envoyproxy

How to configure Envoy as a forward (egress) proxy


I am trying to configure Envoy as an egress proxy. I am using the configuration below:

static_resources:

  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.router
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: http_default }

  clusters:
  - name: http_default
    connect_timeout: 6s
    type: ORIGINAL_DST
    lb_policy: CLUSTER_PROVIDED
    

I am testing it on my local laptop (OSX 11.6.1).

I ran Envoy using the above configuration:

envoy -c test.yaml 

and Envoy started listening on port 10000:

netstat -an | grep 10000

tcp4       0      0  *.10000                *.*                    LISTEN

I am trying the curl command:

curl -x http://127.0.0.1:10000 http://proton4.eng.vmware.com
no healthy upstream%  

http://proton4.eng.vmware.com is up and running:

curl -v http://proton4.eng.vmware.com

*   Trying 10.20.119.220...
* TCP_NODELAY set
* Connected to proton4.eng.vmware.com (10.20.119.220) port 80 (#0)
> GET / HTTP/1.1
> Host: proton4.eng.vmware.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Wed, 17 Nov 2021 03:30:57 GMT
< Content-Type: text/html
< Content-Length: 1456
< Last-Modified: Thu, 21 Jan 2021 00:38:26 GMT
< Connection: keep-alive
< ETag: "6008cd02-5b0"
< Accept-Ranges: bytes

Can anyone please help me with the configuration of Envoy?


Solution

  • The config below worked for an HTTP proxy.

    admin:
      address:
        socket_address:
          protocol: TCP
          address: 127.0.0.1
          port_value: 9901
    static_resources:
      listeners:
      - name: listener_0
        address:
          socket_address:
            protocol: TCP
            address: 0.0.0.0
            port_value: 10000
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/force-host-rewrite"
                    route:
                      cluster: dynamic_forward_proxy_cluster
                    typed_per_filter_config:
                      envoy.filters.http.dynamic_forward_proxy:
                        "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
                        host_rewrite_literal: www.example.org
                  - match:
                      prefix: "/"
                    route:
                      cluster: dynamic_forward_proxy_cluster
              http_filters:
              - name: envoy.filters.http.dynamic_forward_proxy
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
                  dns_cache_config:
                    name: dynamic_forward_proxy_cache_config
                    dns_lookup_family: V4_ONLY
              - name: envoy.filters.http.router
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      clusters:
      - name: dynamic_forward_proxy_cluster
        lb_policy: CLUSTER_PROVIDED
        cluster_type:
          name: envoy.clusters.dynamic_forward_proxy
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
            dns_cache_config:
              name: dynamic_forward_proxy_cache_config
              dns_lookup_family: V4_ONLY
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            common_tls_context:
              validation_context:
                trusted_ca: {filename: /usr/local/Cellar/ca-certificates/2021-10-26/share/ca-certificates/cacert.pem}
    

    I am using OSX 11.6.1 and

    envoy version: 96701cb24611b0f3aac1cc0dd8bf8589fbdf8e9e/1.20.0/Modified/RELEASE/BoringSSL
    

    We need to install ca-certificates on Mac:

    brew install ca-certificates
    

    Now try proxying www.example.com:

    curl -x http://127.0.0.1:10000 http://example.com
    <!doctype html>
    <html>
    <head>
        <title>Example Domain</title>
    
        <meta charset="utf-8" />
        <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <style type="text/css">
        body {
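The working config above is an open forward proxy: the listener binds 0.0.0.0, the virtual host matches domains ["*"], and every Host is forwarded to the dynamic forward proxy cluster, so anyone who can reach port 10000 can proxy through it. As an added example (not code from the question or answer), here is a small lint over a bootstrap dict that flags those three settings plus a TLS cluster with no trusted_ca; lint_forward_proxy, answer_bootstrap and the finding codes are this example's own, and the bootstrap is a trimmed mirror of the answer's YAML constructed inline.

```python
import ipaddress

# Added example, not code from the question or answer. Finding codes and the
# helper names below are this example's own, not Envoy's.
DFP_CLUSTER = "envoy.clusters.dynamic_forward_proxy"
TLS_SOCKET = "envoy.transport_sockets.tls"
HCM = "envoy.filters.network.http_connection_manager"


def lint_forward_proxy(bootstrap):
    """Return sorted finding codes for an Envoy bootstrap given as a dict."""
    findings, static = set(), bootstrap.get("static_resources", {})
    dfp = set()  # names of dynamic forward proxy clusters
    for c in static.get("clusters", []):
        if c.get("cluster_type", {}).get("name") != DFP_CLUSTER:
            continue
        dfp.add(c["name"])
        sock = c.get("transport_socket", {})
        tls = sock.get("typed_config", {}).get("common_tls_context", {})
        if sock.get("name") == TLS_SOCKET and not tls.get("validation_context", {}).get("trusted_ca"):
            findings.add("UPSTREAM_TLS_UNVERIFIED:" + c["name"])  # upstream certs not checked
    for l in static.get("listeners", []):
        addr = l["address"]["socket_address"]["address"]
        hcms = [f for ch in l.get("filter_chains", []) for f in ch.get("filters", []) if f.get("name") == HCM]
        for vh in [v for f in hcms for v in f["typed_config"].get("route_config", {}).get("virtual_hosts", [])]:
            if not any(r.get("route", {}).get("cluster") in dfp for r in vh.get("routes", [])):
                continue  # this virtual host never reaches a forward-proxy cluster
            if "*" in vh.get("domains", []):
                findings.add("OPEN_FORWARD_PROXY:" + l["name"])  # any Host header is proxied
            if not ipaddress.ip_address(addr).is_loopback:
                findings.add("PROXY_NOT_LOOPBACK:" + l["name"])  # reachable from other hosts
    return sorted(findings)


def answer_bootstrap(listen="0.0.0.0", domains=("*",), trusted_ca="/path/to/cacert.pem"):
    """Trimmed mirror of the answer's YAML (constructed here) with the knobs the lint looks at."""
    validation = {"trusted_ca": {"filename": trusted_ca}} if trusted_ca else {}
    return {
        "admin": {"address": {"socket_address": {"address": "127.0.0.1", "port_value": 9901}}},
        "static_resources": {
            "listeners": [{"name": "listener_0",
                "address": {"socket_address": {"address": listen, "port_value": 10000}},
                "filter_chains": [{"filters": [{"name": HCM, "typed_config": {"route_config": {"virtual_hosts": [
                    {"name": "local_service", "domains": list(domains),
                     "routes": [{"match": {"prefix": "/"}, "route": {"cluster": "dynamic_forward_proxy_cluster"}}]}]}}}]}]}],
            "clusters": [{"name": "dynamic_forward_proxy_cluster", "cluster_type": {"name": DFP_CLUSTER},
                "transport_socket": {"name": TLS_SOCKET, "typed_config": {"common_tls_context": {
                    "validation_context": validation}}}}]}}
```

Binding the listener to 127.0.0.1 and replacing domains ["*"] with an explicit allowlist clears both listener findings, since Envoy only routes requests whose authority matches a virtual host domain.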