Envoy forward proxy - man in the middle with ssl termination

[batistado]

Hi
I wanted to check if envoy supports Man in the middle with SSL termination as a forward proxy?
If so can you link me to any documentation or example config how to do it?

[daixiang0]

May be cluster filter or custom HTTP conn pool helps. 🤔

[batistado]

How? Care to elaborate?

[daixiang0]

@soulxu maybe you know details.

[soulxu]

@soulxu maybe you know details.

@batistado not sure you are asking a normal tls termination or something like what @LuyaoZhong is doing here #18928

[batistado]

@soulxu No we don't want to envoy to generate a copied cert from upstream service's cert (like www.google.com). My use case is this:

Current setup:
internal service ----> External service

External service presents our org's self signed cert to internal service and internal service verifies it via our org's root CA cert.

Want setup:
internal service ----> Envoy (as forward proxy) ----> External service

We want to able to install our org's self signed cert and root CA to envoy so envoy can mimic External service to internal service and then to external service it behaves like internal service.

[LuyaoZhong]

@batistado I think it is indeed what we are doing with #18928 . We have a workable PR to mimic the server certificate, which might satisfy your requirement.

There are limitations if we don't have the real server cert as reference to mimic cert, for instance we will lose TLS extensions, etc. That's why we are discussing the new workflow on #18928.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[vorishirne]

@LuyaoZhong I want to test your changes.

So the traffic has to be routed to envoy via iptable rules or some other way, in your example config attached in PR?

[LuyaoZhong]

@vorishirne Yes, you need to route traffic to Envoy with proper iptables rule set.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[vorishirne]

@LuyaoZhong is this feature still under development

[LuyaoZhong]

@vorishirne Yes, see the issue TLS bumping .

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

[kmushegi]

This video could be useful? just watched it myself, looking for similar things https://www.youtube.com/watch?v=B8nTc08CeRQ