Hi There,
I need some information/help with envoy configuration. We have envoy (v1.13.0) as a sidecar which uses static configuration; we do not have a control plane like Istio. We have a use case where we are using envoy to encrypt HTTP traffic on a particular port, say 9443. We want envoy to encrypt the data (which we are able to do) and then send this encrypted data to the original host on port 443, not to the original port, which is 9443.
Trying to achieve the following with envoy:
The way we are planning is to update an IPTABLES nat table rule which will redirect the plain-text call to envoy, which will encrypt the traffic, but the challenge is how do we change the port to 443. The reason we have no iptables rule for 443 in the first place is that we have another proxy running which is doing TLS for outgoing traffic on port 443, and if we have an iptables rule for port 443 then it will mess up this other proxy setup.
# iptables nat rule for port 9443: redirect outbound plain-text traffic on 9443
# (not from loopback, only for uid 10000) to the envoy listener on 10443
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9443 ! -s 127.0.0.1/32 \
  -m owner --uid-owner 10000 -j REDIRECT --to-port 10443
# Configuration for the envoy.yaml containing the static listener for the upstream
# cluster. This configuration is not able to change the port because of the
# cluster type that we are using, which is ORIGINAL_DST.
static_resources:
  listeners:
  # This listener is called for all outbound traffic on 9443
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 10443
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: outbound_core_9443
          route_config:
            name: outbound_core_9443_rt
            virtual_hosts:
            - name: outbound_core_9443
              domains:
              - "*"
              routes:
              - match:
                  # apply this to all routes with this prefix, / for all
                  prefix: "/"
                route:
                  cluster: outbound_core_9443
                  # 0s disables the request and idle timeouts
                  timeout: 0s
                  idle_timeout: 0s
          http_filters:
          - name: envoy.router
            typed_config:
              "@type": type.googleapis.com/envoy.config.filter.http.router.v2.Router
              # upstream_log:
              # - name: envoy.file_access_log
              #   typed_config:
              #     path: "/home/envoy/http.txt"
    listener_filters:
    # Restores the original (pre-REDIRECT) destination address on the connection
    - name: envoy.listener.original_dst
      typed_config: {}
  clusters:
  - name: outbound_core_9443
    cleanup_interval: 30s
    connect_timeout: 6s
    type: ORIGINAL_DST
    lb_policy: ORIGINAL_DST_LB
    dns_lookup_family: V4_ONLY
    # This is TLS client configuration for mTLS
    tls_context:
      common_tls_context:
        validation_context:
          trusted_ca: {filename: "/etc/ca/cacerts.pem"}
          verify_subject_alt_name:
          - san1-role
          - san2-role
        tls_certificates:
        - certificate_chain: {filename: "/etc/client/certificates/client.pem"}
          private_key: {filename: "/etc/client/keys/client-key.pem"}
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 18081
Any help will be appreciated.
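One way to keep the original destination IP but connect on 443 instead of the intercepted 9443, as an added example that is not part of the original post and has not been tested against v1.13.0. It assumes that the ORIGINAL_DST cluster honours the x-envoy-original-dst-host header when original_dst_lb_config.use_http_header is set, and that the %DOWNSTREAM_LOCAL_ADDRESS_WITHOUT_PORT% header formatter, combined with the original_dst listener filter, yields the pre-REDIRECT destination IP.

```yaml
# Added example (not the poster's config): same listener and mTLS cluster,
# but the route rewrites the upstream host:port to <original IP>:443.
static_resources:
  listeners:
  - address:
      socket_address: {address: 0.0.0.0, port_value: 10443}
    listener_filters:
    - name: envoy.listener.original_dst   # recover the original destination
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: outbound_core_9443
          route_config:
            name: outbound_core_9443_rt
            virtual_hosts:
            - name: outbound_core_9443
              domains: ["*"]
              routes:
              - match: {prefix: "/"}
                route:
                  cluster: outbound_core_9443
                  # append: false overwrites any client-supplied value, so an
                  # application cannot steer the mTLS connection to another host.
                  request_headers_to_add:
                  - header:
                      key: x-envoy-original-dst-host
                      value: "%DOWNSTREAM_LOCAL_ADDRESS_WITHOUT_PORT%:443"
                    append: false
          http_filters:
          - name: envoy.router
            typed_config:
              "@type": type.googleapis.com/envoy.config.filter.http.router.v2.Router
  clusters:
  - name: outbound_core_9443
    connect_timeout: 6s
    type: ORIGINAL_DST
    lb_policy: ORIGINAL_DST_LB
    # Take the upstream host:port from the header set on the route above
    # instead of the socket's original destination.
    original_dst_lb_config:
      use_http_header: true
    tls_context:
      common_tls_context:
        validation_context: {trusted_ca: {filename: "/etc/ca/cacerts.pem"}}
        tls_certificates:
        - certificate_chain: {filename: "/etc/client/certificates/client.pem"}
          private_key: {filename: "/etc/client/keys/client-key.pem"}
```

Check the field names against the v1.13.0 reference documentation before deploying, since the v2 API names used here (tls_context, original_dst_lb_config) changed in later v3 releases.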