-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNI-based routing without TLS termination #1843
Comments
@rshriram FYI Useful for end-to-end mutual TLS where traffic is routed through edge without TLS termination. |
Ooh.. interesting. |
@PiotrSikora can you elaborate for the non-Istio folks? Why is the client in this scenario presenting a ClientHello if there is no TLS termination? |
The idea is that the client establishes TLS connection "directly" with the backend service, without TLS termination at the proxy, i.e. Envoy is simply doing L4 proxying of TCP packets. However, instead of making routing decisions only based on the listening and/or destination IP:port, we want to take advantage of the fact that the ClientHello (i.e. first message in the TLS handshake) is unencrypted and contains useful information (i.e. ALPN and SNI) to make routing decisions based on that as well. e.g.
In such scenario, neither the client nor the backend has to trust the proxy, which at this point is just another hop. |
Yes, this makes sense. Our team also has a need for being able to interpret the initial TCP stream prefix when proxying to extract out additional info, we should sync about this. |
@PiotrSikora @mattklein123 any estimation when this feature will be implemented? |
@vadimeisenbergibm I'm working on tests for this right now, PR should be out "soon". |
@PiotrSikora glad to hear it, good news! |
Also interested in this |
very much interested. We do this today using Apache Traffic Server proxy. |
@PiotrSikora - are you planning on supporting both SNI and ALPN? |
@mastersingh24 both SNI and ALPN are extracted from the |
any updates on this? This feature is very useful! |
Sorry, I've got side-tracked with unrelated bug hunting, but I've started working on this again today, so the PR should be out "soon" (the code for this & the rewrite of filter match selection logic has been completed for a while, but I'm still missing a few tests). |
👍 👀 |
*Risk Level*: Medium *Testing*: bazel test //test/... *Docs Changes*: Added *Release Notes*: Added Fixes envoyproxy#1843. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
…ion_requested_server_name_attribute Add connection requested server name attribute to TCP read filter
Is there an example configuration for this functionality available? I found a config at How to setup SNI but it includes a |
@davidamin yes, just remove |
I could do with a little help with the setup for SNI based routing without TLS termination. I've got the SNI setup working with the TLS termination but can't get the tcp_proxy filter to work for sni routing without tls termination. This config seems to work for SNI routing (though oddly I can only use it with v2.HttpConnectionManager and not v3) :
But what's wrong with the below additions to the config?
The existing filter_chain_matches still work but the new one doesn't. The envoy access log seems to route the connection properly but https clients report the connection as being reset.
|
@tortuoise what's running on |
172.18.0.6:8000 has a tls server running in a separate container (part of same network) with envoy as sidecar. The envoy sidecar config also uses a tcp_proxy filter which finally connects to a cluster with the tls server. This is likely where my error is because I see nothing in the access logs for this envoy.
Alternatively, I also tried to have the tls server running as a local cluster in the same container as the edge envoy (as per the config pasted in previous comment - not the one above). This also doesn't work as expected.
|
Ok got this working with the local_service without the transport_socket following @PiotrSikora's reminder that envoy doesn't tls-terminate the connection. It only works with |
@tortuoise can you please help me with the final configuration file of yours? I seems to have the similar requirement |
Pre-read TLS ClientHello and extract requested SNI, which then can be used for routing, blocked on #95.
cc @louiscryan
The text was updated successfully, but these errors were encountered: