We're using Envoy's dynamic forward proxy cluster to route requests to both internal endpoints (requiring mTLS) and public endpoints (like Quicknode). Our setup uses an ext_authz gRPC service to validate requests and set the upstream host via x-dynamic-host.
Current Configuration

Our dynamic forward proxy cluster is configured with mTLS:
We believe this is because we're specifying a trusted_ca that works for our internal endpoints but fails for public ones.
Current Architecture

What's the recommended way to handle mixed TLS requirements in this scenario? We considered using transport_socket_matches to specify trusted_ca only for our internal hosts, but it seems this doesn't apply to dynamic forward proxy clusters.
We'd like to maintain the ability to dynamically set upstream hosts via our ext_authz service using x-dynamic-host. While we currently use a single dynamic forward proxy cluster for simplicity, we're open to alternative approaches if that's not the recommended pattern.
Any guidance on the best way to structure this would be appreciated. Thanks!
NB: I also opened a GitHub issue on this topic but wasn't sure where to post, so I wanted to ask here as well. If this discussion resolves the question, I'll close the GitHub issue accordingly. Thanks for your understanding.
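One way to structure the mixed-TLS case, shown here as an added example rather than configuration from the original post or from the Envoy project: keep the dynamic forward proxy, but split it into two clusters that share a single DNS cache (both reference the same dns_cache_config name), give only the internal one a client certificate and the internal trusted_ca, and let the route choose between them. The ext_authz service keeps setting x-dynamic-host, and additionally marks the request with a header the route matches on. The header name x-upstream-class, the cluster names, the ext_authz service address and all certificate paths are assumptions made for this example.

```yaml
static_resources:
  listeners:
  - name: ingress
    address: { socket_address: { address: 0.0.0.0, port_value: 8080 } }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              grpc_service: { envoy_grpc: { cluster_name: ext_authz_cluster } }
              # The authz OkResponse adds x-dynamic-host and x-upstream-class (assumed name).
              # The route is resolved and cached before ext_authz runs; without this flag the
              # header it adds is never consulted and every request takes the fallback route.
              clear_route_cache: true
          - name: envoy.filters.http.dynamic_forward_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
              dns_cache_config: { name: dfp_cache, dns_lookup_family: V4_ONLY }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            virtual_hosts:
            - name: all
              domains: ["*"]
              routes:
              # Internal endpoints: only when the authz service marked the request internal.
              - match: { prefix: "/", headers: [ { name: x-upstream-class, string_match: { exact: internal } } ] }
                route: { cluster: dfp_internal_mtls }
                typed_per_filter_config:
                  envoy.filters.http.dynamic_forward_proxy:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
                    host_rewrite_header: x-dynamic-host
              # Everything else: public trust store only, no client certificate presented.
              - match: { prefix: "/" }
                route: { cluster: dfp_public }
                typed_per_filter_config:
                  envoy.filters.http.dynamic_forward_proxy:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
                    host_rewrite_header: x-dynamic-host
  clusters:
  # Both DFP clusters name the same dns_cache_config, so they share one DNS cache.
  - name: dfp_internal_mtls
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config: { name: dfp_cache, dns_lookup_family: V4_ONLY }
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        # SNI and SAN checks follow the request's host/authority, i.e. the rewritten x-dynamic-host value.
        upstream_http_protocol_options: { auto_sni: true, auto_san_validation: true }
        explicit_http_config: { http_protocol_options: {} }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain: { filename: /etc/envoy/certs/client.crt }   # assumed paths
            private_key: { filename: /etc/envoy/certs/client.key }
          validation_context:
            trusted_ca: { filename: /etc/envoy/certs/internal-ca.crt }
  - name: dfp_public
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config: { name: dfp_cache, dns_lookup_family: V4_ONLY }
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        upstream_http_protocol_options: { auto_sni: true, auto_san_validation: true }
        explicit_http_config: { http_protocol_options: {} }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          validation_context:
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }   # assumed system bundle
  - name: ext_authz_cluster
    type: STRICT_DNS
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config: { http2_protocol_options: {} }
    load_assignment:
      cluster_name: ext_authz_cluster
      endpoints: [ { lb_endpoints: [ { endpoint: { address: { socket_address: { address: authz.internal, port_value: 9001 } } } } ] } ]
```

Two points worth checking before relying on this. First, the routing decision must be trusted only to the authz service: have it set x-upstream-class on every allowed request (an ext_authz OkResponse header with append unset overwrites whatever the client sent), so a client cannot steer itself onto the mTLS cluster by supplying the header. Second, the client certificate lives only on dfp_internal_mtls, so a public host that requests a client cert gets none, and a misrouted internal host fails validation against the public bundle rather than being served with internal credentials; both failures show up in the cluster's upstream TLS stats rather than as a successful but wrongly-trusted connection.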