How to redirect to extrernal proxy in https

1

Hello,

I nedd some helps with an issue. I want ro redirect all flux in my tiny proxy and forward to destination. I know that tiny proxy doesn’t accept https so I create destinationrule to use CONNECT protocol.
Whan I curl with http everythng is ok but when I need tu curl in https to google it’s failed:

The following is my actuel configuration:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-forward-proxy.external.svc.cluster.local
spec:
  hosts:
    - external-forward-proxy.external.svc.cluster.local
  location: MESH_EXTERNAL
  ports:
    - number: 8888
      name: http
      protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: example-com
spec:
  hosts:
    - www.google.com
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: example-com-via-egress-gateway
spec:
  hosts:
    - www.google.com
  gateways:
    - istio-egressgateway
    - mesh
  http:
    - match:
        - gateways:
            - mesh
          port: 80
      route:
        - destination:
            host: istio-egressgateway.istio-system.svc.cluster.local
            port:
              number: 80
    - match:
        - gateways:
            - istio-egressgateway
          port: 443
      route:
        - destination:
            host: external-forward-proxy.external.svc.cluster.local
            port:
              number: 8888
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tunnel-tls
spec:
  host: external-forward-proxy.external.svc.cluster.local
  trafficPolicy:
    tunnel:
      protocol: CONNECT
      targetPort: 8888
      targetHost: external-forward-proxy.external.svc.cluster.local
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - www.google.com
    - port:
        number: 443   # Ajoutez cette section pour le trafic HTTPS
        name: https
        protocol: HTTPS
      hosts:
        - www.google.com
      tls:
        mode: ISTIO_MUTUAL

root@FR-76S3GS3:/home/laurent/istio/test# kubectl exec "$SOURCE_POD" -c sleep -- sh -c "curl -I -v   https://www.google.com/ "
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 142.250.201.164:443...
* Connected to www.google.com (142.250.201.164) port 443
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /cacert.pem
*  CApath: /etc/ssl/certs
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to www.google.com:443
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection
curl: (35) Recv failure: Connection reset by peer
command terminated with exit code 35
root@FR-76S3GS3:/home/laurent/istio/test#

root@FR-76S3GS3:/home/laurent/istio/test# kubectl logs "$SOURCE_POD" -c istio-proxy
[2023-12-20T08:21:43.212Z] "- - -" 0 NC - - "-" 0 0 2 - "-" "-" "-" "-" "-" - - 142.250.201.164:443 10.1.212.83:43862 www.google.com -
root@FR-76S3GS3:/home/laurent/istio/test#

nothing appear in tinyproxy logs ansd istioegresspod when I use https

Anyone can help ?