I’m trying to use istio egressgateway as an HTTPS proxy with TLS PASSTHROUGH for pods that run without Istio’s sidecar.
I’ve used the following guide:
And removed the parts of directing traffic from the mesh gateways, as the pod is not part of the mesh.
Instead, on the pods I’m using the “export https_proxy” and “export http_proxy” commands to direct traffic to the egressgateways.
Here is the configuration:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: ifconfig.co
  namespace: istio-egress
spec:
  hosts:
  - ifconfig.co
  ports:
  - name: http-port
    number: 80
    protocol: HTTP
  - name: tls
    number: 443
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: egressgateway
  namespace: istio-egress
spec:
  selector:
    istio: egressgateway
  servers:
  - hosts:
    - ifconfig.co
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - ifconfig.co
    port:
      name: tls
      number: 443
      protocol: TLS
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ifconfig.co-vs
  namespace: istio-egress
spec:
  gateways:
  - egressgateway
  hosts:
  - ifconfig.co
  http:
  - route:
    - destination:
        host: ifconfig.co
        port:
          number: 80
  tls:
  - match:
    - gateways:
      - egressgateway
      port: 443
      sniHosts:
      - ifconfig.co
    route:
    - destination:
        host: ifconfig.co
        port:
          number: 443
```
HTTP Testing - Works:

```
root@sleep-747df6f4d-bcfgp:/# export https_proxy=http://istio-egressgateway.istio-egress.svc.cluster.local:80
root@sleep-747df6f4d-bcfgp:/# export http_proxy=http://istio-egressgateway.istio-egress.svc.cluster.local:80
root@sleep-747df6f4d-bcfgp:/# curl http://ifconfig.co
3.213.148.211
```

Istio’s access logs:

```json
{"response_flags":"-","upstream_host":"172.67.133.228:80","upstream_cluster":"outbound|80||ifconfig.co","downstream_local_address":"10.190.131.228:8080","upstream_service_time":"108","upstream_transport_failure_reason":null,"duration":108,"bytes_received":0,"user_agent":"curl/7.68.0","downstream_remote_address":"10.190.210.107:44520","route_name":null,"requested_server_name":null,"authority":"ifconfig.co","request_id":"0574a15f-19d1-4f85-ab6a-d32a3b64d599","protocol":"HTTP/1.1","upstream_local_address":"10.190.131.228:38238","path":"/","method":"GET","start_time":"2021-10-19T03:06:01.378Z","bytes_sent":14,"response_code_details":"via_upstream","connection_termination_details":null,"x_forwarded_for":"10.190.210.107","response_code":200}
```
HTTPS Testing - Doesn’t work:

```
root@sleep-747df6f4d-bcfgp:/# curl https://ifconfig.co
curl: (56) Received HTTP code 404 from proxy after CONNECT
```

Istio’s access logs:

```json
{"connection_termination_details":null,"bytes_sent":0,"duration":0,"request_id":"951b6591-4f93-4c2a-bc85-49f96a6d7db2","x_forwarded_for":"10.190.210.107","authority":"ifconfig.co:443","upstream_service_time":null,"user_agent":"curl/7.68.0","response_code_details":"route_not_found","response_code":404,"method":"CONNECT","upstream_local_address":null,"start_time":"2021-10-19T03:07:02.159Z","requested_server_name":null,"downstream_remote_address":"10.190.210.107:48606","upstream_host":null,"response_flags":"NR","route_name":null,"downstream_local_address":"10.190.131.228:8080","path":null,"protocol":"HTTP/1.1","upstream_transport_failure_reason":null,"upstream_cluster":null,"bytes_received":0}
```
```
$ istioctl version
client version: 1.9.0
control plane version: 1.9.0
data plane version: 1.9.0 (17 proxies)
$ kubectl version --short
Client Version: v1.18.9-eks-d1db3c
Server Version: v1.19.13-eks-8df270
```
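The two access-log records above carry the whole diagnosis: the working request is a plain `GET` with authority `ifconfig.co` and path `/`, while the failing one is a forward-proxy `CONNECT` to `ifconfig.co:443` with no path, which the HTTP listener on port 8080 answers with `NR` / `route_not_found`. The following triage script is an added example (not part of the post, and not Istio tooling); it parses Envoy JSON access-log lines, trimmed here from the post's two records as constructed sample input, and flags CONNECT tunnel requests that hit a listener with no matching route.

```python
import json

# Two access-log records trimmed from the post (constructed sample input:
# unrelated fields dropped, the remaining values are as they appear above).
ACCESS_LOGS = """\
{"method":"GET","authority":"ifconfig.co","path":"/","protocol":"HTTP/1.1","response_flags":"-","response_code":200,"response_code_details":"via_upstream","upstream_cluster":"outbound|80||ifconfig.co","downstream_local_address":"10.190.131.228:8080"}
{"method":"CONNECT","authority":"ifconfig.co:443","path":null,"protocol":"HTTP/1.1","response_flags":"NR","response_code":404,"response_code_details":"route_not_found","upstream_cluster":null,"downstream_local_address":"10.190.131.228:8080"}
"""

# Envoy response-flag codes that most often explain a failed egress request.
FLAG_MEANING = {
    "NR": "no route matched on the gateway listener",
    "UF": "upstream connection failure",
    "UH": "no healthy upstream host",
    "UO": "upstream overflow (circuit breaker tripped)",
}

def split_authority(authority):
    """Split an ':authority' value into (host, port); port is None when absent."""
    host, sep, port = (authority or "").rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return authority, None

def triage(line):
    """Classify one JSON access-log record for egress-gateway troubleshooting."""
    rec = json.loads(line)
    host, port = split_authority(rec.get("authority"))
    flags = [f for f in (rec.get("response_flags") or "-").split(",") if f != "-"]
    listener_port = int(rec["downstream_local_address"].rsplit(":", 1)[1])
    result = {
        "method": rec.get("method"),
        "host": host,
        "authority_port": port,
        "listener_port": listener_port,
        "no_route": "NR" in flags,
        "reasons": [FLAG_MEANING.get(f, f) for f in flags],
    }
    if rec.get("method") == "CONNECT":
        # A forward proxy sends "CONNECT host:port" with no path; the listener
        # has to be set up to terminate that tunnel, a host/path HTTP route
        # (like the VirtualService http block above) does not match it.
        result["reasons"].append(
            f"CONNECT tunnel request for {host}:{port} on listener port {listener_port}")
    return result

def triage_log(text):
    """Triage every non-empty JSON line of an access log."""
    return [triage(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for r in triage_log(ACCESS_LOGS):
        status = "NO ROUTE" if r["no_route"] else "ok"
        print(r["method"], r["host"], status, "; ".join(r["reasons"]))
```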