How to configure istio (or envoy) to act as a forward proxy


I have a running nginx server that has a relatively simple config (only including relevant parts):

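http {
  # Host allowlist. $http_host is supplied by the client and is the only thing
  # that decides what proxy_pass connects to below, so the match must be
  # anchored and the dots escaped. The original unanchored
  # "(domain1.com)|(domain2.net)|(etc)" was a substring match with "." matching
  # any character, so a Host such as "domain1.com.attacker.example" passed.
  # The optional ":port" admits an explicit port in the Host header.
  # "~" is case-sensitive; use "~*" if mixed-case hostnames should be accepted.
  # A map (evaluated once, in http context) replaces the if/set pair, which
  # nginx's own docs discourage.
  map $http_host $allowed {
    default 0;
    "~^(domain1\.com|domain2\.net)(:[0-9]+)?$" 1;
  }

  server {
    gzip on;

    # Refuse anything not on the allowlist before it reaches proxy_pass.
    # (The original had a "break;" after "return 403;" that was never reached.)
    if ($allowed = 0) {
      return 403;
    }

    listen 8888;
    server_name ~. ;
    # proxy_connect comes from the third-party ngx_http_proxy_connect_module and
    # handles CONNECT (what browsers send for https:// URLs through a proxy).
    # NOTE(review): it has its own port allowlist (proxy_connect_allow); confirm
    # with a CONNECT to a non-listed host that the Host allowlist above is
    # applied to CONNECT requests too, not only to plain GET/POST.
    proxy_connect;
    proxy_max_temp_file_size 0;
    # Upstream names are resolved per request through this resolver over
    # plaintext UDP; use a resolver you trust on the proxy's network path.
    resolver 8.8.8.8;
    location / {
        # The client's Host header chooses the upstream; the allowlist above is
        # the only thing standing between this and an open proxy.
        proxy_pass http://$http_host;
        proxy_set_header Host $http_host;
    }
  }
}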

so basically, if a client connects to one of the approved domains, the response is streamed back. I'm really struggling to achieve the same in Envoy: whatever I do, it either doesn't work at all or doesn't forward static content. Another issue: if I configure my laptop to use Envoy as its HTTP proxy, nothing works at all (i.e. even though connecting to domain1.com directly works, connecting to the same site through Envoy as a proxy times out), whereas the nginx configuration above does work as a proxy.

My actual target is Istio, but I'm fairly confident I can port it to Istio once I figure out the Envoy part.

edit: a sample Istio config that does work for forwarding, but does not work as a proxy:

---
# Istio Gateway: binds the default ingress-gateway pods on port 80 (plaintext
# HTTP) and admits any Host header ("*"). A Gateway is an ingress / reverse-proxy
# construct: clients must name the target through the Host header. Nothing in
# this resource models an HTTP proxy endpoint (absolute-URI requests, CONNECT),
# which is consistent with the "works for forwarding, not as a proxy" note above.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: fwd
  namespace: default
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"  # any Host is admitted at the gateway; routing is narrowed per VirtualService

---
# Registers the external host test.domain.com with the mesh so the proxy has a
# cluster to route to. MESH_EXTERNAL: not a mesh workload, so Istio mTLS is not
# applied to it. resolution DNS: the proxy resolves the name itself.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: fwd
  namespace: default
spec:
  hosts:
  - test.domain.com
  ports:
  - number: 443
    name: tls
    # NOTE(review): Istio's TLS-origination examples declare this port as
    # protocol HTTPS; "tls" is the opaque pass-through protocol. It evidently
    # works here, but confirm against the Istio version in use.
    protocol: tls
  location: MESH_EXTERNAL
  resolution: DNS

---
# Routes HTTP requests that reach gateway "fwd" on port 80 with
# Host: source.domain.com to the external service test.domain.com:443.
# This is one fixed host-to-host mapping: the upstream is chosen by the rule,
# not by the client's Host header as in the nginx `proxy_pass http://$http_host`
# setup, so it is a reverse proxy for a single site rather than a forward proxy.
# NOTE(review): no `rewrite.authority` is set, so the upstream presumably still
# sees Host: source.domain.com — confirm test.domain.com accepts that.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: fwd
  namespace: default
spec:
  hosts:
  - source.domain.com
  gateways:
  - fwd
  http:
  - match:
    - gateways:
      - fwd
      port: 80
      uri:
        prefix: /
    route:
    - destination:
        host: test.domain.com
        port:
          number: 443

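---
# TLS origination: plaintext HTTP from the gateway becomes HTTPS toward
# test.domain.com:443. Two settings the bare `mode: SIMPLE` left implicit:
#   - sni: without it the upstream may present the wrong (or no) certificate on
#     a shared / virtual-hosted endpoint; Istio's egress TLS examples set it.
#   - caCertificates: the CA bundle used to verify the server certificate.
#     What an omitted value means (verify against the OS bundle vs. no
#     verification) has differed across Istio versions, so state it explicitly.
#     The path must exist inside the gateway/sidecar proxy image.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: fwd
  namespace: default
spec:
  host: test.domain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
        sni: test.domain.com
        caCertificates: /etc/ssl/certs/ca-certificates.crt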

edit 2: I actually found a sample Envoy config (note: this listing uses the older untyped `config` style, and `"type": "SIMPLE"` is not a valid Envoy cluster discovery type, so it is unlikely to load as-is):

{
    "admin": {
        "access_log_path": "/tmp/admin_access.log",
        "address": {
            "socket_address": {
                "address": "0.0.0.0",
                "port_value": 9901
            }
        }
    },
    "static_resources": {
        "clusters": [
            {
                "name": "backend",
                "type": "SIMPLE",
                "connect_timeout": "0.25s",
                "lb_policy": "ROUND_ROBIN",
                "max_requests_per_connection": 1024,
                "max_retries": 3,
                "http2_protocol_options": {}
            }
        ],
        "listeners": [
            {
                "name": "listener_0",
                "address": {
                    "socket_address": {
                        "address": "0.0.0.0",
                        "port_value": 8000
                    }
                },
                "filter_chains": [
                    {
                        "filters": [
                            {
                                "name": "envoy.http_connection_manager",
                                "config": {
                                    "codec_type": "auto",
                                    "stat_prefix": "ingress_http",
                                    "route_config": {
                                        "virtual_hosts": [
                                            {
                                                "name": "backend",
                                                "domains": [
                                                    "*"
                                                ],
                                                "routes": [
                                                    {
                                                        "match": {
                                                            "prefix": "/"
                                                        },
                                                        "route": {
                                                            "cluster": "backend"
                                                        }
                                                    }
                                                ]
                                            }
                                        ]
                                    },
                                    "http_filters": [
                                        {
                                            "name": "envoy.router",
                                            "config": {
                                                "use_remote_address": true,
                                                "dynamic_route_config": {
                                                    "grpc_service": {
                                                        "envoy_grpc": {
                                                            "cluster_name": "backend"
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                ]
            }
        ]
    }
}

CodePudding user response:

An Istio-enabled pod's outbound traffic is redirected to its sidecar proxy by default, so reaching URLs outside the cluster requires some changes to the proxy configuration. The default Istio/Envoy configuration (`meshConfig.outboundTrafficPolicy.mode: ALLOW_ANY`) lets traffic to unknown, unregistered services pass through; that is the easiest way to get started, but from a security standpoint it is recommended to switch to `REGISTRY_ONLY`, so the sidecar only forwards to hosts the mesh knows about (Kubernetes services and ServiceEntry resources), and to enforce strict policies for the rest.

The Istio task "Accessing External Services" walks through the different ways to reach external services (the original answer linked to it); refer to it for details.

CodePudding user response:

Answer provided by Kranthiveer Dontineni almost works:

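# Envoy as an allowlisted HTTP forward proxy, built on the dynamic_forward_proxy
# filter + cluster. Changes from the listing as originally posted:
#   - the single `domains: ["*"]` virtual host forwarded to ANY host; bound on
#     0.0.0.0:10000 that is an open proxy into every network Envoy can reach
#     (RFC 1918 ranges, cloud metadata endpoints, ...). The nginx config this
#     replaces had a host allowlist; it is restored here with a 403 catch-all.
#   - the leftover "/force-host-rewrite" example route (www.example.org) is gone.
#   - the TLS cluster now derives SNI from the request and validates the server
#     certificate's SAN against the requested host. With only trusted_ca, Envoy
#     checks the chain but not the name, so any CA-issued certificate for any
#     site would have been accepted for every host.
# Still not covered: CONNECT, which is what a browser/OS proxy setting sends for
# https:// URLs. Envoy needs `upgrade_configs: [{upgrade_type: CONNECT}]` on the
# connection manager and a `connect_matcher` route to handle it; its absence is
# the likely reason the "use Envoy as my laptop's proxy" test times out.
admin:
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1  # loopback only: the admin API dumps config and can stop the process
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0  # reachable from the network; the allowlist below is the only access control
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            # Pick the virtual host by hostname only, so "domain1.com:8080" still
            # matches the allowlist while the Host header (and its port) reaches
            # the dynamic forward proxy filter unchanged.
            ignore_port_in_host_matching: true
            virtual_hosts:
            # Allowlist: the equivalent of the nginx $http_host check. Exact
            # domains win over the "*" catch-all below. Extend as needed.
            - name: allowed_hosts
              domains:
              - "domain1.com"
              - "domain2.net"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: dynamic_forward_proxy_cluster
            # Everything else is refused, mirroring `return 403` in nginx.
            - name: denied_hosts
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                direct_response:
                  status: 403
          http_filters:
          - name: envoy.filters.http.dynamic_forward_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
              # Resolves the request's Host at request time. Must be identical to
              # the cluster's dns_cache_config (same name) or Envoy rejects it.
              dns_cache_config:
                name: dynamic_forward_proxy_cache_config
                dns_lookup_family: V4_ONLY
                typed_dns_resolver_config:
                  name: envoy.network.dns_resolver.cares
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
                    resolvers:
                    - socket_address:
                        address: "8.8.8.8"  # public resolver, plaintext DNS over TCP; swap for one you trust
                        port_value: 53
                    dns_resolver_options:
                      use_tcp_for_dns_lookups: true
                      no_default_search_domain: true
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        # Keep in sync with the filter's dns_cache_config above.
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
          typed_dns_resolver_config:
            name: envoy.network.dns_resolver.cares
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
              resolvers:
              - socket_address:
                  address: "8.8.8.8"
                  port_value: 53
              dns_resolver_options:
                use_tcp_for_dns_lookups: true
                no_default_search_domain: true
    # Per-connection SNI and certificate-name check derived from the request's
    # host. Without this the validation_context below verifies the chain only.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        upstream_http_protocol_options:
          auto_sni: true
          auto_san_validation: true
        explicit_http_config:
          http_protocol_options: {}
    # Every upstream connection from this cluster is TLS, so plain http://
    # requests through the proxy are sent on as HTTPS (Envoy defaults the port
    # to 443 for a TLS cluster when the Host carries none — confirm for your
    # version). A separate plaintext cluster is needed if http:// must stay http.
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          validation_context:
            trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}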