Closed shibin-george closed 1 year ago
@batchamalick I noticed that you posted a config here that terminated CONNECT and creates tunnel to destination. I am trying basically the same thing but all I get is 404s for some reason. Any ideas on where am I going wrong? Thanks!
Is the port 10010 configured, as in your config the port is 10000?
Oh yeah, 10010 is the kubernetes service's port that exposes the envoy deployment. My envoy port is 10000, and the service's port 10010 gets translated to 10000
I'm not sure what envoy you are running but with the same config you shared I can do the test.
curl -x 127.0.0.1:10000 https://api.ipify.org -v
* Trying 127.0.0.1:10000...
* Connected to 127.0.0.1 (127.0.0.1) port 10000 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to api.ipify.org:443
> CONNECT api.ipify.org:443 HTTP/1.1
> Host: api.ipify.org:443
> User-Agent: curl/7.79.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
My envoy version
envoy --version
envoy version: edd69583372955fdfa0b8ca3820dd7312c094e46/1.23.1/Modified/RELEASE/BoringSSL
cc @alyssawilk
alright, so this is tricky and I don't quite know how to explain this. Here's what is happening:
kubectl expose deployment envoy-forward-proxy --type=LoadBalancer --name=envoy-forward-proxy --port=10010 --target-port=10000
curl -x <envoy public IP>:10010 https://api.ipify.org -v
404
curl -x <envoy cluster IP>:10010 https://api.ipify.org -v
404
istio-proxy sidecar container alongside the envoy container (the istio-proxy sidecar has curl)
curl -x 127.0.0.1:10000 https://api.ipify.org -v
istio-proxy@envoy-forward-proxy-7d68f66c6-ztkgn:/$ curl -x 127.0.0.1:10000 https://api.ipify.org -v
> CONNECT api.ipify.org:443 HTTP/1.1
> Host: api.ipify.org:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< date: Thu, 24 Nov 2022 22:45:30 GMT
< server: envoy
<
> GET / HTTP/1.1
> Host: api.ipify.org
> User-Agent: curl/7.68.0
> Accept: */*
Does this mean envoy forward-proxy is only to be used for traffic coming from sidecar? and not when exposed via a public IP (like how squid can be used)?
Hi @alyssawilk, would you know what's going wrong here? Thanks!
@shibin-george I tested your dynamic forward proxy on a kind cluster with metallb and it works fine. I think you need to configure an access log to find more information. If it won't be helpful, use wireshark to see what happens under the hood. Do you run squid on the same k8s cluster?
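Added example, not part of the thread and not the poster's config: one way to set up the access log suggested above, on the HTTP connection manager of the listener on port 10000. The format string is an assumption, chosen to show per request whether the CONNECT reached this listener, which route matched, and why Envoy answered 404 or 503.

```yaml
# Added example: fragment of the listener's filter chain. Only access_log is
# new; stat_prefix, route_config and http_filters stay as in the existing config.
- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    access_log:
    - name: envoy.access_loggers.stdout
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
        log_format:
          text_format_source:
            # The block scalar keeps the trailing newline: one request per line.
            inline_string: |
              [%START_TIME%] src=%DOWNSTREAM_REMOTE_ADDRESS% "%REQ(:METHOD)% %REQ(:AUTHORITY)% %PROTOCOL%" code=%RESPONSE_CODE% flags=%RESPONSE_FLAGS% details=%RESPONSE_CODE_DETAILS% route=%ROUTE_NAME% upstream=%UPSTREAM_HOST% fail=%UPSTREAM_TRANSPORT_FAILURE_REASON%
# Reading the output (kubectl logs on the envoy container):
#   no line for a curl that got 404 -> the reply was generated before the
#                                      request reached this listener
#   code=404 flags=NR route=-       -> request arrived, but no route matched the
#                                      CONNECT (check the connect_matcher route)
#   code=503 flags=UF or UH         -> route matched, the upstream connection
#                                      failed; details= and fail= give the reason
#   src=                            -> which client used the proxy, worth keeping
#                                      once the listener is reachable on a public IP
```

Comparing the log for the in-pod `curl -x 127.0.0.1:10000` run with the log for the run through the service on port 10010 shows whether both requests arrive at the listener in the same form.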
Does this mean envoy forward-proxy is only to be used for traffic coming from sidecar?
No, it's a general purpose proxy.
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
I'm not sure what envoy you are running but with the same config you shared I can do the test.
curl -x 127.0.0.1:10000 https://api.ipify.org -v
* Trying 127.0.0.1:10000...
* Connected to 127.0.0.1 (127.0.0.1) port 10000 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to api.ipify.org:443
> CONNECT api.ipify.org:443 HTTP/1.1
> Host: api.ipify.org:443
> User-Agent: curl/7.79.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
My envoy version
envoy --version
envoy version: edd69583372955fdfa0b8ca3820dd7312c094e46/1.23.1/Modified/RELEASE/BoringSSL
I've tried your config, but got 503 error:
curl -x http://localhost:10000 https://google.com -v 56 ↵
* Trying 127.0.0.1:10000...
* Connected to localhost (127.0.0.1) port 10000 (#0)
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/8.1.2
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 503 Service Unavailable
< content-length: 22
< content-type: text/plain
< date: Fri, 08 Sep 2023 10:44:20 GMT
< server: envoy
< connection: close
<
* CONNECT tunnel failed, response 503
* Closing connection 0
curl: (56) CONNECT tunnel failed, response 503
my envoy version is
envoy version: c7e8e7356d3a969c1b8e4e1f2687699acd91c6a1/1.26.1/Distribution/RELEASE/BoringSSL
@batchamalick any comment?
Description: I am trying to set up Envoy to act as a forward proxy for my internet-outbound needs. Essentially,
curl -x <Envoy-service's public IP>:<listener port> xyz.com
should result in Envoy starting a TCP tunnel between client (curl) and destination. Here's the config that I'm using:
When I run curl -x IP:10010 https://api.ipify.org -v, here's the output I get:
If the destination is http instead of https, it's still a 404, but a different reason:
My config is borrowed from here but for DFP cluster type. Appreciate any help in figuring out what's going wrong here. squid as forward proxy is working but I don't want to use squid, if I can.