Egress Gateway HTTPS proxy

Config
1

I tried setting up Egress to HTTPS proxy as per documentation

Thereafter routing the traffic to egress gateway as such:

apiVersion: networking. istio. io/v1alpha3
kind: Gateway
metadata:
name: org-devops-egressgw
spec:
selector:
istio: egressgateway
servers:

  • port:
    number: 80
    name: tcp
    protocol: TCP
    hosts:
    • proxy-server

apiVersion: networking. istio. io/v1alpha3
kind: DestinationRule
metadata:
name: org-devops-pvt-egressdr
spec:
host: istio-egressgateway. istio-system. svc. cluster. local
subsets:

  • name: proxy ### name of the serviceentry

apiVersion: networking. istio. io/v1alpha3
kind: VirtualService
metadata:
name: proxy
spec:
hosts:

  • proxy-server
    gateways:
  • org-devops-egressgw
  • mesh
    tcp:
  • match:
    • gateways:
      • mesh
        port: 80
        route:
    • destination:
      host: istio-egressgateway. istio-system. svc. cluster. local
      subset: proxy
  • match:
    • gateways:
      • org-devops-egressgw
        port: 80
        route:
    • destination:
      host: proxy-server

From my application istio-proxy, I can see the outbound traffic as such:
[2021-02-03T03:59:37.934Z] “- - -” 0 - “-” “-” 185 0 1 - “-” “-” “-” “-” “172.17.16.11:8080” outbound|80|proxy|istio-egressgateway. istio-system. svc. cluster. local 172.17.23.63:36234 xxx.xxx.xxx.xxx:80 172.17.23.63:59646 - -

From these logs, it seems like the sidecar can access egress pods. I manage to ping successfully from the application pod to the proxy server. However, I am not able to curl from application port to internet services. The error message is as follows:
sh-4.2$ curl https://www. google. com -vvv

  • About to connect() to proxy xxx.xxx.xxx.xxx port 80 (#0)
  • Trying xxx.xxx.xxx.xxx…
  • Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 80 (#0)
  • Establish HTTP proxy tunnel to www. google. com:443
  • Proxy auth using Basic with user ‘*****’

CONNECT www. google. com:443 HTTP/1.1
Host: www. google. com:443
Proxy-Authorization: Basic ****
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive

  • Proxy CONNECT aborted
  • Connection #0 to host xxx.xxx.xxx.xxx left intact
    curl: (56) Proxy CONNECT aborted

From the egress-gateway pod, I am getting UH errors:
[2021-02-03T05:08:56.376Z] “- - -” 0 UH “-” “-” 0 0 0 - “-” “-” “-” “-” “-” - - 172.17.16.11:8080 172.17.23.63:55172 - -

172.17.16.11 should be the egress-gateway pod whereas 172.17.23.63 should be application pod.

I would like to get help for this issue. Please note that the application pods only have 8443 exposed and the service to the application pods is redirected to 443.

2

Have you tried handson/handson__HTTPS_PROXY_egress_gateway.md at 0bffa778e3247ea73804da6d3591d7c1571c6c7a · bysnupy/handson · GitHub ?