Hello community,
I am trying to make Istio accept a request with an absoluteURI in the path. The goal is to route requests both to external services (using ServiceEntries) and to services in the mesh. We are using 1.1.0-snapshot.6. I have tried to mask strings that look like links below in order to be able to post this topic.
Using the configuration at the end of this post, I can access the service in a normal fashion:
curl --cacert httpbin,example,com/2_intermediate/certs/ca-chain.cert.pem https:||httpbin,example,com/headers
which gives me the following logs in the ingress gw:
[2019-02-19 10:03:19.670][18][critical][lua] [external/envoy/source/extensions/filters/http/lua/lua_filter.cc:544] script log: The path is: ''/headers'
[2019-02-19T10:03:19.670Z] "GET /headers HTTP/1.1" 200 - "-" 0 622 47 45 "172.20.104.162" "curl/7.62.0" "5e94a4c1-d16e-4c82-8aad-cfc4bed56dc5" "httpbin,example,com" "100.123.42.169:80" outbound|8000||httpbin.default.svc.cluster.local - 100.123.42.136:443 172.20.104.162:57054 httpbin,example,com
Using curl to fire away a request to the same host as if it were a proxy fails with a 404:
curl --cacert httpbin,example,com/2_intermediate/certs/ca-chain.cert.pem --request-target "http:||httpbin,example,com/headers" https:||httpbin,example,com/headers
and the log that follows is:
[2019-02-19T10:02:44.120Z] "GET http:||httpbin,example,com/headers HTTP/1.1" 404 - "-" 0 0 0 - "-" "curl/7.62.0" "-" "httpbin,example,com" "-" - - 100.123.42.136:443 172.20.104.162:57022 httpbin,example,com
As you can see the faulty request is not decorated with the request-id and the lua filter is not triggered. It seems like the request is aborted by the mixer.
Is there a way that I can intercept this request so I can make the necessary changes to the path and other headers, or am I taking the wrong approach altogether?
The configuration is inspired by the Securing Gateways with HTTPS and looks like the following
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gw
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin,example,com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin,example,com"
  gateways:
  - httpbin-gw
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "httpbin-istio-client-mtls"
spec:
  host: httpbin.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpbin-lua
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - listenerMatch:
      portNumber: 443
      listenerType: GATEWAY
    filterName: envoy.lua
    insertPosition:
      index: FIRST
    filterType: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
          request_handle:logCritical("The path is: '" .. request_handle:headers():get(":path") .. "'")
        end
Thanks,
Petter
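
The two request-target forms seen in the gateway logs above, as an added example that is not part of the original post and is not Istio or Envoy code: it classifies a request-target per RFC 7230 section 5.3 and rewrites an absolute-form target to origin-form plus the effective host (section 5.4). The function names and the unmasked host `httpbin.example.com` in the sample log lines are assumptions made for the illustration; nothing here describes how the gateway itself handles the request.

```python
import re
from urllib.parse import urlsplit

# Constructed samples modelled on the two gateway log lines above (unmasked).
LOG_OK = '[2019-02-19T10:03:19.670Z] "GET /headers HTTP/1.1" 200 - "-" 0 622 47 45'
LOG_404 = '[2019-02-19T10:02:44.120Z] "GET http://httpbin.example.com/headers HTTP/1.1" 404 - "-" 0 0 0 -'

REQUEST_FIELD = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')

def request_from_log(line):
    """Pull (method, request-target) out of an access-log line."""
    m = REQUEST_FIELD.search(line)
    if m is None:
        raise ValueError("no request field in log line")
    return m.group(1), m.group(2)

def classify_target(method, target):
    """Return the RFC 7230 section 5.3 form of a request-target."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if method == "CONNECT":
        return "authority-form"
    parts = urlsplit(target)
    return "absolute-form" if parts.scheme and parts.hostname else "invalid"

def to_origin_form(method, target, host_header):
    """Return (path, host) for routing. For an absolute-form target the host
    in the target replaces the received Host header (RFC 7230 section 5.4);
    an origin-form target is passed through unchanged."""
    form = classify_target(method, target)
    if form == "origin-form":
        return target, host_header
    if form != "absolute-form":
        raise ValueError(f"cannot rewrite {form} request-target")
    parts = urlsplit(target)
    path = parts.path or "/"  # an empty path in the URI means "/"
    if parts.query:
        path += "?" + parts.query
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    return path, host

if __name__ == "__main__":
    for line in (LOG_OK, LOG_404):
        method, target = request_from_log(line)
        print(classify_target(method, target), to_origin_form(method, target, "httpbin.example.com"))
```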