7 +381,7 @@ mod cross_version {
 }

 fn default_dst_name(port: u16) -> String {
-    format!("{}:{}", HOST, port)
+    format!("{HOST}:{port}")
 }

 fn send_default_dst(
@ -481,16 +481,17 @@ mod http2 {

        let res = fut.await.expect("beta response");
        assert_eq!(res.status(), http::StatusCode::OK);
-        assert_eq!(
-            String::from_utf8(
-                hyper::body::to_bytes(res.into_body())
-                    .await
-                    .unwrap()
-                    .to_vec(),
-            )
-            .unwrap(),
-            "beta"
-        );
+
+        let body = {
+            let body = res.into_body();
+            let body = http_body_util::BodyExt::collect(body)
+                .await
+                .unwrap()
+                .to_bytes()
+                .to_vec();
+            String::from_utf8(body).unwrap()
+        };
+        assert_eq!(body, "beta");
    }
 }

--- a/linkerd/app/integration/src/tests/identity.rs
+++ b/linkerd/app/integration/src/tests/identity.rs
@ -24,7 +24,7 @@ async fn nonblocking_identity_detection() {

    let msg1 = "custom tcp hello\n";
    let msg2 = "custom tcp bye";
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
        .accept(move |read| {
            assert_eq!(read, msg1.as_bytes());
            msg2
@ -33,7 +33,7 @@ async fn nonblocking_identity_detection() {
        .await;

    let proxy = proxy.inbound(srv).run_with_test_env(env).await;
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);

    // Create an idle connection and then an active connection. Ensure that
    // protocol detection on the idle connection does not block communication on
--- a/Show More
+++ b/Show More