TLS Handling from Envoy

George_Pentaris · November 2, 2020, 10:40am

I want to ask which is the exact flow between container and envoy proxy sidecar for tls connections.

What I have seen so far:

With tls origination:

Container sends to envoy sidecar plain http
Envoy sidecar starts an https connection with the target. If we use SIMPLE mode envoy proxy sidecar does not perform targe certificate validation

What about an https connection? What I would like to achieve is the following:

Container sends to envoy sidecar https through ISTIO_MUTUAL and trusts sidecar’s certificate
Envoy sidecar starts an https connection with the target. If we use SIMPLE mode envoy proxy sidecar does not perform targe certificate validation

Im not able to achieve this with any configuration. Is it possible?

nick_tetrate · November 3, 2020, 12:52pm

What are you trying to achieve? are you worried about http traffic from your app container to envoy? If so the recommended approach is to use unix domain sockets to communicate with the envoy sidecar.

George_Pentaris · November 3, 2020, 1:35pm

Hi Nick, thanks for the reply.
To be honest Im trying to achieve an https communication between the pod and the target without certificate validation. it seems strange to me that you can do Istio tls origination without certificate validation for http requests from the pod while you cannot do the same for https requests.
i.e
pod ->(http to target URL) reaches envoy sidecar -> (mTLS) to egress Gateway ->(SIMPLE, no validation) to target
while
pod->(https to target) requires certificate validation

Topic		Replies	Views
Https only backend service Networking	1	747	February 9, 2022
Istio pod to pod mTLS Security	3	2199	July 2, 2020
How safe is it to start a tls from the istio envoy and not from the container? Security security	1	373	February 25, 2021
Prevent outbound packet sniffing Security	0	526	November 11, 2020
How does Istio allow mTLS over HTTP(port 80) Security	3	1705	January 25, 2021

TLS Handling from Envoy

Related Topics