[HELP!!!] Can envoy be configured to use a second http/https proxy #34136

Closed
xiaoxuanyo opened this issue May 14, 2024 · 7 comments
Labels
area/http question Questions that are neither investigations, bugs, nor enhancements

Comments

@xiaoxuanyo

Title: Can envoy be configured to use a second http/https proxy

Description:
I am using envoy as an edge proxy. There is a use case where the whole network is behind an http proxy (which supports HTTP over CONNECT). Is there a way to have envoy redirect to this second proxy?

i.e. client(http/https,xxx.com)->envoy->[http proxy2]->xxx.com

Does envoy honor the HTTP_PROXY/HTTPS_PROXY/NO_PROXY environment variables? Is there another way?

@xiaoxuanyo xiaoxuanyo added the triage Issue requires triage label May 14, 2024
@ravenblackx ravenblackx added question Questions that are neither investigations, bugs, nor enhancements area/http and removed triage Issue requires triage labels May 14, 2024
@ravenblackx
Contributor

@alyssawilk probably understands this.

@alyssawilk
Contributor

Envoy can forward CONNECT requests, encapsulate traffic in CONNECT, and terminate CONNECT.
Please check out https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/upgrades

@xiaoxuanyo
Author

xiaoxuanyo commented May 14, 2024

> Envoy can forward CONNECT requests, encapsulate traffic in CONNECT, and terminate CONNECT. Please check out https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/upgrades

@alyssawilk What I want to achieve is that all http/https in this pod must go through my clash client proxy service before accessing the target website, so I want to use EnvoyFilter to achieve it, but I really understand too little about this.

For example, I want to intercept all http/https export traffic of the pod labeled app, and forward this part of the traffic to my clash client proxy server (assuming the address is http://a.b.c.com:40001, supporting HTTP over CONNECT), but I am a complete novice on envoy-related knowledge. Can you help show me how to implement the code? I will be very grateful~~~

@xiaoxuanyo
Author

> Envoy can forward CONNECT requests, encapsulate traffic in CONNECT, and terminate CONNECT. Please check out https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/upgrades

@alyssawilk What I want to achieve is that all http/https in this pod must go through my clash client proxy service before accessing the target website, so I want to use EnvoyFilter to achieve it, but I really understand too little about this.

For example, I want to intercept all http/https export traffic of the pod labeled app, and forward this part of the traffic to my clash client proxy server (assuming the address is http://a.b.c.com:40001, supporting HTTP over CONNECT), but I am a complete novice on envoy-related knowledge. Can you help show me how to implement the code? I will be very grateful~~~

The following is what I learned from some information I searched before:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: test
  namespace: apps
spec:
  workloadSelector:
    labels:
      app.kubernetes.io/name: app
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        context: SIDECAR_OUTBOUND
        listener:
          portNumber: 443
          filterChain:
            filter:
              name: "envoy.filters.network.tcp_proxy"
      patch:
        operation: MERGE
        value:
          name: "envoy.filters.network.tcp_proxy"
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
            stat_prefix: "outbound_tcp_443"
            cluster: proxy_cluster
            tunneling_config:
              hostname: "%REQUESTED_SERVER_NAME%:443"
    - applyTo: NETWORK_FILTER
      match:
        context: SIDECAR_OUTBOUND
        listener:
          portNumber: 80
          filterChain:
            filter:
              name: "envoy.filters.network.tcp_proxy"
      patch:
        operation: MERGE
        value:
          name: "envoy.filters.network.tcp_proxy"
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
            stat_prefix: "outbound_tcp_80"
            cluster: proxy_cluster
    - applyTo: CLUSTER
      match:
        context: SIDECAR_OUTBOUND
      patch:
        operation: ADD
        value:
          name: proxy_cluster
          type: STRICT_DNS
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: proxy_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: a.b.c.com
                          port_value: 40001
```

But it doesn't work. I don't quite understand how to modify it, even though I checked a lot of information.
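
The CONNECT encapsulation mentioned earlier in the thread, written out as a standalone Envoy bootstrap for the proxy address used in the post above. This is an added example, not configuration from any participant in the thread or from the Envoy project; the listener name, local port 10000 and stat prefix are assumptions, and it is a plain Envoy config rather than an Istio EnvoyFilter patch.

```yaml
# Added example (constructed): standalone Envoy bootstrap, not an Istio EnvoyFilter.
static_resources:
  listeners:
  - name: egress_tls                      # assumed name
    address:
      socket_address:
        address: 127.0.0.1
        port_value: 10000                 # assumed local port clients connect to
    listener_filters:
    # Reads the SNI from the TLS ClientHello so that
    # %REQUESTED_SERVER_NAME% below is populated.
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: egress_connect     # assumed prefix
          cluster: proxy_cluster
          # Envoy opens "CONNECT <sni>:443" to the upstream proxy and then
          # relays the client's TLS bytes through the tunnel unmodified.
          tunneling_config:
            hostname: "%REQUESTED_SERVER_NAME%:443"
  clusters:
  - name: proxy_cluster
    type: STRICT_DNS
    connect_timeout: 5s
    # Make the upstream protocol explicit: HTTP/1.1 CONNECT toward the proxy.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http_protocol_options: {}
    load_assignment:
      cluster_name: proxy_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: a.b.c.com        # placeholder proxy host from the post
                port_value: 40001
```

The SNI that becomes the CONNECT target is supplied by the client and is not authenticated, so any egress allow-list belongs on the upstream proxy's CONNECT handling rather than on trust in this value.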

@xiaoxuanyo
Author

@alyssawilk could you help me~ 0.0

@alyssawilk
Contributor

Apologies, but I think you're going to have to play around - I'm unfortunately too overloaded to dig in the way I'd need to to help out.

@xiaoxuanyo
Author

> Apologies, but I think you're going to have to play around - I'm unfortunately too overloaded to dig in the way I'd need to to help out.

OK, Thanks.
