Original dst redirection through PROXY protocol

sum...@apporbit.com

May 18, 2018, 6:02:08 AM
to envoy-users
Hi,

I was looking at how Istio uses Envoy as sidecar proxies in its service mesh by redirecting all incoming and outgoing traffic of an app to Envoy on a particular port using iptables REDIRECT. The corresponding Envoy listener then hands off the connection to the listener for the original destination since "use_original_dst" is enabled. 
Is a similar behavior available for the "use_proxy_proto" option? From the docs, it seems that the PROXY protocol is used only to determine the remote address of the connection. But would the connection be handed off to the appropriate listener based on the original destination communicated via the PROXY protocol as in the case of SO_ORIGINAL_DST above?

Thanks,
Sumeet

Matt Klein

May 18, 2018, 1:52:46 PM
to sum...@apporbit.com, envoy-users, Piotr Sikora
+Piotr

This is not possible today, but it should become possible once full filter chain matching semantics are implemented. (Since the proxy proto listener filter would just change the connection addresses prior to matching).

Thanks,
Matt

--
You received this message because you are subscribed to the Google Groups "envoy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to envoy-users+unsubscribe@googlegroups.com.
To post to this group, send email to envoy...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/envoy-users/e0008d71-a282-48a3-9435-8a1b941a9342%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.




sum...@apporbit.com

May 24, 2018, 12:27:19 AM
to envoy-users
Thanks for the confirmation.

Is full filter chain matching expected in an upcoming release? 


- Sumeet



Matt Klein

May 24, 2018, 1:09:30 PM
to Sumeet Kembhavi, envoy-users
There is a lot of work being done on this right now, but I'm not sure if Piotr is planning on also working on destination matching (I think he is, but I'm not sure). Assuming he is, it will probably be done in a few weeks.
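
The thread turns on the fact that a PROXY protocol header carries the original destination as well as the source address. The following sketch is an added example, not code from the thread or from Envoy: it parses a PROXY protocol v1 line and picks a listener from the destination it carries, accepting the header only from trusted peers because its contents are supplied by the sender. The peer range, the listener table and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_LINE = 107  # PROXY protocol v1: header line is at most 107 bytes, CRLF included
# Assumptions for this sketch: which peers may send PROXY headers, and a
# hypothetical destination -> listener table (not Envoy configuration).
TRUSTED_PEERS = [ipaddress.ip_network("10.0.0.0/8")]
LISTENERS = {("10.1.2.3", 8080): "app-http", ("10.1.2.3", 5432): "app-db"}
# Constructed sample: header written by a trusted load balancer, then app bytes.
SAMPLE = b"PROXY TCP4 192.0.2.10 10.1.2.3 51234 8080\r\nGET / HTTP/1.1\r\n"

def parse_proxy_v1(data: bytes):
    """Return (src, dst, payload); src/dst are (ip, port) or None for UNKNOWN."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in header") from None
    payload = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed header")
    want = 4 if fields[1] == "TCP4" else 6
    addrs = [ipaddress.ip_address(a) for a in fields[2:4]]  # ValueError if invalid
    if any(a.version != want for a in addrs):
        raise ValueError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("bad port")
    sport, dport = int(fields[4]), int(fields[5])
    return (str(addrs[0]), sport), (str(addrs[1]), dport), payload

def select_listener(peer_ip: str, data: bytes):
    """Pick a listener by the destination in the header, only for trusted peers."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PEERS):
        raise PermissionError("PROXY header from untrusted peer")
    src, dst, payload = parse_proxy_v1(data)
    return LISTENERS.get(dst, "default"), src, payload
```
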
