HTTP 404 When "AUTHORITY" and "REQUESTED_SERVER_NAME" are different

Hi there,

I have a use case where a request is sent by Azure App Gateway (APW) to Istio.

Problem Statement:
The flow of the request is like below
User :arrow_right: AGW (test.abc.com) [overriding the backend hostname] :arrow_right: Istio (sandpit.abc.com)

This is what is I see in “istio-ingressgateway” pod’s log

[2021-06-16T18:24:10.794Z] "GET /online/api/health HTTP/1.1" 404 NR "-" 0 0 0 - "10.xxx.xx.36" "-" "c5571349-6ea1-4745-8a9f-13a542c42b25" "test.abc.com" "-" - - 10.xxx.9.118:8443 10.xxx.xx.36:30099 sandpit.abc.com -

It looks like the handshake happens on host SNI “sandpit.abc.com” and Authority is being passed as “test.abc.com”. This might confuse Istio in the selection of Virtual Services hence 404 NR

Setup:

  1. Gateway is configured to handle both hosts test.abc.com and sandpit.abc.com
  2. Virtual Service is configured to handle both hosts test.abc.com and sandpit.abc.com

When a request is sent directly to

  1. test.abc.com - Works
  2. sandpit.abc.com - Works
  3. AGW (sandpit.abc.com) :arrow_right: Istio (sandpit.abc.com) - works

Inference:
When “AUTHORITY” and “REQUESTED_SERVER_NAME” are same Istio responds with HTTP 200 else HTTP 404

Question:
Is there any way to modify “REQUESTED_SERVER_NAME” before the request is processed by Istio? or is there any solution to make this setup work

Hello @dhavlev , any news on this request you made, I’m having a similar problem.
My issue is in the egress gateway pod, it is originated by an authority header rewrite

Any news ? I have similar issue at istio 1.15.2 on GKE 1.24.3

Hello from 2023 @FernandoVillarreal and @little_crazzy any news on this? :slight_smile: