
Help with Envoy as HTTP/HTTPS Proxy


Zile Rehman

Nov 19, 2024, 11:22:40 AM
to envoy-users
I am trying to set up Envoy as an HTTP/HTTPS Proxy server that originates SSL on behalf of all the internal pods in the Kubernetes cluster. 

My tester pod is running into 503 errors when it tries to 

Envoy proxy log is throwing a "CERTIFICATE_VERIFY_FAILED error when requesting https://www.google.com or any other external domain the TLS handshake."

I am running the latest version "envoyproxy/envoy:v1.32.1". I may be missing something very obvious in my envoy configuration (See attached). Can you please provide guidance? Thanks in advance.

##############
# Envoy Config
##############
static_resources:
  listeners:
  - name: forward_proxy_listener
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 8080
    listener_filters:
    - name: "envoy.filters.listener.tls_inspector"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: dynamic_forward_proxy
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: dynamic_forward_proxy
              - match:
                  connect_matcher: {}
                route:
                  cluster: dynamic_forward_proxy
                  upgrade_configs:
                    - upgrade_type: CONNECT
                      connect_config: {}
          http_filters:
          - name: dynamic_forward_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
              dns_cache_config:
                name: dynamic_forward_proxy_cache
                dns_lookup_family: V4_ONLY
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dynamic_forward_proxy
    connect_timeout: 5s
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
        name: envoy.clusters.dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
          dns_cache_config:
            name: dynamic_forward_proxy_cache
            dns_lookup_family: V4_ONLY
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          tls_params:
            tls_minimum_protocol_version: TLSv1_2
            tls_maximum_protocol_version: TLSv1_3
          alpn_protocols: ["h2", "http/1.1"] # support both HTTP/2 and HTTP/1.1
admin:
  access_log:
  - name: envoy.access_loggers.file
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
      path: "/dev/stdout"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901

Zile Rehman

Nov 19, 2024, 2:38:24 PM
to envoy-users

Never mind. The trusted cert was missing in the config. I used the http://localhost:<port>/certs endpoint and did not see any entry. It's working now. I am running into a different issue but we can close this thread for now. Thanks.

validation_context:
  trusted_ca:
    filename: /etc/ssl/certs/ca-certificates.crt
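As an added check (not code from the thread or from the Envoy project), a Python linter that walks a bootstrap's clusters and flags every UpstreamTlsContext that carries no CA trust anchor, which is exactly the gap the reply above found. The sample bootstrap is constructed; the check takes the JSON form of the config, which Envoy also accepts.

```python
import json

UPSTREAM_TLS = ("type.googleapis.com/envoy.extensions.transport_sockets.tls"
                ".v3.UpstreamTlsContext")


def trust_anchor_source(common_tls_context):
    """Name the CommonTlsContext field carrying a CA trust anchor, or None."""
    ctx = common_tls_context
    if ctx.get("validation_context", {}).get("trusted_ca"):
        return "validation_context.trusted_ca"
    if ctx.get("validation_context_sds_secret_config"):
        return "validation_context_sds_secret_config"
    if ctx.get("combined_validation_context"):
        return "combined_validation_context"
    return None


def find_unverified_upstreams(bootstrap):
    """Return [(cluster_name, reason)] for every UpstreamTlsContext without a CA."""
    findings = []
    for cluster in bootstrap.get("static_resources", {}).get("clusters", []):
        # A cluster may carry one transport_socket or several transport_socket_matches.
        sockets = [cluster.get("transport_socket")]
        sockets += [m.get("transport_socket")
                    for m in cluster.get("transport_socket_matches", [])]
        for sock in filter(None, sockets):
            cfg = sock.get("typed_config", {})
            if cfg.get("@type") != UPSTREAM_TLS:
                continue  # plaintext or non-TLS socket: nothing to verify
            if trust_anchor_source(cfg.get("common_tls_context", {})) is None:
                findings.append((cluster["name"],
                                 "UpstreamTlsContext has no trusted CA; "
                                 "add common_tls_context.validation_context.trusted_ca"))
    return findings


# Constructed sample (not the poster's file): the first cluster mirrors the posted
# transport_socket with no validation_context, the second carries the fix from the reply.
SAMPLE_BOOTSTRAP = json.loads("""{"static_resources": {"clusters": [
  {"name": "dynamic_forward_proxy", "transport_socket": {"name": "envoy.transport_sockets.tls",
   "typed_config": {"@type": "%s", "common_tls_context": {"alpn_protocols": ["h2", "http/1.1"]}}}},
  {"name": "dynamic_forward_proxy_fixed", "transport_socket": {"name": "envoy.transport_sockets.tls",
   "typed_config": {"@type": "%s", "common_tls_context": {"validation_context":
     {"trusted_ca": {"filename": "/etc/ssl/certs/ca-certificates.crt"}}}}}},
  {"name": "plaintext_backend"}]}}""" % (UPSTREAM_TLS, UPSTREAM_TLS))

if __name__ == "__main__":
    for name, reason in find_unverified_upstreams(SAMPLE_BOOTSTRAP):
        print(f"{name}: {reason}")
```

Run it against your own bootstrap (converted to JSON) before deploying; the admin /certs endpoint mentioned above then confirms that the CA bundle was actually loaded.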