All traffic must go from sidecar -> egress gateway -> corporate forward proxy

I have been at this for days, and cannot figure out for the life of me how to send egress http traffic (that has successfully arrived at the egress gateway) from the egress gateway and to its destination through a tcp forward proxy.

On the nodes, this proxy is set via environment variables:

HTTP_PROXY=http://myproxy.mycorporate.internal.domain:9081
HTTPS_PROXY=http://myproxy.mycorporate.internal.domain:9081
NO_PROXY=(list of things not to proxy)

I have tried to set these environment variables via ProxyConfig in the istio-system namespace, and directly on the istio-egressgateway deployment spec. In this case, if I exec into my istio-egressgateway pod and curl an external URL, it succeeds through the forward proxy. But Istio/Envoy traffic does not seem to use these variables or go through the proxy.

I have tried many combinations of serviceentries and virtualservices for the proxy to no avail.

What am I missing?? I am banging my head as no traffic can get to the internet in my VPC without going through this corporate forward proxy. I should also add that Istio is configured permissively for egress traffic, with all allowed at this moment.

Envoy doesn’t honor such variables. Look at Support generic outbound proxy · Issue #1606 · envoyproxy/envoy · GitHub

The solution for the same has been presented here handson/handson__HTTPS_PROXY_egress_gateway.md at 0bffa778e3247ea73804da6d3591d7c1571c6c7a · bysnupy/handson · GitHub

This feature is available in istio 1.15+. Check out tunnel options.
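As an added illustration of the tunnel settings mentioned above (not the reply author's configuration and not from the Istio docs verbatim): a ServiceEntry for the corporate proxy named in the original question, plus a DestinationRule that makes the egress gateway open an HTTP CONNECT tunnel through it. The target host `example.com` is a placeholder for the real external destination.

```yaml
# Added example: ServiceEntry for the corporate forward proxy (host and port
# taken from the original question) and a DestinationRule that tunnels a
# single external destination through it with HTTP CONNECT.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: corporate-forward-proxy
  namespace: istio-system
spec:
  hosts:
  - myproxy.mycorporate.internal.domain
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 9081
    name: tcp-proxy
    protocol: TCP
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: tunnel-via-corporate-proxy
  namespace: istio-system
spec:
  # The DestinationRule host is the proxy, not the final destination.
  host: myproxy.mycorporate.internal.domain
  trafficPolicy:
    tunnel:
      protocol: CONNECT        # HTTP CONNECT to the proxy (POST is the other option)
      targetHost: example.com  # placeholder: the real external destination
      targetPort: 443          # port the proxy should connect to on targetHost
```

The route on the egress gateway that sends traffic to the proxy host must be a `tcp` (or TLS) route in its VirtualService, since tunnel settings are not applied to HTTP routes; and because `targetHost` is a single value, each external destination needs its own DestinationRule of this form.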

Thanks for pointing this out. I’ve tried this but I’m certainly missing something. The docs mention that this doesn’t yet work for http forwarders, only tcp. I haven’t seen any working examples of anyone using this to forward egress traffic through a tcp connect proxy. Are there any resources you’ve seen or a working example somewhere?


Hi, I am also looking for a working example of an Istio service mesh connecting to a corporate proxy. I have seen from the docs that Istio serves as a transparent proxy using Envoy and performs SNI inspection, so there should not be a need to explicitly define an HTTP_PROXY variable on the pod side.
