envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Unable to get original_dst Envoy configuration to work for routing outbound connections #35437

Closed kpramesh2212 closed 2 months ago

kpramesh2212 commented 2 months ago

Hello Envoy Team,

I am attempting to configure Envoy to route all outbound connections through an Envoy proxy using the original_dst cluster type. Despite following the available documentation and various examples, I am unable to get this configuration to work as expected.

Envoy version: v1.30.4

Envoy configuration

admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 10000
static_resources:
  listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 9000
      transparent: true
      filter_chains:
        - filters:
            - name: envoy.filters.network.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: egress_tcp
                cluster: original-dst-cluster
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /tmp/tcp_access.log
                      log_format:
                        text_format: "[%START_TIME%] \"%DOWNSTREAM_REMOTE_ADDRESS% -> %UPSTREAM_REMOTE_ADDRESS%\" \"%DOWNSTREAM_WIRE_BYTES_RECEIVED% bytes received from downstream, %DOWNSTREAM_WIRE_BYTES_SENT% bytes sent to downstream\" \"%UPSTREAM_WIRE_BYTES_SENT% bytes sent to upstream, %UPSTREAM_WIRE_BYTES_RECEIVED% bytes received from upstream\" \"termination_reason=%CONNECTION_TERMINATION_DETAILS%\"\n"

      listener_filters:
        - name: envoy.filters.listener.original_dst
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
  clusters:
    - name: original-dst-cluster
      type: ORIGINAL_DST
      lb_policy: CLUSTER_PROVIDED
      connect_timeout: 10s
      dns_lookup_family: V4_ONLY

Docker Compose file

version: '2'

services:
  sleep:
    container_name: sleep
    build: .
    privileged: true
    ports:
      - "10000:10000"
    cap_add:
      - NET_ADMIN
      - NET_RAW

  envoy:
    container_name: envoy
    image: envoyproxy/envoy:v1.30-latest
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: service:sleep
    depends_on:
      - sleep
    volumes:
      - ./envoy:/etc/envoy/
      - ./utils:/utils

Dockerfile

FROM ubuntu
RUN apt update && apt install -y iptables nano iputils-ping curl net-tools dnsutils
CMD ["sleep", "365d"]

iptables rule

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 9000

Output (before running iptables rule)

docker exec -it sleep bash

[screenshot of the output attached in the original issue]

Output (after running iptables rule)

docker exec -it sleep bash
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 9000

[screenshot of the output attached in the original issue]

I am literally following the instructions in this document: https://venilnoronha.medium.com/introduction-to-original-destination-in-envoy-d8a8aa184bb6

My primary goal is to route all outbound TCP traffic through Envoy.

Request for Assistance

I kindly request your help in identifying any issues or missing configurations that could be preventing the original_dst routing from functioning correctly. Are there any additional steps or configurations required to achieve the desired routing behavior?

Thank you very much for your time and assistance. I look forward to your guidance.

Regards, Ramesh

yanavlasov commented 2 months ago

Please do a bit more debugging. I.e. enable and collect Envoy logs to see if it is receiving connections.

kpramesh2212 commented 2 months ago

> Please do a bit more debugging. I.e. enable and collect Envoy logs to see if it is receiving connections.

@yanavlasov Thank you for your quick response.

I have enabled debug logging and access logging in Envoy. I can confirm that connections are reaching Envoy, as indicated by the access logs. However, I am having difficulty interpreting the debug logs to understand what might be going wrong.

I have tried to connect to another URL. [screenshot attached in the original issue]

Please find the attached logs: envoy.log, tcp_access.log

Any assistance would be of great help.

Thank you once again for taking the time to review this.

kpramesh2212 commented 2 months ago

I am also attaching the trace logs here [Uploading envoy-trace.log…]() tcp_access.log

kpramesh2212 commented 2 months ago

@yanavlasov

Thank you for taking the time to review my issue. I’ve added additional details and logs that might help in diagnosing the problem. If there are any specific details or configurations you need, please let me know. I’m happy to provide any additional information or tests that could help resolve this.

yanavlasov commented 2 months ago

I do not see anything wrong with the Envoy. I'm sorry I can not provide more insight into this. You may also want to ask on the envoy-users Slack channel.

kpramesh2212 commented 2 months ago

@yanavlasov Thank you for your support. I finally figured out the root cause.

The problem was with the iptables rules.

Basically, the rule

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 9000

was also redirecting Envoy's own outbound traffic back to Envoy itself, causing the traffic to go in a loop.

The fix was to not redirect traffic originating from Envoy.
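The loop described above comes from the fact that Envoy's upstream connection to the original destination is itself a locally generated TCP packet to port 80, so the unconditional REDIRECT in the nat OUTPUT chain sends it straight back to the listener on 9000. The script below is an added example, not part of the issue or of the Envoy project; it shows one common way to exempt Envoy's own traffic, matching on the uid Envoy runs as with the `owner` match. The uid (ENVOY_UID, default 1337), the listener port (9000), the captured port (80) and the chain name ENVOY_OUTPUT are assumptions; the uid must be set to whatever user the Envoy process actually runs as in your container.

```shell
#!/bin/sh
# Added example (not from the issue or from Envoy): nat OUTPUT rules that
# redirect outbound TCP/80 to Envoy's listener while leaving Envoy's own
# upstream connections alone, which is what the original single rule did not do.
#
# Assumptions: Envoy runs as uid ENVOY_UID; the listener is on ENVOY_PORT;
# only CAPTURE_PORT is intercepted. Loopback traffic is also exempted so that
# local-only connections are never bounced through the proxy.
ENVOY_UID="${ENVOY_UID:-1337}"
ENVOY_PORT="${ENVOY_PORT:-9000}"
CAPTURE_PORT="${CAPTURE_PORT:-80}"

# Print the rules, one iptables argument list per line, in the order they must
# be installed. Order matters: the RETURN for Envoy's uid has to come before
# the REDIRECT, otherwise Envoy's connect() to the original destination is
# redirected to port 9000 and the connection loops.
redirect_rules() {
    cat <<EOF
-t nat -N ENVOY_OUTPUT
-t nat -A OUTPUT -p tcp -j ENVOY_OUTPUT
-t nat -A ENVOY_OUTPUT -m owner --uid-owner ${ENVOY_UID} -j RETURN
-t nat -A ENVOY_OUTPUT -o lo -j RETURN
-t nat -A ENVOY_OUTPUT -p tcp --dport ${CAPTURE_PORT} -j REDIRECT --to-ports ${ENVOY_PORT}
EOF
}

# Loop-safety check run before applying: every REDIRECT line must be preceded
# by a uid-owner RETURN. Returns 0 when the rule set is safe, 1 otherwise.
check_rules() {
    redirect_rules | awk '
        /--uid-owner/ && /RETURN/ { seen_return = 1 }
        /REDIRECT/ && !seen_return { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Install the rules. Needs CAP_NET_ADMIN, e.g. inside the "sleep" container
# from the issue, whose network namespace Envoy shares.
apply_rules() {
    redirect_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        iptables $rule
    done
}

case "${1:-print}" in
    apply) check_rules && apply_rules ;;
    *)     redirect_rules ;;
esac
```

Run it with no arguments to review the generated rules, or with `apply` to install them; the `owner` match only exists for locally generated packets, which is exactly the OUTPUT-chain case here. The original_dst listener filter still sees the pre-REDIRECT destination via SO_ORIGINAL_DST, so the Envoy configuration from the issue does not need to change.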