I have a running nginx server that has a relatively simple config (only including relevant parts):
http {
server {
gzip on;
set $allowed false;
if ($http_host ~ "(domain1.com)|(domain2.net)|(etc)") {
set $allowed true;
}
if ($allowed = false) {
return 403;
break;
}
listen 8888;
server_name ~.+;
proxy_connect;
proxy_max_temp_file_size 0;
resolver 8.8.8.8;
location / {
proxy_pass http://$http_host;
proxy_set_header Host $http_host;
}
}
}
so basically if a client connects to one of the approved domains – response is streamed. I’m really struggling to achieve the same in Envoy. whatever I do it either doesnt work or doesnt forward static content. Another issue I have is if I configure my laptop to use envoy as a proxy – nothing works at all (ie even if connect to domain1.com works, if I try to connect to the same site, but using envoy as a proxy – I get a timeout), whereas the configuration above works as a proxy.
My actual target is Istio, but I’m quite confident I can port it to Istio if I figure out the envoy part
edit: sample istio config that does work for forwarding, but doesnt work as a proxy
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: fwd
namespace: default
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: fwd
namespace: default
spec:
hosts:
- test.domain.com
ports:
- number: 443
name: tls
protocol: tls
location: MESH_EXTERNAL
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: fwd
namespace: default
spec:
hosts:
- source.domain.com
gateways:
- fwd
http:
- match:
- gateways:
- fwd
port: 80
uri:
prefix: /
route:
- destination:
host: test.domain.com
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: fwd
namespace: default
spec:
host: test.domain.com
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE
edit 2: actually found sample envoyconfig
{
"admin": {
"access_log_path": "/tmp/admin_access.log",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 9901
}
}
},
"static_resources": {
"clusters": [
{
"name": "backend",
"type": "SIMPLE",
"connect_timeout": "0.25s",
"lb_policy": "ROUND_ROBIN",
"max_requests_per_connection": 1024,
"max_retries": 3,
"http2_protocol_options": {}
}
],
"listeners": [
{
"name": "listener_0",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 8000
}
},
"filter_chains": [
{
"filters": [
{
"name": "envoy.http_connection_manager",
"config": {
"codec_type": "auto",
"stat_prefix": "ingress_http",
"route_config": {
"virtual_hosts": [
{
"name": "backend",
"domains": [
"*"
],
"routes": [
{
"match": {
"prefix": "/"
},
"route": {
"cluster": "backend"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.router",
"config": {
"use_remote_address": true,
"dynamic_route_config": {
"grpc_service": {
"envoy_grpc": {
"cluster_name": "backend"
}
}
}
}
}
]
}
}
]
}
]
}
]
}
}
2
Answers
Answer provided by
Kranthiveer Dontineni
almost works:Istio-enabled pod’s outbound traffic is redirected to its sidecar proxy by default, accessing the URLs which are outside the cluster requires some modifications in the configuration of the proxy. The basic or default configuration of Istio and Envoy proxy allows traffic from unknown services to pass through, although this is the easiest way for getting started with Istio it is always recommended to enforce strict policies as per the security standpoint.
In this document it is elaborated how to access external services in different ways, refer this for more information.