Configure HTTP Egress Traffic using Wildcard Hosts

Networking
1

With the use of an additional SNI proxy container, we have a way to route HTTPS traffic through the egress gateway without having to specify particular hosts: https://istio.io/docs/examples/advanced-gateways/wildcard-egress-hosts/

Is there a way to similarly configure HTTP traffic (without TLS) to be routed from application container, through sidecar, then to egress gateway and out? So far I have only found a way to do this by creating ServiceEntries for specific external servers not for wild-carded destinations.

@vadimeisenbergibm, @frankbu @geeknoid: Your suggestions would be much appreciated.

Thanks!

1 Like
2

Perhaps the envoy Original destination host request header can be used? https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/original_dst

3

@skydoctor You can do it, I tested various proxy options here https://github.com/vadimeisenbergibm/envoy-generic-forward-proxy.

The problem is however, with performance, since the additional Nginx proxy will not respect the original keep-alive directive, and the connections will not be kept alive.

4

@vadimeisenbergibm does configuring “keepalive” on NGINX keep the connection open?

http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive

5

I do not remember currently, there was some problem with it.

6

Did you have to follow these steps for your use case?

What additional SNI proxy did you end up installing? Do you use it in production? Do you recommend it?

I believe I need that additional SNI proxy for my use case, right?

Thanks!

7

Yes @luis.longo, you need an additional SNI proxy for your use case. You can use nginx as described in this page. The configuration is the following:

cat <<EOF > ./sni-proxy.conf
# setup custom path that do not require root access
pid /tmp/nginx.pid;

events {
}

stream {
  log_format log_stream '\$remote_addr [\$time_local] \$protocol [\$ssl_preread_server_name]'
  '\$status \$bytes_sent \$bytes_received \$session_time';

  access_log /var/log/nginx/access.log log_stream;
  error_log  /var/log/nginx/error.log;

  # tcp forward proxy by SNI
  server {
    resolver 8.8.8.8 ipv6=off;
    listen       127.0.0.1:18443;
    proxy_pass   \$ssl_preread_server_name:443;
    ssl_preread  on;
  }
}
EOF
8

Hi all! I saw the @vadimeisenbergibm and @skydoctor answers on using Envoy original destination load balancer and host header as described in this page, but is it possible to also originate mTLS connection at the egress?
I mean is it possible HTTP traffic (without TLS) to be routed from application container, through sidecar, then to egress gateway, where mTLS communication to be originated (using client certificates) and then routed to SNI proxy and out? Using wildcard hosts?
I asked the same question also here in Stackoverflow

9

I am also having same issue. I want to configure egress gateway for http for arbitrary domain (*.com). In documentation, I saw https for arbitrary domain which works fine but i need it for http.

10

@ttsokov were you able to implement your use case?

We would like to implement the same setup, use HTTP in the apps but enforce the TLS origination in the egress gateway for any host without the need to list all the possible destination hosts.