I have a running nginx server that has a relatively simple config (only including relevant parts):
http {
server {
gzip on;
set $allowed false;
if ($http_host ~ "(domain1.com)|(domain2.net)|(etc)") {
set $allowed true;
}
if ($allowed = false) {
return 403;
break;
}
listen 8888;
server_name ~. ;
proxy_connect;
proxy_max_temp_file_size 0;
resolver 8.8.8.8;
location / {
proxy_pass http://$http_host;
proxy_set_header Host $http_host;
}
}
}
so basically if a client connects to one of the approved domains - response is streamed. I'm really struggling to achieve the same in Envoy. whatever I do it either doesnt work or doesnt forward static content. Another issue I have is if I configure my laptop to use envoy as a proxy - nothing works at all (ie even if connect to domain1.com works, if I try to connect to the same site, but using envoy as a proxy - I get a timeout), whereas the configuration above works as a proxy.
My actual target is Istio, but I'm quite confident I can port it to Istio if I figure out the envoy part
edit: sample istio config that does work for forwarding, but doesnt work as a proxy
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: fwd
namespace: default
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: fwd
namespace: default
spec:
hosts:
- test.domain.com
ports:
- number: 443
name: tls
protocol: tls
location: MESH_EXTERNAL
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: fwd
namespace: default
spec:
hosts:
- source.domain.com
gateways:
- fwd
http:
- match:
- gateways:
- fwd
port: 80
uri:
prefix: /
route:
- destination:
host: test.domain.com
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: fwd
namespace: default
spec:
host: test.domain.com
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE
edit 2: actually found sample envoyconfig
{
"admin": {
"access_log_path": "/tmp/admin_access.log",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 9901
}
}
},
"static_resources": {
"clusters": [
{
"name": "backend",
"type": "SIMPLE",
"connect_timeout": "0.25s",
"lb_policy": "ROUND_ROBIN",
"max_requests_per_connection": 1024,
"max_retries": 3,
"http2_protocol_options": {}
}
],
"listeners": [
{
"name": "listener_0",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 8000
}
},
"filter_chains": [
{
"filters": [
{
"name": "envoy.http_connection_manager",
"config": {
"codec_type": "auto",
"stat_prefix": "ingress_http",
"route_config": {
"virtual_hosts": [
{
"name": "backend",
"domains": [
"*"
],
"routes": [
{
"match": {
"prefix": "/"
},
"route": {
"cluster": "backend"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.router",
"config": {
"use_remote_address": true,
"dynamic_route_config": {
"grpc_service": {
"envoy_grpc": {
"cluster_name": "backend"
}
}
}
}
}
]
}
}
]
}
]
}
]
}
}
CodePudding user response:
Istio-enabled pod’s outbound traffic is redirected to its sidecar proxy by default, accessing the URLs which are outside the cluster requires some modifications in the configuration of the proxy. The basic or default configuration of Istio and Envoy proxy allows traffic from unknown services to pass through, although this is the easiest way for getting started with Istio it is always recommended to enforce strict policies as per the security standpoint.
In this document it is elaborated how to access external services in different ways, refer this for more information.
CodePudding user response:
Answer provided by Kranthiveer Dontineni almost works:
admin:
address:
socket_address:
protocol: TCP
address: 127.0.0.1
port_value: 9901
static_resources:
listeners:
- name: listener_0
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/force-host-rewrite"
route:
cluster: dynamic_forward_proxy_cluster
typed_per_filter_config:
envoy.filters.http.dynamic_forward_proxy:
"@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
host_rewrite_literal: www.example.org
- match:
prefix: "/"
route:
cluster: dynamic_forward_proxy_cluster
http_filters:
- name: envoy.filters.http.dynamic_forward_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
dns_cache_config:
name: dynamic_forward_proxy_cache_config
dns_lookup_family: V4_ONLY
typed_dns_resolver_config:
name: envoy.network.dns_resolver.cares
typed_config:
"@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
resolvers:
- socket_address:
address: "8.8.8.8"
port_value: 53
dns_resolver_options:
use_tcp_for_dns_lookups: true
no_default_search_domain: true
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: dynamic_forward_proxy_cluster
lb_policy: CLUSTER_PROVIDED
cluster_type:
name: envoy.clusters.dynamic_forward_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
dns_cache_config:
name: dynamic_forward_proxy_cache_config
dns_lookup_family: V4_ONLY
typed_dns_resolver_config:
name: envoy.network.dns_resolver.cares
typed_config:
"@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
resolvers:
- socket_address:
address: "8.8.8.8"
port_value: 53
dns_resolver_options:
use_tcp_for_dns_lookups: true
no_default_search_domain: true
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
validation_context:
trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}