ProxyProtocolUpstreamTransport is not working as expected

sai_kiran · December 13, 2021, 9:03am

Hi There,

I enabled the proxy protocol on ingress gateway and ingress gateway is configured with SSL passthrough. I am accessing https://test.api.com

Enabled Proxy Protocol to upstream also like below:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: proxy-protocol-upstream
namespace: istio-system
spec:
configPatches:
- applyTo: CLUSTER
patch:
operation: MERGE
value:
transport_socket:
name: envoy.transport_sockets.upstream_proxy_protocol
typed_config:
‘@type’: >-
type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
config:
version: V2
transport_socket:
name: envoy.transport_sockets.raw_buffer
workloadSelector:
labels:
app: istio-ingressgateway

In the Application pod level added Proxy listener like below:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: proxy-protocol-api
namespace: default
spec:
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
workloadSelector:
labels:
app: test-app

Now the problem is the routing is not going to application pod.

If ProxyProtocolUpstreamTransport is not configured, then the application pod proxy getting the tls server name as outbound_.443_._customservice.default.svc.cluster.local, where as with the UpstreamTransport it was showing as original hostname

Istio proxy logs of ingress gateway:

2021-12-13T08:26:24.618028Z debug envoy filter tls inspector: new connection accepted
2021-12-13T08:26:24.618080Z debug envoy filter proxy_protocol: New connection accepted
2021-12-13T08:26:24.618123Z debug envoy filter tls inspector: new connection accepted
2021-12-13T08:26:24.618175Z debug envoy filter tls:onServerName(), requestedServerName: test.api.com
2021-12-13T08:26:24.618244Z debug envoy filter [C311] new tcp proxy session
2021-12-13T08:26:24.618270Z debug envoy filter [C311] Creating connection to cluster outbound|443||customservice.default.svc.cluster.local
2021-12-13T08:26:24.618316Z debug envoy pool creating a new connection
2021-12-13T08:26:24.618389Z debug envoy pool [C312] connecting
2021-12-13T08:26:24.618398Z debug envoy connection [C312] connecting to 172.17.18.31:8990
2021-12-13T08:26:24.618472Z debug envoy connection [C312] connection in progress
2021-12-13T08:26:24.618483Z debug envoy pool queueing request due to no available connections
2021-12-13T08:26:24.618486Z debug envoy conn_handler [C311] new connection
2021-12-13T08:26:24.620812Z debug envoy connection [C312] connected
2021-12-13T08:26:24.620847Z debug envoy pool [C312] assigning connection
2021-12-13T08:26:24.620866Z debug envoy filter [C311] TCP:onUpstreamEvent(), requestedServerName: test.api.com

Istio proxy log of application pod

2021-12-13T08:26:38.538574Z debug envoy filter tls inspector: new connection accepted
2021-12-13T08:26:38.538602Z debug envoy filter proxy_protocol: New connection accepted
2021-12-13T08:26:38.538629Z debug envoy filter tls inspector: new connection accepted
2021-12-13T08:26:38.538684Z debug envoy filter tls:onServerName(), requestedServerName: test.api.com
2021-12-13T08:26:38.538783Z debug envoy filter [C9098] new tcp proxy session
2021-12-13T08:26:38.538815Z debug envoy filter [C9098] Creating connection to cluster InboundPassthroughClusterIpv4
2021-12-13T08:26:38.538844Z debug envoy upstream transport socket match, socket default selected for host with address XX.XX.XX.XX:443
2021-12-13T08:26:38.538851Z debug envoy upstream Created host XX.XX.XX.XX:443.
2021-12-13T08:26:38.538871Z debug envoy pool creating a new connection
2021-12-13T08:26:38.538904Z debug envoy upstream addHost() adding XX.XX.XX.XX:443
2021-12-13T08:26:38.538957Z debug envoy upstream membership update for TLS cluster InboundPassthroughClusterIpv4 added 1 removed 0
2021-12-13T08:26:38.538966Z debug envoy upstream re-creating local LB for TLS cluster InboundPassthroughClusterIpv4
2021-12-13T08:26:38.538974Z debug envoy upstream membership update for TLS cluster InboundPassthroughClusterIpv4 added 1 removed 0
2021-12-13T08:26:38.538981Z debug envoy pool [C9099] connecting
2021-12-13T08:26:38.538989Z debug envoy upstream re-creating local LB for TLS cluster InboundPassthroughClusterIpv4

Am I missing any configuration?

tehnicaorg · March 3, 2022, 10:10am

Hi @sai_kiran , did you manage to solve this problem?

Topic		Replies	Views
Config istio proxy protocol	3	1004	April 12, 2023
Enable proxy protocol from Istio to upstreams Networking	2	1860	April 12, 2023
Proxy ingress traffic to a specific pod Networking	0	1392	April 21, 2022
Istio proxy protocol does not work for tcp stream on EKS Networking	0	1311	July 19, 2020
Error setting up EnvoyFilter for PROXY protocol Networking	0	1036	April 20, 2022

ProxyProtocolUpstreamTransport is not working as expected

Related topics