[英]How to configure istio (or envoy) to act as a forward proxy
我有一個正在運行的 nginx 服務器,它的配置相對簡單(僅包括相關部分):
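http {
  server {
    listen 8888;
    server_name ~.+;
    gzip on;

    # Host allow-list, anchored and with the dots escaped. The original pattern
    # "(domain1.com)|(domain2.net)" was unanchored, so any Host that merely
    # *contained* such a substring (e.g. domain1.com.attacker.example) was let
    # through, which turns the allow-list into an open proxy. Matching is
    # case-insensitive because host names are; an optional :port is accepted
    # because proxy_pass below forwards to whatever port the Host header carries.
    set $allowed false;
    if ($http_host ~* "^(domain1\.com|domain2\.net)(:[0-9]+)?$") {
      set $allowed true;
    }
    if ($allowed = false) {
      # 'return' ends request processing; the 'break' that followed it in the
      # original was unreachable.
      return 403;
    }

    # CONNECT support comes from ngx_http_proxy_connect_module. Its own
    # proxy_connect_allow port list governs tunnelled connections (module
    # default is "443 563"); keep it to what the clients actually need so the
    # tunnel cannot be used to reach arbitrary host:port pairs.
    proxy_connect;
    proxy_connect_allow 443;
    proxy_max_temp_file_size 0;
    # Upstream names come from the client's Host header, so they are resolved
    # per request. This is plain (unencrypted) DNS to a public resolver; point
    # it at a resolver you control if upstream names must not leave the host.
    resolver 8.8.8.8;

    location / {
      # Only reached for hosts that passed the allow-list above.
      proxy_pass http://$http_host;
      proxy_set_header Host $http_host;
    }
  }
}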
所以基本上，如果客戶端連接到允許清單中的其中一個網域，回應就會被串流回去。我很難在 Envoy 中達到同樣的效果：無論我怎麼做，要麼完全不起作用，要麼不轉發靜態內容。我遇到的另一個問題是，如果把筆記型電腦設定成使用 Envoy 作為代理，就完全不起作用（也就是說，直接連到 domain1.com 可以，但若改用 Envoy 作為代理去連同一個站台就會逾時），而上面的 nginx 設定作為代理是可以用的。
我的實際目標是 Istio，但我很有信心只要弄清楚 Envoy 的部分，就可以把它移植到 Istio。
編輯:用於轉發但不作為代理工作的示例 istio 配置
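---
# Istio resources that take plain HTTP on the ingress gateway (port 80) and
# forward it to an external TLS endpoint (test.domain.com:443), originating
# TLS at the gateway.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: fwd
  namespace: default
spec:
  selector:
    istio: ingressgateway  # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      # Plain HTTP, answered for every host name. The VirtualService below only
      # binds source.domain.com, so other hosts get a 404 from the gateway;
      # narrow this list if the gateway should not listen for arbitrary hosts.
      hosts:
        - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: fwd
  namespace: default
spec:
  hosts:
    - test.domain.com
  ports:
    - number: 443
      name: tls
      protocol: tls
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: fwd
  namespace: default
spec:
  hosts:
    - source.domain.com
  gateways:
    - fwd
  http:
    - match:
        - gateways:
            - fwd
          port: 80
          uri:
            prefix: /
      route:
        - destination:
            host: test.domain.com
            port:
              number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: fwd
  namespace: default
spec:
  host: test.domain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: SIMPLE
          # Server name to send in the TLS handshake; many endpoints refuse or
          # mis-route connections without SNI, and it is what the returned
          # certificate is checked against.
          sni: test.domain.com
          # CA bundle used to verify the upstream certificate. With neither
          # caCertificates nor credentialName set, some Istio versions
          # originate TLS without verifying the server at all, so keep one of
          # them set. This path is the gateway image's system bundle; adjust
          # it if you mount your own CA.
          caCertificates: /etc/ssl/certs/ca-certificates.crt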
編輯 2：找到的 Envoy 範例設定（注意：這只是範例，並不能作為轉發代理使用——下面的 cluster 沒有任何 endpoint，"type": "SIMPLE" 也不是 Envoy 支援的 cluster 類型）
{
"admin": {
"access_log_path": "/tmp/admin_access.log",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 9901
}
}
},
"static_resources": {
"clusters": [
{
"name": "backend",
"type": "SIMPLE",
"connect_timeout": "0.25s",
"lb_policy": "ROUND_ROBIN",
"max_requests_per_connection": 1024,
"max_retries": 3,
"http2_protocol_options": {}
}
],
"listeners": [
{
"name": "listener_0",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 8000
}
},
"filter_chains": [
{
"filters": [
{
"name": "envoy.http_connection_manager",
"config": {
"codec_type": "auto",
"stat_prefix": "ingress_http",
"route_config": {
"virtual_hosts": [
{
"name": "backend",
"domains": [
"*"
],
"routes": [
{
"match": {
"prefix": "/"
},
"route": {
"cluster": "backend"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.router",
"config": {
"use_remote_address": true,
"dynamic_route_config": {
"grpc_service": {
"envoy_grpc": {
"cluster_name": "backend"
}
}
}
}
}
]
}
}
]
}
]
}
]
}
}
啟用 Istio 的 pod 的出站流量預設會被重新導向到其 sidecar 代理，因此要存取叢集外部的 URL，需要對代理的設定做一些修改。Istio（以及 Envoy）的預設設定會直接放行往未知外部服務的流量；雖然這是開始使用 Istio 最簡單的方式，但從安全角度來看，建議改為嚴格的出站策略，只允許明確登記過的外部服務。
Istio 官方文件「Accessing External Services」詳細說明了以不同方式存取外部服務的做法，請參閱該文件以獲取更多資訊。
Kranthiveer Dontineni
提供的答案幾乎有效（注意：下面這個範例沒有任何主機允許清單——virtual host 的 domains 是 "*"，而 "/" 路由直接送往 dynamic forward proxy cluster——所以任何能連到監聽埠的客戶端都可以透過它存取任意主機；原本 nginx 設定裡的允許清單需要自行補回）：
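# Envoy as an HTTP forward proxy (dynamic_forward_proxy): the upstream is
# resolved from each request's Host header. The published sample had no host
# allow-list, so anyone who could reach the listener could use it to fetch from
# arbitrary hosts (open proxy / SSRF). The virtual hosts below restore the
# allow-list semantics of the nginx config in the question.
admin:
  address:
    socket_address:
      protocol: TCP
      # Admin API stays loopback-only: it can dump config, drain listeners and
      # change log levels.
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          protocol: TCP
          # Listens on all interfaces. Restrict who can reach it at the network
          # level; the allow-list below only limits *where* it forwards.
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    # Only these Host / :authority values are forwarded. The
                    # "host:*" entries are Envoy prefix wildcards so a request
                    # carrying an explicit port (e.g. domain1.com:8443) still
                    # matches; drop them if only the default port may be used.
                    - name: allowed_hosts
                      domains:
                        - "domain1.com"
                        - "domain1.com:*"
                        - "domain2.net"
                        - "domain2.net:*"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: dynamic_forward_proxy_cluster
                    # Every other host gets 403, as in the nginx config. The
                    # sample's /force-host-rewrite route was dropped: a
                    # host_rewrite_literal there would forward a request that
                    # passed the allow-list to a host outside it.
                    - name: denied_hosts
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          direct_response:
                            status: 403
                http_filters:
                  - name: envoy.filters.http.dynamic_forward_proxy
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
                      dns_cache_config:
                        name: dynamic_forward_proxy_cache_config
                        dns_lookup_family: V4_ONLY
                        typed_dns_resolver_config:
                          name: envoy.network.dns_resolver.cares
                          typed_config:
                            "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
                            # Plain (unencrypted) DNS to a public resolver,
                            # over TCP. Point this at a resolver you control
                            # if upstream names must not leak off-host.
                            resolvers:
                              - socket_address:
                                  address: "8.8.8.8"
                                  port_value: 53
                            dns_resolver_options:
                              use_tcp_for_dns_lookups: true
                              no_default_search_domain: true
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: dynamic_forward_proxy_cluster
      lb_policy: CLUSTER_PROVIDED
      cluster_type:
        name: envoy.clusters.dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
          # The cache is shared with the HTTP filter by name; keep this block
          # identical to the filter's dns_cache_config.
          dns_cache_config:
            name: dynamic_forward_proxy_cache_config
            dns_lookup_family: V4_ONLY
            typed_dns_resolver_config:
              name: envoy.network.dns_resolver.cares
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
                resolvers:
                  - socket_address:
                      address: "8.8.8.8"
                      port_value: 53
                dns_resolver_options:
                  use_tcp_for_dns_lookups: true
                  no_default_search_domain: true
      # There is a single transport socket with no match rules, so every
      # upstream connection is TLS and the server certificate is verified
      # against the system CA bundle — i.e. HTTP in, HTTPS out, for all hosts.
      # SNI / SAN validation derived from the request Host is applied by the
      # dynamic forward proxy cluster in recent Envoy versions unless
      # allow_insecure_cluster_options is set; confirm against your version.
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            validation_context:
              trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}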