I tried setting up egress to an HTTPS proxy as per the documentation.
I then routed the traffic to the egress gateway as follows:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: org-devops-egressgw
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: tcp
      protocol: TCP
    hosts:
    - proxy-server
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: org-devops-pvt-egressdr
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: proxy ### name of the serviceentry
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: proxy
spec:
  hosts:
  - proxy-server
  gateways:
  - org-devops-egressgw
  - mesh
  tcp:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: proxy
  - match:
    - gateways:
      - org-devops-egressgw
      port: 80
    route:
    - destination:
        host: proxy-server
```
From my application istio-proxy, I can see the outbound traffic as such:
```
[2021-02-03T03:59:37.934Z] "- - -" 0 - "-" "-" 185 0 1 - "-" "-" "-" "-" "172.17.16.11:8080" outbound|80|proxy|istio-egressgateway.istio-system.svc.cluster.local 172.17.23.63:36234 xxx.xxx.xxx.xxx:80 172.17.23.63:59646 - -
```
From these logs, it seems like the sidecar can access the egress pods. I managed to ping successfully from the application pod to the proxy server. However, I am not able to curl from application port to internet services. The error message is as follows:
```
sh-4.2$ curl https://www.google.com -vvv
* About to connect() to proxy xxx.xxx.xxx.xxx port 80 (#0)
* Trying xxx.xxx.xxx.xxx...
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 80 (#0)
* Establish HTTP proxy tunnel to www.google.com:443
* Proxy auth using Basic with user '*****'
CONNECT www.google.com:443 HTTP/1.1
Host: www.google.com:443
Proxy-Authorization: Basic ****
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive
* Proxy CONNECT aborted
* Connection #0 to host xxx.xxx.xxx.xxx left intact
curl: (56) Proxy CONNECT aborted
```
From the egress-gateway pod, I am getting UH errors:
```
[2021-02-03T05:08:56.376Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - 172.17.16.11:8080 172.17.23.63:55172 - -
```
172.17.16.11 should be the egress-gateway pod, whereas 172.17.23.63 should be the application pod.
I would like to get help for this issue. Please note that the application pods only have 8443 exposed and the service to the application pods is redirected to 443.
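
The two access-log lines quoted above, split into named fields, as an added example that is not part of the original post. It assumes the logs use Istio's default text access log format of that period; the field labels are chosen here, and the flag descriptions follow Envoy's documented response flags.

```python
import shlex

# Labels chosen here for the positions in Istio's default text access log
# format of that period (assumed; a customised accessLogFormat will differ).
FIELDS = [
    "request", "response_code", "response_flags", "status_metadata",
    "upstream_transport_failure_reason", "bytes_received", "bytes_sent",
    "duration_ms", "upstream_service_time", "x_forwarded_for", "user_agent",
    "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
]

# A few Envoy response flags relevant to connection failures.
RESPONSE_FLAGS = {
    "UH": "no healthy upstream hosts in the upstream cluster",
    "UF": "upstream connection failure",
    "NR": "no route configured for the request",
    "NC": "upstream cluster not found",
}

# The two log lines from the post, with typographic quotes normalised.
SIDECAR_LINE = '[2021-02-03T03:59:37.934Z] "- - -" 0 - "-" "-" 185 0 1 - "-" "-" "-" "-" "172.17.16.11:8080" outbound|80|proxy|istio-egressgateway.istio-system.svc.cluster.local 172.17.23.63:36234 xxx.xxx.xxx.xxx:80 172.17.23.63:59646 - -'
GATEWAY_LINE = '[2021-02-03T05:08:56.376Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - 172.17.16.11:8080 172.17.23.63:55172 - -'

def parse(line):
    """Split one access-log line into a dict keyed by FIELDS plus 'timestamp'."""
    timestamp, _, rest = line.partition("] ")
    values = shlex.split(rest)  # honours the quoted "- - -" request field
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    record = dict(zip(FIELDS, values))
    record["timestamp"] = timestamp.lstrip("[")
    return record

def diagnose(record):
    """Return human-readable notes for any failure indicators in the record."""
    flags = [f for f in record["response_flags"].split(",") if f != "-"]
    notes = [f"{f}: {RESPONSE_FLAGS.get(f, 'unrecognised flag')}" for f in flags]
    if record["upstream_host"] == "-":
        notes.append("no upstream host was selected, so nothing was forwarded")
    return notes

if __name__ == "__main__":
    for name, line in (("sidecar", SIDECAR_LINE), ("egress gateway", GATEWAY_LINE)):
        rec = parse(line)
        print(name, rec["downstream_local_address"], "->", rec["upstream_host"], diagnose(rec))
```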