Related to redirect on different port

Deepak Sharma

Mar 18, 2021, 10:58:48 PM3/18/21
to envoy-users
Hi There,

I need some information/help with an Envoy configuration. We have Envoy (v1.13.0) as a sidecar which uses static configuration; we do not have a control plane like Istio. We have a use case where we are using Envoy to encrypt HTTP traffic at a particular port, say 9443. We want Envoy to encrypt the data (which we are able to do) and then send this encrypted data to the original host on port 443, not to the original port, which is 9443.
The way we are planning it is to update the iptables nat table rule, which will redirect the plain-text call to Envoy, which will encrypt the traffic; the challenge is how to change the port to 443. The reason we have no iptables rule for 443 in the first place is that we have another proxy running which is doing TLS for outgoing traffic on port 443. If we add an iptables rule for port 443 it will mess up this other proxy setup.

# IP Rule for port 9443
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9443 -j REDIRECT ! -s 127.0.0.1/32 --to-port 10443 -m owner --uid-owner 10000

# Configuration for the envoy.yaml containing the static listener for the upstream cluster. This configuration is not able to change the port
# because of the cluster type we are using, which is ORIGINAL_DST.
static_resources:
  listeners:
  #   This listener is called for all outbound traffic on 9443
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 10443
    filter_chains:
      - filters:
          - name: envoy.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
              stat_prefix: outbound_core_9443
              route_config:
                name: outbound_core_9443_rt
                virtual_hosts:
                  - name: outbound_core_9443
                    domains:
                      - "*"
                    routes:
                      - match:
                          # apply this to all routes with this prefix, / for all
                          prefix: "/"
                        route:
                          cluster: outbound_core_9443
                          timeout:
                            seconds: 0
                            nanos: 0
                          idle_timeout:
                            seconds: 0
                            nanos: 0
              http_filters:
                - name: envoy.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.config.filter.http.router.v2.Router
                    # upstream_log:
                    #   - name: envoy.file_access_log
                    #     typed_config:
                    #       "@type": type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog
                    #       path: "/home/envoy/http.txt"
    listener_filters:
      - name: envoy.listener.original_dst
        typed_config: {}

  clusters:
    - name: outbound_core_9443
      cleanup_interval: 30s
      connect_timeout: 6s
      type: ORIGINAL_DST
      lb_policy: ORIGINAL_DST_LB
      dns_lookup_family: V4_ONLY
      # This is TLS client configuration for mTLS
      tls_context:
        common_tls_context:
          validation_context:
            trusted_ca: {filename: "/etc/ca/cacerts.pem"}
            verify_subject_alt_name:
              - san1-role
              - san2-role
          tls_certificates:
            - certificate_chain: {filename: "/etc/client/certificates/client.pem"}
              private_key: {filename: "/etc/client/keys/client-key.pem"}

admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 18081

Any help will be appreciated.
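The setup in the post hinges on what an ORIGINAL_DST cluster actually receives: after an iptables nat REDIRECT, the kernel keeps the address the client originally dialled, and a proxy recovers it with getsockopt(SO_ORIGINAL_DST). Envoy's original_dst listener filter does exactly that and ORIGINAL_DST_LB connects to the recovered IP and port unchanged, which is why the port cannot be swapped inside the cluster itself; any 9443 to 443 remap has to be a separate, proxy-side decision. The Python below is an added example, not code from the poster or from the Envoy project: it decodes the struct sockaddr_in that SO_ORIGINAL_DST returns, applies a hypothetical PORT_REMAP table (9443 to 443, taken from the scenario above), and includes a constructed sample so the decoder runs offline. Only original_dst_of needs a real redirected Linux socket.

```python
import socket
import struct

# Linux-specific socket option: on a connection that an iptables nat
# REDIRECT rule rewrote, getsockopt(SOL_IP, SO_ORIGINAL_DST) returns the
# destination the client originally dialled, as a struct sockaddr_in.
SOL_IP = 0
SO_ORIGINAL_DST = 80

# Hypothetical remap for this scenario (assumption, not an Envoy setting):
# traffic dialled to 9443 should go upstream on 443; any other port is kept.
PORT_REMAP = {9443: 443}


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Constructed sample of the 16-byte struct sockaddr_in the kernel
    returns, so the decoder can be exercised without iptables present."""
    return (
        struct.pack("=H", socket.AF_INET)   # sin_family, host byte order
        + struct.pack("!H", port)            # sin_port, network byte order
        + socket.inet_aton(ip)               # sin_addr, 4 bytes
        + bytes(8)                           # sin_zero padding
    )


def parse_original_dst(raw: bytes) -> tuple:
    """Decode SO_ORIGINAL_DST output into (ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in must be at least 8 bytes")
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("only AF_INET original destinations are handled here")
    port = struct.unpack_from("!H", raw, 2)[0]
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def choose_upstream(ip: str, port: int, remap=PORT_REMAP) -> tuple:
    """The decision ORIGINAL_DST_LB does not make on its own: keep the
    original host, swap the port according to the remap table."""
    return ip, remap.get(port, port)


def original_dst_of(conn: socket.socket) -> tuple:
    """Read the real original destination from a redirected connection.
    Linux only, and only meaningful for sockets that hit a nat REDIRECT rule."""
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_original_dst(raw)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample above.
    sample = build_sockaddr_in("10.1.2.3", 9443)
    ip, port = parse_original_dst(sample)
    print("original destination:", ip, port)
    print("upstream target:", choose_upstream(ip, port))
```

On a live sidecar, original_dst_of(conn) would be called on each accepted connection on 10443, and choose_upstream would pick the dial target before the TLS handshake; the remap table is the one place where the 9443 to 443 change lives, so it is easy to audit and does not require touching the nat rule for 443 that the other proxy depends on.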