Using Istio egress as HTTPS proxy for pods without sidecar

I’m trying to use istio egressgateway as an HTTPS proxy with TLS PASSTHROUGH for pods that run without Istio’s sidecar.
I’ve used the following guide:

And removed the parts that direct traffic from the mesh to the gateways, as the pod is not part of the mesh.
Instead, on the pods I’m using the “export https_proxy” and “export http_proxy” commands to direct traffic to the egressgateways.

Here is the configuration:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: ifconfig.co
  namespace: istio-egress
spec:
  hosts:
  - ifconfig.co
  ports:
  - name: http-port
    number: 80
    protocol: HTTP
  - name: tls
    number: 443
    protocol: TLS
  resolution: DNS

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: egressgateway
  namespace: istio-egress
spec:
  selector:
    istio: egressgateway
  servers:
  - hosts:
    - ifconfig.co
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - ifconfig.co
    port:
      name: tls
      number: 443
      protocol: TLS
    tls:
      mode: PASSTHROUGH

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ifconfig.co-vs
  namespace: istio-egress
spec:
  gateways:
  - egressgateway
  hosts:
  - ifconfig.co
  http:
  - route:
    - destination:
        host: ifconfig.co
        port:
          number: 80
  tls:
  - match:
    - gateways:
      - egressgateway
      port: 443
      sniHosts:
      - ifconfig.co
    route:
    - destination:
        host: ifconfig.co
        port:
          number: 443

HTTP Testing - Works:

root@sleep-747df6f4d-bcfgp:/# export https_proxy=http://istio-egressgateway.istio-egress.svc.cluster.local:80
root@sleep-747df6f4d-bcfgp:/# export http_proxy=http://istio-egressgateway.istio-egress.svc.cluster.local:80
root@sleep-747df6f4d-bcfgp:/# curl http://ifconfig.co
3.213.148.211

Istio’s access logs:

{"response_flags":"-","upstream_host":"172.67.133.228:80","upstream_cluster":"outbound|80||ifconfig.co","downstream_local_address":"10.190.131.228:8080","upstream_service_time":"108","upstream_transport_failure_reason":null,"duration":108,"bytes_received":0,"user_agent":"curl/7.68.0","downstream_remote_address":"10.190.210.107:44520","route_name":null,"requested_server_name":null,"authority":"ifconfig.co","request_id":"0574a15f-19d1-4f85-ab6a-d32a3b64d599","protocol":"HTTP/1.1","upstream_local_address":"10.190.131.228:38238","path":"/","method":"GET","start_time":"2021-10-19T03:06:01.378Z","bytes_sent":14,"response_code_details":"via_upstream","connection_termination_details":null,"x_forwarded_for":"10.190.210.107","response_code":200}

HTTPS Testing - Doesn’t work:

root@sleep-747df6f4d-bcfgp:/# curl https://ifconfig.co
curl: (56) Received HTTP code 404 from proxy after CONNECT

Istio’s access logs:

{"connection_termination_details":null,"bytes_sent":0,"duration":0,"request_id":"951b6591-4f93-4c2a-bc85-49f96a6d7db2","x_forwarded_for":"10.190.210.107","authority":"ifconfig.co:443","upstream_service_time":null,"user_agent":"curl/7.68.0","response_code_details":"route_not_found","response_code":404,"method":"CONNECT","upstream_local_address":null,"start_time":"2021-10-19T03:07:02.159Z","requested_server_name":null,"downstream_remote_address":"10.190.210.107:48606","upstream_host":null,"response_flags":"NR","route_name":null,"downstream_local_address":"10.190.131.228:8080","path":null,"protocol":"HTTP/1.1","upstream_transport_failure_reason":null,"upstream_cluster":null,"bytes_received":0}

$ istioctl version
client version: 1.9.0
control plane version: 1.9.0
data plane version: 1.9.0 (17 proxies)
$ kubectl version --short
Client Version: v1.18.9-eks-d1db3c
Server Version: v1.19.13-eks-8df270
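
To pin down where the HTTPS attempt diverges from the HTTP one, here is an added triage script (example code, not from the post) that parses the two access-log entries above, trimmed to the fields that matter, and decodes what they show: the CONNECT arrived on the same HTTP listener (port 8080) with no SNI and Envoy's NR (no route) flag. Field meanings follow Envoy's access-log format; the mode labels are this example's own.

```python
import json

# Constructed for this example: the fields that matter, trimmed from the two
# access-log entries quoted in the post (the working GET and the failing CONNECT).
SAMPLE_LOGS = [
    '{"method":"GET","authority":"ifconfig.co","path":"/","protocol":"HTTP/1.1",'
    '"downstream_local_address":"10.190.131.228:8080","requested_server_name":null,'
    '"response_code":200,"response_code_details":"via_upstream","response_flags":"-",'
    '"upstream_cluster":"outbound|80||ifconfig.co"}',
    '{"method":"CONNECT","authority":"ifconfig.co:443","path":null,"protocol":"HTTP/1.1",'
    '"downstream_local_address":"10.190.131.228:8080","requested_server_name":null,'
    '"response_code":404,"response_code_details":"route_not_found","response_flags":"NR",'
    '"upstream_cluster":null}',
]

# Envoy %RESPONSE_FLAGS% codes a forward-proxy triage most often meets.
FLAG_MEANING = {
    "-": "no error flag",
    "NR": "no route matched the request (route_not_found)",
    "UH": "no healthy upstream host in the cluster",
}

def classify(line: str) -> dict:
    """Explain one Istio/Envoy JSON access-log entry from a gateway used as a forward proxy."""
    e = json.loads(line)
    flags = (e.get("response_flags") or "-").split(",")
    listener_port = (e.get("downstream_local_address") or ":?").rsplit(":", 1)[1]
    result = {
        "method": e.get("method"),
        "authority": e.get("authority"),
        "listener_port": listener_port,
        "routed": "NR" not in flags and e.get("upstream_cluster") is not None,
        "flags": [FLAG_MEANING.get(f, "unknown flag " + f) for f in flags],
        # requested_server_name is the TLS SNI; Envoy only fills it after seeing a ClientHello.
        "sni_seen": e.get("requested_server_name") is not None,
    }
    if e.get("method") == "CONNECT":
        # curl asks the proxy for a TCP tunnel before starting TLS, so the gateway sees a
        # plaintext CONNECT on its HTTP listener, never a ClientHello: there is no SNI for
        # an SNI-matched TLS PASSTHROUGH server on 443 to act on.
        result["mode"] = "http_connect_tunnel"
    else:
        # Plain forward-proxied HTTP: the host lands in "authority" and the path in "path",
        # which the HTTP route can match on.
        result["mode"] = "forward_proxy_http"
    return result

def triage(lines=SAMPLE_LOGS) -> list:
    return [classify(line) for line in lines]
```

Call triage() for the embedded samples, or classify() on a raw JSON line taken from the egress gateway pod's logs, to get a verdict dict per request.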

Hello @liorf,

Were you able to make it work with the HTTPS setup?