I am trying to make Istio accept a request with an absoluteURI in the path. The goal is to route requests both to external services (using ServiceEntries) and to services in the mesh. We are using 1.1.0-snapshot.6. I have tried to mask strings that look like links below in order to be able to post this topic.
Using the configuration at the end of this post I can access the service in a normal fashion:

```
curl --cacert httpbin,example,com/2_intermediate/certs/ca-chain.cert.pem https:||httpbin,example,com/headers
```
which gives me the following logs in the ingress gw:

```
[2019-02-19 10:03:19.670][critical][lua] [external/envoy/source/extensions/filters/http/lua/lua_filter.cc:544] script log: The path is: ''/headers'
[2019-02-19T10:03:19.670Z] "GET /headers HTTP/1.1" 200 - "-" 0 622 47 45 "172.20.104.162" "curl/7.62.0" "5e94a4c1-d16e-4c82-8aad-cfc4bed56dc5" "httpbin,example,com" "100.123.42.169:80" outbound|8000||httpbin.default.svc.cluster.local - 100.123.42.136:443 172.20.104.162:57054 httpbin,example,com
```
Using curl to fire away a request to the same host as if it were a proxy fails with a 404:

```
curl --cacert httpbin,example,com/2_intermediate/certs/ca-chain.cert.pem --request-target "http:||httpbin,example,com/headers" https:||httpbin,example,com/headers
```
and the log that follows is:

```
[2019-02-19T10:02:44.120Z] "GET http:||httpbin,example,com/headers HTTP/1.1" 404 - "-" 0 0 0 - "-" "curl/7.62.0" "-" "httpbin,example,com" "-" - - 100.123.42.136:443 172.20.104.162:57022 httpbin,example,com
```
As you can see, the faulty request is not decorated with the request-id and the Lua filter is not triggered. It seems like the request is aborted by the mixer.
Is there a way that I can intercept this request so I can make the necessary changes to the path and other headers, or am I taking the wrong approach altogether?
The configuration is inspired by the Securing Gateways with HTTPS and looks like the following:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gw
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin,example,com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin,example,com"
  gateways:
  - httpbin-gw
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "httpbin-istio-client-mtls"
spec:
  host: httpbin.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpbin-lua
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - listenerMatch:
      portNumber: 443
      listenerType: GATEWAY
    filterName: envoy.lua
    insertPosition:
      index: FIRST
    filterType: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
          request_handle:logCritical("The path is: '" .. request_handle:headers():get(":path") .. "'")
        end
```
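An added example, not part of the original post and not Istio or Envoy code: a Python model of RFC 7230 request-target handling, showing how the absolute-form target from the second curl command compares against the VirtualService's `uri.prefix` rules when taken literally, and what it normalizes to. The function names and the unmasked sample URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Prefixes copied from the VirtualService in the post.
ROUTE_PREFIXES = ("/status", "/delay", "/headers")

def classify(target):
    """Name the RFC 7230 section 5.3 form of an HTTP/1.1 request-target."""
    if target == "*":
        return "asterisk-form"      # OPTIONS * only
    if target.startswith("/"):
        return "origin-form"        # what curl sends by default
    if "://" in target:
        return "absolute-form"      # what --request-target sent in the post
    return "authority-form"         # CONNECT host:port

def normalize(target, host_header):
    """Return the (authority, path) pair a router should match on.

    For absolute-form, RFC 7230 section 5.4 says the authority in the
    request-target replaces the Host header.
    """
    form = classify(target)
    if form == "origin-form":
        return host_header, target
    if form != "absolute-form":
        raise ValueError("not routable by path: " + form)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("unsupported absolute-form target")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.netloc, path

def route_matches(path):
    """Literal prefix match, modelled on the uri.prefix rules above."""
    return path.startswith(ROUTE_PREFIXES)

def authority_mismatch(target, host_header):
    """True when the target's authority disagrees with the Host header,
    a condition worth logging or rejecting at an ingress."""
    authority, _ = normalize(target, host_header)
    return authority.lower() != host_header.lower()

if __name__ == "__main__":
    # Constructed sample: the post's masked URL written out normally.
    sample = "http://httpbin.example.com/headers"
    print(classify(sample), route_matches(sample))
    print(normalize(sample, "httpbin.example.com"))
```
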