Do DNS lookup based on a header different than host


gabriel

Sep 22, 2022, 10:15:47 AM
to envoy-users
Hi,
I'm wondering if there is a way to do a DNS lookup in a cluster based on a header different than host.

Some context about this, I want to resolve the DNS based on a local K8s name, e.g. my-service.default.svc.cluster.local but use a different value in the host header so the server can present the proper certificate, e.g. `host: my-service.gabriel.com.ar`.
I've actually achieved this by using SNI: I just use the host header for the DNS lookup and a different header for SNI. The request will look like this:
host: my-service.default.svc.cluster.local

And the cluster is configured with override_auto_sni_header
https://gist.github.com/gabrielgiussi/95fb884deac967460135c9c6c8abbe7d

This is working but jetty has a check by default that will return a 400 if the SNI value is different to the host header. Of course this can be disabled but I was wondering if there is a way to do the DNS lookup using something different than the host header so I can leave this check enabled.

BTW, should I be using https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter instead of the configuration from the gist?
It isn't clear to me what it means by
"The following config doesn’t terminate TLS in listener, so there is no need to configure TLS context in cluster. The TLS handshake is passed through by Envoy."

Thanks

Yan Avlasov

Sep 26, 2022, 10:18:26 AM
to gabriel, envoy-users
I assume you are using dynamic forwarding proxy (DFP). I don't think you can accomplish something like that with DFP. But if you do not have a lot of k8s clusters you can just create a routing table that routes requests with specific host values to the corresponding Envoy clusters configured with DNS names of k8s clusters.


Gabriel Giussi

Sep 26, 2022, 1:18:25 PM
to Yan Avlasov, envoy-users
Thanks for the answer Yan.
I'm indeed using dynamic forwarding proxy.
I have a single k8s cluster, so that is not the issue, but the number of services in that one cluster is large, and if I understood correctly I will need a cluster configured with strict or logical DNS for each one of those services, so I guess DFP is a better option in terms of configuration complexity.

Yan Avlasov

Sep 27, 2022, 9:44:12 AM
to Gabriel Giussi, envoy-users
Yes, a more common approach is to isolate each service into its own cluster. Your use case is not currently supported as Envoy does not allow overwriting the host header. You can file an issue on GitHub with your use case and see if this restriction can be relaxed. Or perhaps someone can come up with an alternative solution.
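As an added illustration of the routing-table approach Yan describes (this is not the configuration from the gist in the thread, and not code from the Envoy project itself), the Envoy v3 config below routes on the unmodified `host` header to a STRICT_DNS cluster whose endpoint is the in-cluster Kubernetes name. Because the host header is never rewritten, the value Jetty sees matches the SNI sent by the upstream TLS transport socket, so Jetty's host/SNI consistency check stays enabled. The listener port, the CA bundle path and the `V4_ONLY` lookup family are assumptions; the hostnames are the ones from the thread.

```yaml
# Added example: one static route + one STRICT_DNS cluster per service.
# Hostnames come from the thread; port, CA path and lookup family are assumed.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }   # assumed port
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: route_by_host
            virtual_hosts:
            # The client's `host` header selects the cluster and is forwarded unchanged.
            - name: my-service
              domains: ["my-service.gabriel.com.ar"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: my-service }
  clusters:
  # DNS resolution uses the in-cluster name, independent of the host header.
  - name: my-service
    type: STRICT_DNS
    dns_lookup_family: V4_ONLY          # assumed; drop if the cluster is dual-stack
    load_assignment:
      cluster_name: my-service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: my-service.default.svc.cluster.local
                port_value: 443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        # SNI equals the public name, so it matches the forwarded host header.
        sni: my-service.gabriel.com.ar
        common_tls_context:
          validation_context:
            trusted_ca:
              filename: /etc/ssl/certs/ca-certificates.crt   # assumed CA bundle path
            # Pin the expected SAN so a certificate for a different name is rejected
            # even though the TCP connection goes to the internal DNS name.
            match_typed_subject_alt_names:
            - san_type: DNS
              matcher: { exact: my-service.gabriel.com.ar }
```

Each additional service needs its own virtual host entry and cluster, which is the configuration growth the thread weighs against the dynamic forward proxy. The `match_typed_subject_alt_names` block is the part worth keeping in any variant: without it, Envoy only verifies the chain against the CA, not that the certificate was issued for the name in SNI.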