Support proxy to external domain #51097

Closed
johnzheng1975 opened this issue May 16, 2024 · 5 comments
Comments

@johnzheng1975 (Member)

johnzheng1975 commented May 16, 2024

(This is used to request new product features, please visit https://github.com/istio/istio/discussions for questions on using Istio)

Describe the feature request
I want to use Istio as an API gateway, not only to proxy services inside the cluster, but also to proxy an external server, and then add JWT verification (RA/AuthorizationPolicy), rate limiting, whitelisting, CORS and so on...

However, an error is raised when proxying the requests to an external domain.

Describe alternatives you've considered
No

Affected product area (please put an X in all that apply)

- [ ] Ambient
- [ ] Docs
- [ ] Dual Stack
- [ ] Installation
- [x] Networking
- [ ] Performance and Scalability
- [ ] Extensions and Telemetry
- [ ] Security
- [ ] Test and Release
- [ ] User Experience
- [ ] Developer Infrastructure

Affected features (please put an X in all that apply)

- [ ] Multi Cluster
- [ ] Virtual Machine
- [ ] Multi Control Plane

Additional context

@johnzheng1975 (Member, Author)

The error is as in #50997.

@johnzheng1975 (Member, Author)

Thanks @hzxuzhonghu
After insecureSkipVerify is set to false, it works.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls
  namespace: istio-system
spec:
  host: httpbin.org
  trafficPolicy:
    tls:
      mode: SIMPLE
      insecureSkipVerify: true
```

@johnzheng1975 (Member, Author)

johnzheng1975 commented May 17, 2024

I just want to discuss more whether setting insecureSkipVerify to true is safe enough for production usage.
Let us say, is it possible for some hacker to redirect our cluster's external request to a fake server without a valid server certificate?

  • If we verify the SSL certificate, it is secure: we will detect this and cancel the request.
  • If we do not verify the SSL certificate, we may send our token/info to it. The fake server will get all the info.

Just FYI. Thanks very much for discussion.

@hzxuzhonghu (Member)

Not always. Think about your browser: if you are accessing a website whose CA cert is not in your local host, it will warn.

This is to verify that the server you access is really the true one, not a pretending one.
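For readers who want the verified form of the configuration discussed above, here is an added example (not part of the original issue and not taken from the Istio project) of originating TLS to httpbin.org with server certificate verification left on. It assumes the standard Istio ServiceEntry/VirtualService/DestinationRule pattern for egress TLS origination, the same httpbin.org host as the issue, and that the proxy falls back to the OS trust store when `caCertificates` is omitted, as the Istio ClientTLSSettings documentation describes; on older Istio releases that only verify when `VERIFY_CERTIFICATE_AT_CLIENT` is enabled, set `caCertificates` explicitly.

```yaml
# Added example: external host reachable from the mesh, with TLS originated by the sidecar.
# Port 80 is what in-cluster clients call; targetPort 443 is what the proxy actually dials.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-org
  namespace: istio-system
spec:
  hosts:
  - httpbin.org
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
    targetPort: 443
  - number: 443
    name: https-port
    protocol: HTTPS
---
# Route plain-HTTP requests for httpbin.org to the port that the DestinationRule upgrades to TLS.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-org
  namespace: istio-system
spec:
  hosts:
  - httpbin.org
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
---
# Originate TLS with verification enabled. Compared with the DestinationRule in the issue,
# insecureSkipVerify: true is replaced by explicit SNI and SAN checks, so a host that cannot
# present a certificate chaining to a trusted CA for httpbin.org is rejected by the proxy
# instead of receiving the client's Authorization header.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls
  namespace: istio-system
spec:
  host: httpbin.org
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE
        sni: httpbin.org            # name sent in ClientHello; must match the server's certificate
        subjectAltNames:
        - httpbin.org               # SAN the proxy requires in the presented certificate
        insecureSkipVerify: false   # default, written out to make the contrast with the issue explicit
        # caCertificates: /etc/ssl/certs/ca-certificates.crt
        # (assumed path; uncomment on releases that do not use the OS trust store by default)
```

A quick way to confirm the check is active is to point the same DestinationRule at a host whose certificate does not carry the expected SAN (for example a self-signed test server in a lab namespace): the sidecar should return a 503 with an upstream TLS error in `istioctl proxy-config log` / the Envoy access log rather than completing the request, which is exactly the behaviour the comment above describes as "cancelling" the request.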

@johnzheng1975 (Member, Author)

Thanks @hzxuzhonghu , closed this.
