All traffic must go from sidecar -> egress gateway -> corporate forward proxy

I have been at this for days, and cannot figure out for the life of me how to send egress HTTP traffic (that has successfully arrived at the egress gateway) from the egress gateway to its destination through a TCP forward proxy.

On the nodes, this proxy is set via environment variables:

HTTP_PROXY=http://myproxy.mycorporate.internal.domain:9081
HTTPS_PROXY=http://myproxy.mycorporate.internal.domain:9081
NO_PROXY=(list of things not to proxy)

I have tried to set these environment variables via ProxyConfig in the istio-system namespace, and directly on the istio-egressgateway deployment spec. In this case, if I exec into my istio-egressgateway pod and curl an external URL, it succeeds through the forward proxy. But Istio/Envoy traffic does not seem to use these variables or go through the proxy.

I have tried many combinations of ServiceEntries and VirtualServices for the proxy, to no avail.

What am I missing? I am banging my head, as no traffic can get to the internet in my VPC without going through this corporate forward proxy. I should also add that Istio is configured permissively for egress traffic, with all allowed at this moment.

Envoy doesn't honor such variables. Look at "Support generic outbound proxy" (Issue #1606, envoyproxy/envoy on GitHub).

The solution for the same has been presented here: handson/handson__HTTPS_PROXY_egress_gateway.md at 0bffa778e3247ea73804da6d3591d7c1571c6c7a (bysnupy/handson on GitHub).

This feature is available in Istio 1.15+. Check out tunnel options.
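
A sketch of the tunnel approach mentioned in the last reply, added here as an example and not taken from any of the posts or from the Istio project. It uses the proxy host and port from the question; the resource names, `external.example.com`, and the pre-existing `istio-egressgateway` Gateway (TLS passthrough on port 443) are assumptions.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: corporate-proxy            # hypothetical name
  namespace: istio-system
spec:
  hosts:
  - myproxy.mycorporate.internal.domain
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 9081
    name: tcp-proxy
    protocol: TCP
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: corporate-proxy-tunnel     # hypothetical name
  namespace: istio-system
spec:
  host: myproxy.mycorporate.internal.domain
  trafficPolicy:
    tunnel:
      protocol: CONNECT            # gateway opens an HTTP CONNECT tunnel via the proxy
      targetHost: external.example.com   # placeholder destination
      targetPort: 443
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: egress-via-corporate-proxy # hypothetical name
  namespace: istio-system
spec:
  hosts:
  - external.example.com
  gateways:
  - istio-egressgateway            # assumed existing Gateway resource
  tls:                             # tunnel settings apply to TCP/TLS routes, not HTTP routes
  - match:
    - gateways: [istio-egressgateway]
      port: 443
      sniHosts: [external.example.com]
    route:
    - destination:
        host: myproxy.mycorporate.internal.domain
        port:
          number: 9081
```

Each `tunnel` block names a single `targetHost`, so every external destination routed this way needs its own tunnel policy, which also serves as an explicit allow-list of what may leave through the proxy.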