vsingla
September 30, 2019, 9:55pm
1
One of my apps is accessing cve.cicl.lu over http. I am seeing the following log in mixer for this access. Note the following entries: “requestedServerName”:“cve.circl.lu”, “destinationServiceHost”:“speech.googleapis.com ”, “protocol”:“tcp”. Not sure why protocol is “tcp” and why the destinationServiceHost is speech.googleapis.com ! Any clues/help is appreciated.
{speech.googleapis.com ”,
This can happen if you have VirtualService defined which is routing traffic destined for host cve.circl.lu to speech.googleapis.com. Additionally, if you application is using HTTPS to talk to cve.circl.lu, then sidecar proxy will only TLS SNI based routing and can only report TCP (not HTTP) metrics.
Thanks for replying. I have the following virtual services defined. Do you see any issue with this?
Name: appguard-cvekubectl.kubernetes.io/last-applied-configuration={“apiVersion”:“networking.istio.io/v1alpha3”,“kind”:“VirtualService”,“metadata”:{“annotations”:{},“name”:“appguard-cve”,“namespace”:“default”},"spec ":{…networking.istio.io/v1alpha3
Also, I have the following virtual service for speech API:
Name: bookinfo-google-speech-apis-virtualservicenetworking.istio.io/v1alpha3 speech.googleapis.com speech.googleapis.com
Also, below are the serviceentries:
Name: appguard-cvekubectl.kubernetes.io/last-applied-configuration={“apiVersion”:“networking.istio.io/v1alpha3”,“kind”:“ServiceEntry”,“metadata”:{“annotations”:{},“name”:“appguard-cve”,“namespace”:“default”},“spec”:{"h …networking.istio.io/v1alpha3
Name: bookinfo-google-speech-api-serviceentrynetworking.istio.io/v1alpha3 speech.googleapis.com
It’s little difficult to trace through the examples without formatting. Can you add yaml tags to your comments and then I can see if there’s any issue with your configuration. Thanks!
I was able to resolve the destinationServiceHost issue by adding an entry for port 443 in the ServiceEntry as below (since the access is via HTTPS). BUT I still see the log reporting protocol as tcp as opposed to https. How do I fix this?
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"networking.istio.io/v1alpha3","kind":"ServiceEntry","metadata":{"annotations":{},"name":"appguard-cve","namespace":"default"},"spec":{"hosts":["cve.circl.lu"],"location":"MESH_EXTERNAL","ports":[{"name":"cve","number":80,"protocol":"HTTP"}],"resolution":"NONE"}}
clusterName: ""
creationTimestamp: 2019-09-12T18:58:23Z
generation: 1
name: appguard-cve
namespace: default
resourceVersion: "4319139"
selfLink: /apis/networking.istio.io/v1alpha3/namespaces/default/serviceentries/appguard-cve
uid: 4bad5b3c-d58f-11e9-b3da-0025b5ee0200
spec:
hosts:
- cve.circl.lu
location: MESH_EXTERNAL
ports:
- name: cve
number: 80
protocol: HTTP
- name: cves
number: 443
protocol: HTTPS
resolution: NONE
So here is how the log looks now. Notice the protocol is still “tcp”
{
Because you’re using HTTPS initiated from your application, the sidecar proxy does TCP proxying via SNI header in the TLS handshake. If you want visibility into external services, you should have the application talk HTTP to the external service and have the sidecar proxy do TLS origination. This means the following:
Application -----HTTP—> Sidecar Proxy ----HTTPS-----> External service
If you configure it like this, the logs and all reported metrics will be HTTP. Here’s an example of how to do this .
vsingla
October 2, 2019, 10:30pm
11
Thanks, appreciate your help!