I'm trying to do this: call `public.com/api/v1/{proxy}` on an Envoy proxy behind an ingress proxy. Envoy will forward the traffic to an https private endpoint inside my VPC with a different path: `https://private.com/internal/{proxy}`.
But I'm still facing this issue:
```
upstream reset: reset reason: protocol error, transport failure reason:
```
I even tried with a public https endpoint but it's still the same.
Below is my configuration:
```yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 9901
static_resources:
  listeners:
  - name: listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          '@type': "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          stat_prefix: http_proxy
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          route_config:
            name: all
            virtual_hosts:
            - name: local_service
              domains:
              - '*'
              routes:
              - match: { prefix: "/api/v1"}
                route:
                  prefix_rewrite: "/internal/"
                  cluster: allbackend_cluster
          http_filters:
          - name: envoy.filters.http.router
  clusters:
  - name: allbackend_cluster
    connect_timeout: 1s
    type: strict_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: allbackend_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: private.com
                port_value: 443
```
After I changed the configuration to a pure http endpoint, it runs correctly. But does anyone know how to forward to an https endpoint?
```yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 9901
static_resources:
  listeners:
  - name: listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          '@type': "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          stat_prefix: http_proxy
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          route_config:
            name: all
            virtual_hosts:
            - name: local_service
              domains:
              - '*'
              routes:
              - match: { prefix: "/api/v1"}
                route:
                  prefix_rewrite: "/internal/"
                  host_rewrite_literal: "privatehttp.com"
                  cluster: allbackend_cluster
          http_filters:
          - name: envoy.filters.http.router
  clusters:
  - name: allbackend_cluster
    connect_timeout: 1s
    type: strict_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: allbackend_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: privatehttp.com
                port_value: 80
```
CodePudding user response:
I believe you need to add certificate information for Envoy:
```yaml
# Cluster-level entry, v3 API form: `tls_context` was removed from the v3 Cluster
# proto, so the TLS settings go under `transport_socket`. The client certificate
# below is only needed when the upstream requires mutual TLS.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    common_tls_context:
      tls_certificates:
      - certificate_chain:
          filename: "/etc/ssl/certs/https.crt"
        private_key:
          filename: "/etc/ssl/certs/key.pem"
```
And also add trust for the certificate used by the cluster:
```yaml
# Same v3 form; `trusted_ca` is the CA that signed the upstream's certificate, so
# Envoy verifies the server it connects to instead of accepting any certificate.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    common_tls_context:
      validation_context:
        trusted_ca:
          filename: "/etc/ssl/certs/cluster.crt"
```