I have a simple Go server listening for HTTPS traffic on port 8443, running in a container inside a K8s cluster. I have an Istio ingress gateway (version 1.15) running at the edge of the K8s cluster, listening on port 443. Once I exposed the service (incoming 443 targeted to port 8443) and declared the VirtualService (matching the URL ‘/testgo’ to be forwarded to port 443 of the service) and the DestinationRule (using SIMPLE TLS), I was able to access the service from outside the cluster using “https://GATEWAY_HOST/test”.
Now I want to enable local HTTP rate limiting on this service, so I enabled proxy injection. I was able to access the service (still listening for HTTPS traffic) only when I set PeerAuthentication to DISABLE (using the advice in ALPN filter incorrectly applies to non-Istio TLS traffic · Issue #40680 · istio/istio · GitHub).
But now the local HTTP rate limit filter (using the sample provided at Istio / Enabling Rate Limits using Envoy) does not work. Is this because the injected Envoy proxy is now just passing the traffic through and has no knowledge of whether it is HTTP or not?
Is it possible to do HTTP-level rate limiting when PeerAuthentication is set to DISABLE and the backend is listening on HTTPS?
Please note that the exact same filter works if the backend starts listening on plain HTTP, PeerAuthentication is changed to PERMISSIVE (or STRICT) and the DestinationRule is changed to use MUTUAL TLS.
The Service, VirtualService, DestinationRule and PeerAuthentication resources for the service listening on HTTPS (port 8443) are shown below:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: test-service
spec:
  selector:
    app: web
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443
      name: https
```

```yaml
kind: VirtualService
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: test
spec:
  gateways:
    - default-ingressgateway
  hosts:
    - '*'
  http:
    - match:
        - uri:
            prefix: /testgo/
      rewrite:
        uri: "/"
      route:
        - destination:
            host: test-service
            port:
              number: 443
```

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test
spec:
  host: test-service
  trafficPolicy:
    tls:
      mode: SIMPLE
```

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: test-go-server
  namespace: default
spec:
  selector:
    matchLabels:
      app: web
  mtls:
    mode: DISABLE
```
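As an added example that is not part of the original post, here is the combination the post reports as working, written out in full next to the local rate limit EnvoyFilter from the Istio docs. The security-relevant difference from the HTTPS variant above is where TLS ends: a Service port named `https` is treated by Istio as TLS rather than HTTP, and with PeerAuthentication DISABLE the sidecar cannot terminate the TLS the gateway originates, so the inbound filter chain on that port is a TCP proxy with no HTTP connection manager for the `HTTP_FILTER` patch to attach to. With the backend on plain HTTP behind a port named `http`, PeerAuthentication STRICT and the gateway using Istio mTLS (`ISTIO_MUTUAL`), the sidecar terminates mTLS itself and sees the requests. The port numbers 80 and 8080, the EnvoyFilter name and the token bucket values (10 requests per minute) are assumptions chosen for illustration.

```yaml
# Added example, not the original post's resources: plain HTTP backend,
# STRICT PeerAuthentication, Istio mTLS from the gateway, plus the local
# rate limit EnvoyFilter from the Istio docs. Port numbers, names and the
# token bucket values are assumptions for illustration.
apiVersion: v1
kind: Service
metadata:
  name: test-service
spec:
  selector:
    app: web
  ports:
    - protocol: TCP
      port: 80          # assumed; the VirtualService destination port must match
      targetPort: 8080  # assumed: the Go server now listens for plain HTTP here
      name: http        # "http", not "https": the sidecar builds an HTTP listener
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: test-go-server
  namespace: default
spec:
  selector:
    matchLabels:
      app: web
  mtls:
    mode: STRICT        # the sidecar terminates mTLS and then sees plaintext HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test
spec:
  host: test-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL  # gateway presents its Istio-issued cert to the sidecar
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: test-local-ratelimit   # assumed name
  namespace: default
spec:
  workloadSelector:
    labels:
      app: web
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND   # only matches inbound ports Istio treats as HTTP
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter
              token_bucket:            # assumed: 10 requests per minute, then HTTP 429
                max_tokens: 10
                tokens_per_fill: 10
                fill_interval: 60s
              filter_enabled:
                runtime_key: local_rate_limit_enabled
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              filter_enforced:
                runtime_key: local_rate_limit_enforced
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              response_headers_to_add:
                - append: false
                  header:
                    key: x-local-rate-limit
                    value: 'true'
```

The VirtualService from the post is kept unchanged apart from its destination port number, which must become 80 to match the Service. To check that the patch actually attached, inspect the sidecar's inbound listener with `istioctl proxy-config listeners <pod> --port 8080 -o json` and look for `envoy.filters.http.local_ratelimit` inside the HTTP connection manager; in the HTTPS variant the same command shows a TCP proxy filter chain instead, which is why the filter silently does nothing there. Sending more than 10 requests within a minute through the gateway should then return HTTP 429 with the `x-local-rate-limit: true` header.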