Using Istio Gateway as forward proxy


Hello community,

I am trying to make Istio accept a request with an absoluteURI in the path. The goal is to route requests both to external services (using ServiceEntries) and to services in the mesh. We are using 1.1.0-snapshot.6. I have tried to mask strings that look like links below in order to be able to post this topic.

Using the configuration at the end of this post, I can access the service in a normal fashion:

curl --cacert httpbin,example,com/2_intermediate/certs/ca-chain.cert.pem https:||httpbin,example,com/headers

which gives me the following logs in the ingress gw:

[2019-02-19 10:03:19.670][18][critical][lua] [external/envoy/source/extensions/filters/http/lua/lua_filter.cc:544] script log: The path is: ''/headers'
[2019-02-19T10:03:19.670Z] "GET /headers HTTP/1.1" 200 - "-" 0 622 47 45 "172.20.104.162" "curl/7.62.0" "5e94a4c1-d16e-4c82-8aad-cfc4bed56dc5" "httpbin,example,com" "100.123.42.169:80" outbound|8000||httpbin.default.svc.cluster.local - 100.123.42.136:443 172.20.104.162:57054 httpbin,example,com

Using curl to fire away a request to the same host as if it were a proxy fails with a 404:

curl --cacert httpbin,example,com/2_intermediate/certs/ca-chain.cert.pem --request-target "http:||httpbin,example,com/headers" https:||httpbin,example,com/headers

and the log that follows is:

[2019-02-19T10:02:44.120Z] "GET http:||httpbin,example,com/headers HTTP/1.1" 404 - "-" 0 0 0 - "-" "curl/7.62.0" "-" "httpbin,example,com" "-" - - 100.123.42.136:443 172.20.104.162:57022 httpbin,example,com

As you can see the faulty request is not decorated with the request-id and the lua filter is not triggered. It seems like the request is aborted by the mixer.

Is there a way that I can intercept this request so I can make the necessary changes to the path and other headers, or am I taking the wrong approach altogether?

The configuration is inspired by "Securing Gateways with HTTPS" and looks like the following:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gw
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin,example,com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin,example,com"
  gateways:
  - httpbin-gw
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "httpbin-istio-client-mtls"
spec:
  host: httpbin.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpbin-lua
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - listenerMatch:
      portNumber: 443
      listenerType: GATEWAY
    filterName: envoy.lua
    insertPosition:
      index: FIRST
    filterType: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
          request_handle:logCritical("The path is: '" .. request_handle:headers():get(":path") .. "'")
        end

Thanks,
Petter
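
An added example, not part of the original post: a small Python parser run over the two access-log lines quoted above that classifies each request-target form (RFC 7230 section 5.3) and reports whether a request ID and an upstream cluster were recorded. The field positions are inferred from those two lines only, and the field names and function names are assumptions.

```python
import re

# Access-log lines copied from the post (the post masks "://" as ":||").
LOG_LINES = [
    '[2019-02-19T10:03:19.670Z] "GET /headers HTTP/1.1" 200 - "-" 0 622 47 45 '
    '"172.20.104.162" "curl/7.62.0" "5e94a4c1-d16e-4c82-8aad-cfc4bed56dc5" '
    '"httpbin,example,com" "100.123.42.169:80" '
    'outbound|8000||httpbin.default.svc.cluster.local - 100.123.42.136:443 '
    '172.20.104.162:57054 httpbin,example,com',
    '[2019-02-19T10:02:44.120Z] "GET http:||httpbin,example,com/headers HTTP/1.1" '
    '404 - "-" 0 0 0 - "-" "curl/7.62.0" "-" "httpbin,example,com" "-" - - '
    '100.123.42.136:443 172.20.104.162:57022 httpbin,example,com',
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field or a bare field
# scheme followed by "//"; ":||" is accepted only because the post masks links.
ABSOLUTE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*:(?://|\|\|)')

def target_form(target):
    """Classify an HTTP/1.1 request-target."""
    if target == "*":
        return "asterisk"
    if target.startswith("/"):
        return "origin"
    if ABSOLUTE.match(target):
        return "absolute"
    return "authority"

def parse(line):
    """Split one access-log line; indexes assumed from the post's two lines."""
    tok = [quoted or bare for quoted, bare in TOKEN.findall(line)]
    if len(tok) != 19:
        raise ValueError("unexpected field count: %d" % len(tok))
    method, target, _protocol = tok[1].split(" ", 2)
    dash = lambda v: None if v == "-" else v  # "-" means the field was not set
    return {"method": method, "form": target_form(target), "status": int(tok[2]),
            "request_id": dash(tok[11]), "cluster": dash(tok[14])}

def unrouted_absolute(lines):
    """Requests sent proxy-style (absolute-form) for which no cluster was logged."""
    return [r for r in map(parse, lines)
            if r["form"] == "absolute" and r["cluster"] is None]

if __name__ == "__main__":
    for rec in map(parse, LOG_LINES):
        print(rec)
```
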