I’m generating traffic from a container inside an Istio mesh. The Istio sidecar attached to my workload has an EnvoyFilter defined with a host rewrite. We do this:
Original request:
:authority: external-service-url.com
Changed to:
changed :authority: temporary-url.com
added x-forwarded-host: external-service-url.com
The request goes out from the service’s istio-proxy and reaches the egress gateway.
We have defined a Gateway, VirtualService and DestinationRule for temporary-url.com in order to allow and handle traffic.
We have also defined an EnvoyFilter for routing the request to external-service-url.com again, like this:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-egress-rewrite
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_ROUTE
    match:
      routeConfiguration:
        vhost:
          name: "temporary-url.com"
          route:
            action: ANY
    patch:
      operation: MERGE
      value:
        route:
          host_rewrite_header: x-forwarded-host
So the idea here is to send traffic from the egress gateway to the original destination. The problem is that the egress gateway shows a 404 error; the log shows this:
{
"bytes_received": 0,
"downstream_peer_serial": "4cefb22d0b55239ed4b0b8b86c84cf8e",
"x_forwarded_proto": "https",
"upstream_cluster": null,
"user_agent": "Java-EurekaClient/v\u003cversion_unknown\u003e",
"traceId": null,
"response_code": 404,
"requested_server_name": "temporary-url.com",
"downstream_peer_cert_start": "2022-09-01T13:32:43.000Z",
"downstream_peer_cert_end": "2022-09-02T13:34:43.000Z",
"downstream_tls_version": "TLSv1.2",
"response_flags": "NR",
"upstream_transport_failure_reason": null,
"duration": 0,
"method": "GET",
"downstream_peer_fingerprint_1": "3f03425d5....5c1618c38e1a18",
"downstream_peer_fingerprint_256": "c4ec312bcfeb6e2...4eaea443708106bcfaaef3e55",
"upstream_service_time": null,
"spanId": null,
"start_time": "2022-09-01T20:16:50.087Z",
"downstream_remote_address": "100.64.45.254:52474",
"upstream_local_address": null,
"upstream_host": null,
"path": "/eureka/v2/apps/",
"x_forwarded_for": "100.64.45.254",
"authority": "external-service-url.com:8010",
"bytes_sent": 0,
"protocol": "HTTP/2",
"parentSpanId": null,
"x_forwarded_port": null,
"route_name": null
}
I tried to create an :authority rewrite using a Lua script like this:
configPatches:
- applyTo: HTTP_FILTER
  match:
    context: SIDECAR_OUTBOUND
    listener:
      filterChain:
        filter:
          name: "envoy.http_connection_manager"
          subFilter:
            name: "envoy.router"
  patch:
    operation: INSERT_BEFORE
    value:
      name: envoy.lua
      typed_config:
        '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
        inlineCode: |
          function envoy_on_request(request_handle)
and the result is exactly the same.
Any ideas why this happens?
Thanks in advance.
Fernando
More information:
istio version: 1.13.5
kubernetes: EKS 1.21.14
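
An added example, not part of the original post: a triage check for Envoy JSON access-log entries like the one above. Envoy's NR response flag means no route was configured for the request, and the virtual host is chosen from the Host/:authority header, so the check reports NR entries and any entry whose :authority host differs from the TLS SNI. The first sample line reuses fields from the posted log; the second line and all function names are constructed for illustration.

```python
import json

# Constructed sample input: line 1 copies fields from the gateway log in the post,
# line 2 is an invented "healthy" entry for contrast.
SAMPLE_LOG = """\
{"response_code": 404, "response_flags": "NR", "requested_server_name": "temporary-url.com", "authority": "external-service-url.com:8010", "route_name": null, "upstream_cluster": null, "path": "/eureka/v2/apps/"}
{"response_code": 200, "response_flags": "-", "requested_server_name": "temporary-url.com", "authority": "temporary-url.com", "route_name": "default", "upstream_cluster": "outbound|443||temporary-url.com", "path": "/ok"}
"""

def host_only(authority):
    """Strip an optional :port; keep bracketed IPv6 literals intact."""
    if not authority:
        return ""
    if authority.startswith("["):
        return authority[: authority.find("]") + 1].lower()
    return authority.rsplit(":", 1)[0].lower() if ":" in authority else authority.lower()

def triage(entry):
    """Return findings for one access-log entry (a dict parsed from JSON)."""
    findings = []
    flags = (entry.get("response_flags") or "").split(",")
    if "NR" in flags:
        findings.append("NR: no route matched this request")
        if entry.get("route_name") is None and entry.get("upstream_cluster") is None:
            findings.append("route_name and upstream_cluster are null: no route was selected")
    sni = (entry.get("requested_server_name") or "").lower()
    host = host_only(entry.get("authority"))
    if sni and host and sni != host:
        findings.append(
            f"SNI '{sni}' differs from :authority host '{host}': "
            "virtual host lookup uses :authority, not SNI"
        )
    return findings

def triage_lines(text):
    """Parse newline-delimited JSON and return (path, findings) per entry."""
    results = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            results.append((entry.get("path"), triage(entry)))
    return results

if __name__ == "__main__":
    for path, findings in triage_lines(SAMPLE_LOG):
        print(path, "->", findings or "ok")
```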