
I have a running nginx server that has a relatively simple config (only including relevant parts):

http {
  server {
    gzip on;
    set $allowed false;
    if ($http_host ~ "(domain1.com)|(domain2.net)|(etc)")  {
      set $allowed true;
    }

    if ($allowed = false) {
      return 403;
      break;
    }

    listen 8888;
    server_name ~.+;
    proxy_connect;
    proxy_max_temp_file_size 0;
    resolver 8.8.8.8;
    location / {
      proxy_pass http://$http_host;
      proxy_set_header Host $http_host;
    }
  }
}

So basically, if a client connects to one of the approved domains – the response is streamed. I'm really struggling to achieve the same in Envoy. Whatever I do, it either doesn't work or doesn't forward static content. Another issue I have is that if I configure my laptop to use Envoy as a proxy – nothing works at all (i.e. even if connecting to domain1.com works, if I try to connect to the same site but using Envoy as a proxy – I get a timeout), whereas the configuration above works as a proxy.

My actual target is Istio, but I'm quite confident I can port it to Istio if I figure out the Envoy part.

edit: sample Istio config that does work for forwarding, but doesn't work as a proxy

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: fwd
  namespace: default
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: fwd
  namespace: default
spec:
  hosts:
  - test.domain.com
  ports:
  - number: 443
    name: tls
    protocol: tls
  location: MESH_EXTERNAL
  resolution: DNS

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: fwd
  namespace: default
spec:
  hosts:
  - source.domain.com
  gateways:
  - fwd
  http:
  - match:
    - gateways:
      - fwd
      port: 80
      uri:
        prefix: /
    route:
    - destination:
        host: test.domain.com
        port:
          number: 443

---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: fwd
  namespace: default
spec:
  host: test.domain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE

edit 2: actually found a sample Envoy config

{
    "admin": {
        "access_log_path": "/tmp/admin_access.log",
        "address": {
            "socket_address": {
                "address": "0.0.0.0",
                "port_value": 9901
            }
        }
    },
    "static_resources": {
        "clusters": [
            {
                "name": "backend",
                "type": "SIMPLE",
                "connect_timeout": "0.25s",
                "lb_policy": "ROUND_ROBIN",
                "max_requests_per_connection": 1024,
                "max_retries": 3,
                "http2_protocol_options": {}
            }
        ],
        "listeners": [
            {
                "name": "listener_0",
                "address": {
                    "socket_address": {
                        "address": "0.0.0.0",
                        "port_value": 8000
                    }
                },
                "filter_chains": [
                    {
                        "filters": [
                            {
                                "name": "envoy.http_connection_manager",
                                "config": {
                                    "codec_type": "auto",
                                    "stat_prefix": "ingress_http",
                                    "route_config": {
                                        "virtual_hosts": [
                                            {
                                                "name": "backend",
                                                "domains": [
                                                    "*"
                                                ],
                                                "routes": [
                                                    {
                                                        "match": {
                                                            "prefix": "/"
                                                        },
                                                        "route": {
                                                            "cluster": "backend"
                                                        }
                                                    }
                                                ]
                                            }
                                        ]
                                    },
                                    "http_filters": [
                                        {
                                            "name": "envoy.router",
                                            "config": {
                                                "use_remote_address": true,
                                                "dynamic_route_config": {
                                                    "grpc_service": {
                                                        "envoy_grpc": {
                                                            "cluster_name": "backend"
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                ]
            }
        ]
    }
}


Answers


  1. Chosen as BEST ANSWER

    Answer provided by Kranthiveer Dontineni almost works:

    admin:
      address:
        socket_address:
          protocol: TCP
          address: 127.0.0.1
          port_value: 9901
    static_resources:
      listeners:
      - name: listener_0
        address:
          socket_address:
            protocol: TCP
            address: 0.0.0.0
            port_value: 10000
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/force-host-rewrite"
                    route:
                      cluster: dynamic_forward_proxy_cluster
                    typed_per_filter_config:
                      envoy.filters.http.dynamic_forward_proxy:
                        "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
                        host_rewrite_literal: www.example.org
                  - match:
                      prefix: "/"
                    route:
                      cluster: dynamic_forward_proxy_cluster
              http_filters:
              - name: envoy.filters.http.dynamic_forward_proxy
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
                  dns_cache_config:
                    name: dynamic_forward_proxy_cache_config
                    dns_lookup_family: V4_ONLY
                    typed_dns_resolver_config:
                      name: envoy.network.dns_resolver.cares
                      typed_config:
                        "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
                        resolvers:
                        - socket_address:
                            address: "8.8.8.8"
                            port_value: 53
                        dns_resolver_options:
                          use_tcp_for_dns_lookups: true
                          no_default_search_domain: true
              - name: envoy.filters.http.router
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      clusters:
      - name: dynamic_forward_proxy_cluster
        lb_policy: CLUSTER_PROVIDED
        cluster_type:
          name: envoy.clusters.dynamic_forward_proxy
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
            dns_cache_config:
              name: dynamic_forward_proxy_cache_config
              dns_lookup_family: V4_ONLY
              typed_dns_resolver_config:
                name: envoy.network.dns_resolver.cares
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
                  resolvers:
                  - socket_address:
                      address: "8.8.8.8"
                      port_value: 53
                  dns_resolver_options:
                    use_tcp_for_dns_lookups: true
                    no_default_search_domain: true
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            common_tls_context:
              validation_context:
                trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}
    

  2. Istio-enabled pods' outbound traffic is redirected to the sidecar proxy by default, so accessing URLs outside the cluster requires some modifications to the proxy's configuration. The basic or default configuration of Istio and the Envoy proxy allows traffic to unknown services to pass through; although this is the easiest way to get started with Istio, it is always recommended to enforce strict policies from a security standpoint.

    This document elaborates how to access external services in different ways; refer to it for more information.
