Configure HTTP Egress Traffic using Wildcard Hosts

With the use of an additional SNI proxy container, we have a way to route HTTPS traffic through the egress gateway without having to specify particular hosts: https://istio.io/docs/examples/advanced-gateways/wildcard-egress-hosts/

Is there a way to similarly configure HTTP traffic (without TLS) to be routed from the application container, through the sidecar, then to the egress gateway and out? So far I have only found a way to do this by creating ServiceEntries for specific external servers, not for wild-carded destinations.

@vadimeisenbergibm, @frankbu @geeknoid: Your suggestions would be much appreciated.

Thanks!

Perhaps the Envoy Original destination host request header can be used? https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/original_dst

@skydoctor You can do it, I tested various proxy options here https://github.com/vadimeisenbergibm/envoy-generic-forward-proxy.

The problem, however, is with performance, since the additional Nginx proxy will not respect the original keep-alive directive, and the connections will not be kept alive.

@vadimeisenbergibm does configuring “keepalive” on NGINX keep the connection open?

http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive

I do not remember currently, there was some problem with it.

Did you have to follow these steps for your use case?

What additional SNI proxy did you end up installing? Do you use it in production? Do you recommend it?

I believe I need that additional SNI proxy for my use case, right?

Thanks!