Local HTTP rate limit for TLS backend service

I have a simple ‘go’ server listening for HTTPS traffic on port 8443 running in a container (inside a K8s cluster). I have an Istio ingress gateway (version 1.15) running at the edge of the K8s cluster (listening on port 443). Once I exposed the service (incoming 443 targeted to port 8443) and declared the virtual service (matching URL ‘/testgo’ to be forwarded to port 443 of the service) and destination rule (using SIMPLE TLS), I am able to access the service (from outside the cluster) using “https://GATEWAY_HOST/test”.

Now, I want to enable local HTTP rate limiting on this service, so I enabled proxy injection. I was able to access the service (still listening for HTTPS traffic) only when I set ‘peerAuthentication’ to ‘DISABLE’ (using the advice at ALPN filter incorrectly applies to non-Istio TLS traffic · Issue #40680 · istio/istio · GitHub).

But now the local HTTP rate limit filter (using the sample provided at Istio / Enabling Rate Limits using Envoy) does not work. Is this because the injected Envoy proxy is now just passing through the traffic and has no knowledge of whether it is HTTP or not?
Is it possible to do HTTP-level rate limiting when peerAuthentication is set to DISABLE and the backend is listening on HTTPS?

Please note that the exact same filter works if the backend starts listening on plain HTTP, peerAuthentication is changed to PERMISSIVE (or STRICT) and the destination rule is changed to use MUTUAL TLS.

The service, virtualservice, destinationrule and peerAuthentication resources look like below for the service listening on HTTPS (port 8443):

apiVersion: v1
kind: Service
metadata:
  name: test-service
spec:
  selector:
    app: web
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443
      name: https
---
kind: VirtualService
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: test
spec:
  gateways:
    - default-ingressgateway
  hosts:
    - '*'
  http:
  - match:
    - uri:
        prefix: /testgo/
    rewrite:
      uri: "/"
    route:
    - destination:
        host: test-service
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test
spec:
  host: test-service
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
kind: PeerAuthentication
metadata:
  name: test-go-server
  namespace: default
spec:
  selector:
    matchLabels:
      app: web
  mtls:
    mode: DISABLE
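
For reference, an added example (not part of the original post and not taken from the poster's cluster): a local rate limit EnvoyFilter in the shape of the Istio documentation sample, scoped to the `app: web` workload above. The `match` clause selects only inbound filter chains that contain an HTTP connection manager, which a port the sidecar handles as opaque TLS does not have. The resource name and token bucket values are assumptions.

```yaml
# Added example: resource name and token bucket values are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: web-local-ratelimit        # hypothetical name
  namespace: default
spec:
  workloadSelector:
    labels:
      app: web                     # same label as the PeerAuthentication selector
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              # Only filter chains that parse HTTP carry this network filter.
              # A chain that forwards TLS bytes as TCP has no HTTP filter
              # list, so this patch has nothing to attach to.
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter
              token_bucket:          # constructed values: 10 requests per minute
                max_tokens: 10
                tokens_per_fill: 10
                fill_interval: 60s
              filter_enabled:
                runtime_key: local_rate_limit_enabled
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              filter_enforced:
                runtime_key: local_rate_limit_enforced
                default_value:
                  numerator: 100
                  denominator: HUNDRED
```

Whether the patch was applied can be checked by dumping the sidecar's inbound listener for port 8443 with `istioctl proxy-config listeners <pod> -o json` and looking for `envoy.filters.http.local_ratelimit` in its filter chain.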