No route found when proxying HTTPS requests with Dynamic Proxy


Hagai Eliaz

Oct 8, 2023, 12:44:15 PM
to envoy-users
Hi all,
I am testing envoy as a dynamic forward proxy, but I cannot seem to get the config right, as I get 404 whenever I try to proxy requests to HTTPS hosts.
```
import httpx
with httpx.Client(http2=True, verify=False, proxies={"all://": "https://localhost:8181"}) as client:
    r = client.get("https://www.google.com/")
   
with httpx.Client(http2=True, verify=False, proxies={"all://": "https://localhost:8181"}) as client:
    r = client.get("http://www.google.com/")
```
This also happens without configuring envoy to listen on HTTPS. Can anybody point me in the right direction?
dynamic.yaml

Dean Liu

Oct 9, 2023, 12:48:42 PM
to Hagai Eliaz, envoy-users
You're likely after SNI fwd proxy with https. The dynamic fwd proxy uses the host header to route, and this isn't available with TLS.

https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/sni_dynamic_forward_proxy_filter




Yan Avlasov

Oct 10, 2023, 4:26:04 PM
to Dean Liu, Hagai Eliaz, envoy-users
You can also enable access logging or even debug or trace logging to get insight on why request proxying fails.

Drew Thompson

Apr 16, 2024, 1:31:29 PM
to envoy-users
Dean, 

Why do you say this user is likely after SNI fwd proxy with https? I found this thread as I have the same problem. All of my HTTP requests to google.com and example.org are proxied but no route is found for HTTPS. 
I can get HTML replies to BOTH these requests in squid but not envoy. Envoy returns a 404.
```
curl http://www.google.com --proxy http://fwd-proxy:10000
curl https://www.google.com --proxy http://fwd-proxy:10000
```

I, like the OP, started from the dynamic forward proxy example config and also receive 404 no route found for https requests. The suggestion to use SNI did not get me anywhere, as the examples in the sandbox are doing something completely different than what I'm attempting, and the documentation states SNI is in alpha and not production ready either.

Dean Liu

May 25, 2024, 11:52:28 AM
to Drew Thompson, envoy-users

On closer inspection of the original author's example and your curl example, you're after a CONNECT proxy. In plaintext HTTP calls there's no reason to establish CONNECT because the host-header is visible to the proxy to route on. With https, host headers (google.com) are not visible to route on due to the nature of TLS encryption of headers+payloads. You'll need to route on SNI or use CONNECT. There are two steps that occur with an https vs. an http request in your CONNECT curl example:

1. CONNECT is an instruction to open a TCP connection to the upstream server (google).
2. After the CONNECT tunnel (TCP connection) is established, the request is then sent through the TCP connection.

You'll need a filter to terminate the CONNECT at envoy first before sending it to the dynamic forward proxy cluster.  

client https request -> CONNECT termination -> dynamic forward proxy
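
The chain described above (client https request -> CONNECT termination -> dynamic forward proxy) written out as an Envoy configuration. This is an added example, not the connect.yaml attachment or any poster's own config; the listener, virtual host, cluster and DNS cache names are assumptions, and port 10000 is taken from the curl commands earlier in the thread.

```yaml
# Added sketch: names below are assumed, not taken from the thread's attachments.
static_resources:
  listeners:
  - name: forward_proxy
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: forward_proxy
          # Accept CONNECT on this listener (HTTP/1.1, and HTTP/2 via allow_connect).
          upgrade_configs:
          - upgrade_type: CONNECT
          http2_protocol_options: { allow_connect: true }
          route_config:
            virtual_hosts:
            - name: any_host
              domains: ["*"]
              routes:
              # https:// through the proxy arrives as "CONNECT host:443". Over
              # HTTP/1.1 it has no path, so only connect_matcher matches it.
              - match: { connect_matcher: {} }
                route:
                  cluster: dynamic_forward_proxy_cluster
                  upgrade_configs:
                  - upgrade_type: CONNECT
                    connect_config: {}  # terminate CONNECT, forward payload as raw TCP
              # http:// through the proxy is an ordinary request routed on Host.
              - match: { prefix: "/" }
                route: { cluster: dynamic_forward_proxy_cluster }
          http_filters:
          - name: envoy.filters.http.dynamic_forward_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
              dns_cache_config: { name: dfp_cache, dns_lookup_family: V4_ONLY }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config: { name: dfp_cache, dns_lookup_family: V4_ONLY }  # must match the filter's cache
```

As written, the CONNECT route tunnels to whatever host:port the client names, so the listener should only be reachable by the clients meant to use it.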



Dean Liu

May 26, 2024, 12:27:48 PM
to Drew Thompson, envoy-users
I've modified the attachment from Hagai, the original author of this email thread, with a working example of the CONNECT upgrade statement + termination, for ease of reference.
connect.yaml