envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

How to access the https server through the tunnel with dynamically set hostname using dynamic metadata #34578

Open littlejiancc opened 1 month ago

littlejiancc commented 1 month ago


Description:

client ----https---- server (image from https://www.zhaohuabing.com/post/2022-09-11-ambient-deep-dive-1/)

If I do not use a dynamically set hostname, but use TCP passthrough and set TLS, it works:

```yaml
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
```

But since internal_upstream needs to be set, there is no place to set TLS:

```json
"transport_socket": {
  "name": "envoy.transport_sockets.internal_upstream",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.transport_sockets.internal_upstream.v3.InternalUpstreamTransport",
    "passthrough_metadata": [
      {
        "kind": {
          "host": {}
        },
        "name": "tunnel"
      }
    ],
    "transport_socket": {
      "name": "envoy.transport_sockets.raw_buffer",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer"
      }
    }
  }
}
```

Envoy config:

```json
{
  "name": "internal_listener",
  "filter_chains": [
    {
      "filters": [
        {
          "name": "tcp",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
            "stat_prefix": "tcpproxy",
            "cluster": "external_proxy_cluster",
            "access_log": [
              {
                "name": "envoy.access_loggers.file",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
                  "path": "logs/proxy.log"
                }
              }
            ],
            "tunneling_config": {
              "hostname": "%DYNAMIC_METADATA(tunnel:address)%"
            }
          }
        }
      ]
    }
  ],
  "internal_listener": {}
}
```

```json
{
  "version_info": "8",
  "cluster": {
    "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
    "name": "external_proxy_cluster",
    "type": "STRICT_DNS",
    "connect_timeout": "10s",
    "lb_policy": "RING_HASH",
    "ring_hash_lb_config": {
      "hash_function": "MURMUR_HASH_2"
    },
    "load_assignment": {
      "cluster_name": "external_proxy_cluster",
      "endpoints": [
        {
          "lb_endpoints": [
            {
              "endpoint": {
                "address": {
                  "socket_address": {
                    "address": "forward.proxy.svc",
                    "port_value": 80
                  }
                },
                "hostname": "forward.proxy.svc"
              }
            }
          ]
        }
      ]
    }
  },
  "last_updated": "2024-06-06T09:58:30.716Z"
}
```

```json
{
  "version_info": "6",
  "cluster": {
    "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
    "name": "cluster1",
    "connect_timeout": "10s",
    "lb_policy": "RING_HASH",
    "ring_hash_lb_config": {
      "hash_function": "MURMUR_HASH_2"
    },
    "transport_socket": {
      "name": "envoy.transport_sockets.internal_upstream",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.internal_upstream.v3.InternalUpstreamTransport",
        "passthrough_metadata": [
          {
            "kind": {
              "host": {}
            },
            "name": "tunnel"
          }
        ],
        "transport_socket": {
          "name": "envoy.transport_sockets.raw_buffer",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer"
          }
        }
      }
    },
    "load_assignment": {
      "cluster_name": "cluster1",
      "endpoints": [
        {
          "lb_endpoints": [
            {
              "endpoint": {
                "address": {
                  "envoy_internal_address": {
                    "server_listener_name": "internal_listener"
                  }
                }
              },
              "metadata": {
                "filter_metadata": {
                  "tunnel": {
                    "address": "192.168.88.10:443"
                  }
                }
              }
            }
          ]
        }
      ]
    }
  },
  "last_updated": "2024-06-06T09:58:30.713Z"
}
```

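The config above only works if the metadata path is consistent end to end: the endpoint's `filter_metadata.tunnel.address` must be listed in `passthrough_metadata` with kind `host`, the endpoint must target the internal listener, and the value must be a valid `host:port` because it becomes the CONNECT authority sent to the forward proxy. The following script, added here as an example (it is neither from the issue nor from the Envoy project), checks exactly that over constructed, trimmed copies of cluster1 and the internal listener shown in the issue.

```python
import re

METADATA_REF = re.compile(r"%DYNAMIC_METADATA\(([^:)]+):([^)]+)\)%")
HOST_PORT = re.compile(r"[^\s:/]+:\d{1,5}")  # the value becomes the CONNECT authority verbatim

INTERNAL_LISTENER = {  # constructed, trimmed copy of the issue's internal listener
    "name": "internal_listener",
    "filter_chains": [{"filters": [{"name": "tcp", "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
        "tunneling_config": {"hostname": "%DYNAMIC_METADATA(tunnel:address)%"}}}]}],
}
CLUSTER1 = {  # constructed, trimmed copy of cluster1 from the issue
    "name": "cluster1",
    "transport_socket": {"name": "envoy.transport_sockets.internal_upstream", "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.internal_upstream.v3.InternalUpstreamTransport",
        "passthrough_metadata": [{"kind": {"host": {}}, "name": "tunnel"}]}},
    "load_assignment": {"endpoints": [{"lb_endpoints": [{
        "endpoint": {"address": {"envoy_internal_address": {"server_listener_name": "internal_listener"}}},
        "metadata": {"filter_metadata": {"tunnel": {"address": "192.168.88.10:443"}}}}]}]},
}


def tunnel_hostname_ref(listener):  # -> (namespace, key) read by the tunneling hostname, or None
    for f in (f for chain in listener["filter_chains"] for f in chain["filters"]):
        cfg = f["typed_config"]
        if cfg["@type"].endswith("tcp_proxy.v3.TcpProxy"):
            m = METADATA_REF.fullmatch(cfg.get("tunneling_config", {}).get("hostname", ""))
            return m.groups() if m else None
    return None


def check_tunnel_metadata(cluster, listener):
    """List gaps on the path endpoint metadata -> internal_upstream -> listener; [] means consistent."""
    ref = tunnel_hostname_ref(listener)
    if ref is None:
        return ["tunneling_config.hostname does not reference %DYNAMIC_METADATA(ns:key)%"]
    ns, key = ref
    ts = cluster.get("transport_socket", {}).get("typed_config", {})
    if not ts.get("@type", "").endswith("InternalUpstreamTransport"):
        return ["cluster transport_socket is not envoy.transport_sockets.internal_upstream"]
    findings = []
    # Only host-kind metadata under a listed name is copied onto the internal connection.
    if ns not in {p["name"] for p in ts.get("passthrough_metadata", []) if "host" in p.get("kind", {})}:
        findings.append(f"passthrough_metadata has no host-kind entry named '{ns}'")
    for ep in (e for g in cluster["load_assignment"]["endpoints"] for e in g["lb_endpoints"]):
        if ep["endpoint"]["address"].get("envoy_internal_address", {}).get("server_listener_name") != listener["name"]:
            findings.append("endpoint does not target the internal listener")
        value = ep.get("metadata", {}).get("filter_metadata", {}).get(ns, {}).get(key)
        if not isinstance(value, str) or not HOST_PORT.fullmatch(value):
            findings.append(f"endpoint metadata {ns}:{key} missing or not host:port")
    return findings
```

Run `check_tunnel_metadata` against the cluster and listener objects pulled from a config dump; an empty list means the hostname substitution can resolve, so the remaining question is only where TLS is originated.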

adisuissa commented 1 month ago

cc @kyessenov @alyssawilk as internal-upstream code-owners.

alyssawilk commented 1 month ago

There are lots of ways this could be misconfigured, and as far as we know Envoy does the right thing. I think you'll have to just debug your particular use case, sorry.

littlejiancc commented 1 month ago

@alyssawilk Hi, thanks for your reply. I know Envoy does the right thing, but I read the Envoy documentation and found that transport_socket does not support setting envoy.transport_sockets.internal_upstream and envoy.transport_sockets.tls at the same time.

github-actions[bot] commented 6 hours ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.