Envoy upstream - backend service behind corporate proxy


josef glemba

Mar 30, 2021, 6:28:14 PM
to envoy-dev
Hello Envoy guys,

I may need help with configuring Envoy to route requests to backend through another proxy.
Envoy used: 1.17.1

If in the envoy container I do "curl" to google.com, it gets correctly routed through b2b proxy, as the endpoint is configured in http_proxy environment variable.

I have tried to follow the manual on:

So I copied the envoy configuration for static_resources and clusters, and anything I try to change there just does not work.

1)
original config from git does not work (that I kind of expected)

2)
changing values in

hostname: host.com:443
&
address: 127.0.0.1
port_value: 10001

to google.com:443 and address:port of the proxy does not work, no matter where I put the respective values.


So, the question would be:
Is it even possible for envoy to receive a classic http request, take it and use the corporate proxy to reach the backend, then return the response to the client?
And, if it is possible and I am just lacking knowledge - how can I configure the envoy for it, please?

Thank you very much, looking forward to any feedback (as I am at a dead end ;0) ).

Regards,

Josef

Zizon Qiu

Mar 30, 2021, 9:52:47 PM
to josef glemba, envoy-dev


josef glemba

Mar 31, 2021, 2:53:42 AM
to envoy-dev
Hi,
I am not sure how I could use this for setting the envoy to use the corporate proxy to reach the backend?

Appreciate the tip.

Regards,

Josef

Zizon Qiu

Mar 31, 2021, 11:09:55 AM
to josef glemba, envoy-dev

The following config is modified from the example config, removing https support.
Replace $variable with your actual ip & port.

The important part is:
1. two http filters, with dynamic_forward_proxy coming first.
2. the dynamic_forward_proxy filter resolves the host and adds it to the dynamic_forward_proxy_cluster host map.
3. the router routes to the host according to the header field and the dns resolution at step 2.
4. the name of dns_cache_config should match in both the filter and the cluster part.
5. the filter name envoy.filters.http.dynamic_forward_proxy is required as it is; you cannot change it to an arbitrary one.

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: $expose_proxy_front_ip
        port_value: $port
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: dynamic_forward_proxy_cluster
          http_filters:
          - name: envoy.filters.http.dynamic_forward_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
              dns_cache_config:
                name: dynamic_forward_proxy_cache_config
                dns_lookup_family: V4_ONLY
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dynamic_forward_proxy_cluster
    connect_timeout: 1s
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
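
A check for points 1, 4 and 5 of the list in the message above, as an added example that is not part of the original thread. It assumes the bootstrap has already been parsed into a dict; the function names `check`, `cluster_caches` and `sample` are hypothetical, and the sample bootstrap is constructed to mirror the shape of the posted config.

```python
# Added example (not from the thread): lint an Envoy bootstrap, parsed into a
# dict, against points 1, 4 and 5 of the list above.
DFP_FILTER = "envoy.filters.http.dynamic_forward_proxy"
ROUTER = "envoy.filters.http.router"
HCM = "envoy.filters.network.http_connection_manager"
DFP_CLUSTER = "envoy.clusters.dynamic_forward_proxy"


def cluster_caches(bootstrap):
    """dns_cache_config names declared by dynamic forward proxy clusters."""
    out = set()
    for cluster in bootstrap["static_resources"].get("clusters", []):
        ctype = cluster.get("cluster_type", {})
        if ctype.get("name") == DFP_CLUSTER:
            out.add(ctype["typed_config"]["dns_cache_config"]["name"])
    return out


def check(bootstrap):
    """Return a list of problems; an empty list means all three points hold."""
    problems, caches = [], cluster_caches(bootstrap)
    for listener in bootstrap["static_resources"].get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for nf in chain.get("filters", []):
                if nf.get("name") != HCM:
                    continue
                filters = nf["typed_config"].get("http_filters", [])
                names = [f.get("name") for f in filters]
                if DFP_FILTER not in names:
                    problems.append("filter name must be exactly " + DFP_FILTER)
                    continue
                i = names.index(DFP_FILTER)
                if ROUTER not in names or i > names.index(ROUTER):
                    problems.append("dynamic_forward_proxy must come before router")
                cache = filters[i]["typed_config"]["dns_cache_config"]["name"]
                if cache not in caches:
                    problems.append("dns cache %r not declared by any cluster" % cache)
    return problems


def sample(filter_names, filter_cache, cluster_cache):
    """Constructed minimal bootstrap with the same shape as the posted config."""
    cfg = lambda cache: {"dns_cache_config": {"name": cache}}
    hcm = {"http_filters": [{"name": n, "typed_config": cfg(filter_cache)} for n in filter_names]}
    return {"static_resources": {
        "listeners": [{"filter_chains": [{"filters": [{"name": HCM, "typed_config": hcm}]}]}],
        "clusters": [{"cluster_type": {"name": DFP_CLUSTER, "typed_config": cfg(cluster_cache)}}]}}
```
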

josef glemba

Mar 31, 2021, 6:13:49 PM
to envoy-dev
Hi,

I have tried the configuration you kindly provided, and maybe I am using it badly, or maybe I did not describe my issue clearly :-)

1. used your config (in envoy version 1.17.1) - configured the listener to 127.0.0.1:10000
2. did "curl" command as: curl -i -v -k http://localhost:10000/ -H "HOST:www.google.com"
3. obtained response 503 - service unavailable (upstream connect error or disconnect/reset before headers. reset reason: local reset)..

Please let me validate the solution I seek:

Summary:
Reach the google.com service via envoy exposed url, envoy accepts classic http request to specific path, and sends it to google.com via b2b  corporate proxy.

Highlights:

- I would be running only one Envoy instance as "api gateway" (high level description..) in openshift (one pod..)

- Envoy pod is containing environment variables; 
http_proxy=http://b2b.mycompany.com:2222, https_proxy=http://b2b.mycompany.com:2222, no_proxy=localhost, 127.0.0.1, dmz.machine.1.mycompany.com

- b2b.mycompany.com:2222 is an http proxy maintained by the network team, and it is required to be used for communication originating from the internal network and targeting an external network; in my case, my target service will be https://www.google.com/translate -> google.com is enabled on the b2b proxy to be reachable.

- if I then do a request, inside the envoy pod, just as "curl -k https://www.google.com/translate", I get a successful response (301)

FLOW: curl -k https://www.google.com/translate... -> it gets recognized to be routed via b2b proxy  thanks to environment proxy variables -> b2b proxy -> google service

- I would then "insert" between the curl and b2b proxy the envoy. 

The envoy would contain configuration for /translate path to be routed to target service via b2b proxy.
Running the curl command against locally running envoy would be reaching the envoy directly.
The envoy then recognizes the request to be routed via b2b proxy to target service.
Expected response is the same (301) response as in previous case.

FLOW: curl http://localhost:envoyport/translate -> gets routed to envoy -> envoy accept the http request and send the request to google.com via b2b proxy -> b2b proxy -> google service

==> I need help with the " envoy accept the http request and send the request to google.com via b2b proxy ". Is it possible?

Thank you very much, really!

Josef