Egress Gateway HTTPS proxy

I tried setting up Egress to HTTPS proxy as per the documentation.

Thereafter routing the traffic to egress gateway as such:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: org-devops-egressgw
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: tcp
      protocol: TCP
    hosts:
    - proxy-server
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: org-devops-pvt-egressdr
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: proxy ### name of the serviceentry
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: proxy
spec:
  hosts:
  - proxy-server
  gateways:
  - org-devops-egressgw
  - mesh
  tcp:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: proxy
  - match:
    - gateways:
      - org-devops-egressgw
      port: 80
    route:
    - destination:
        host: proxy-server
```

From my application istio-proxy, I can see the outbound traffic as such:

```
[2021-02-03T03:59:37.934Z] "- - -" 0 - "-" "-" 185 0 1 - "-" "-" "-" "-" "172.17.16.11:8080" outbound|80|proxy|istio-egressgateway.istio-system.svc.cluster.local 172.17.23.63:36234 xxx.xxx.xxx.xxx:80 172.17.23.63:59646 - -
```

From these logs, it seems like the sidecar can access egress pods. I managed to ping successfully from the application pod to the proxy server. However, I am not able to curl from application port to internet services. The error message is as follows:

```
sh-4.2$ curl https://www.google.com -vvv
* About to connect() to proxy xxx.xxx.xxx.xxx port 80 (#0)
*   Trying xxx.xxx.xxx.xxx...
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 80 (#0)
* Establish HTTP proxy tunnel to www.google.com:443
* Proxy auth using Basic with user '*****'
CONNECT www.google.com:443 HTTP/1.1
Host: www.google.com:443
Proxy-Authorization: Basic ****
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive

* Proxy CONNECT aborted
* Connection #0 to host xxx.xxx.xxx.xxx left intact
curl: (56) Proxy CONNECT aborted
```

From the egress-gateway pod, I am getting UH errors:

```
[2021-02-03T05:08:56.376Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - 172.17.16.11:8080 172.17.23.63:55172 - -
```

172.17.16.11 should be the egress-gateway pod, whereas 172.17.23.63 should be the application pod.

I would like to get help for this issue. Please note that the application pods only have 8443 exposed and the service to the application pods is redirected to 443.

Have you tried handson/handson__HTTPS_PROXY_egress_gateway.md at 0bffa778e3247ea73804da6d3591d7c1571c6c7a · bysnupy/handson · GitHub?