[help!] envoy forwards traffic to the tcp secondary transparent proxy through tcp_proxy, but before envoy receives the response, the tcp secondary transparent proxy sends a FIN and disconnects the connection. #34238

Closed
xiaoxuanyo opened this issue May 18, 2024 · 2 comments

Comments

@xiaoxuanyo

I want to realize the requirements of 【pod outbound -> envoy -> tcp transparent proxy -> target website】

This is my TCP packet capture information:

1. envoy -> tcp transparent proxy

```
17:07:47.649719 IP 10.0.0.136.38184 > iZ7xvj2m1pwoytdowmcrjxZ.7892: Flags [S], seq 808239914, win 64860, options [mss 1410,sackOK,TS val 1842931539 ecr 0,nop,wscale 7], length 0
17:07:47.649765 IP iZ7xvj2m1pwoytdowmcrjxZ.7892 > 10.0.0.136.38184: Flags [S.], seq 490212783, ack 808239915, win 65160, options [mss 1460,sackOK,TS val 1544986883 ecr 1842931539,nop,wscale 7], length 0
17:07:47.649775 IP 10.0.0.136.38184 > iZ7xvj2m1pwoytdowmcrjxZ.7892: Flags [.], ack 1, win 507, options [nop,nop,TS val 1842931539 ecr 1544986883], length 0
17:07:47.649823 IP 10.0.0.136.38184 > iZ7xvj2m1pwoytdowmcrjxZ.7892: Flags [P.], seq 1:78, ack 1, win 507, options [nop,nop,TS val 1842931539 ecr 1544986883], length 77
17:07:47.649831 IP iZ7xvj2m1pwoytdowmcrjxZ.7892 > 10.0.0.136.38184: Flags [.], ack 78, win 509, options [nop,nop,TS val 1544986883 ecr 1842931539], length 0
17:07:50.925246 IP iZ7xvj2m1pwoytdowmcrjxZ.7892 > 10.0.0.136.38184: Flags [F.], seq 1, ack 78, win 509, options [nop,nop,TS val 1544990159 ecr 1842931539], length 0
17:07:50.925381 IP 10.0.0.136.38184 > iZ7xvj2m1pwoytdowmcrjxZ.7892: Flags [F.], seq 78, ack 2, win 507, options [nop,nop,TS val 1842934815 ecr 1544990159], length 0
17:07:50.925405 IP iZ7xvj2m1pwoytdowmcrjxZ.7892 > 10.0.0.136.38184: Flags [.], ack 79, win 509, options [nop,nop,TS val 1544990159 ecr 1842934815], length 0
```

2. tcp transparent proxy -> website

```
17:07:47.666327 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [S], seq 635071276, win 64240, options [mss 1460,sackOK,TS val 2142505864 ecr 0,nop,wscale 7], length 0
17:07:47.671942 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [S.], seq 3847122411, ack 635071277, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
17:07:47.671965 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [.], ack 1, win 502, length 0
17:07:47.672220 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [P.], seq 1:284, ack 1, win 502, length 283
17:07:47.677818 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [.], ack 284, win 237, length 0
17:07:47.838263 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [P.], seq 1:4321, ack 284, win 237, length 4320
17:07:47.838311 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [.], ack 4321, win 491, length 0
17:07:47.838324 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [P.], seq 4321:5657, ack 284, win 237, length 1336
17:07:47.838333 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [.], ack 5657, win 485, length 0
17:07:47.839854 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [P.], seq 284:348, ack 5657, win 501, length 64
17:07:47.839900 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [P.], seq 348:438, ack 5657, win 501, length 90
17:07:47.840015 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [P.], seq 438:537, ack 5657, win 501, length 99
17:07:47.845489 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [.], ack 348, win 237, length 0
17:07:47.845527 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [.], ack 438, win 237, length 0
17:07:47.845699 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [.], ack 537, win 237, length 0
17:07:50.924939 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [P.], seq 5657:5681, ack 537, win 237, length 24
17:07:50.925007 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [.], ack 5681, win 501, length 0
17:07:50.925068 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [F.], seq 5681, ack 537, win 237, length 0
17:07:50.925160 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [P.], seq 537:561, ack 5682, win 501, length 24
17:07:50.925195 IP iZ7xvj2m1pwoytdowmcrjxZ.58672 > 183.36.43.187.21015: Flags [F.], seq 561, ack 5682, win 501, length 0
17:07:50.930819 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [R], seq 3847128093, win 0, length 0
17:07:50.930850 IP 183.36.43.187.21015 > iZ7xvj2m1pwoytdowmcrjxZ.58672: Flags [R], seq 3847128093, win 0, length 0
```

I don’t understand why the tcp secondary proxy disconnected from envoy before receiving a response from the target website.

```
17:07:50.925246 IP iZ7xvj2m1pwoytdowmcrjxZ.7892 > 10.0.0.136.38184: Flags [F.], seq 1, ack 78, win 509, options [nop,nop,TS val 1544990159 ecr 1842931539], length 0
```

According to my understanding, shouldn't the connection to the proxy server be disconnected after the response is returned to envoy? Is this related to the configuration of envoy?
If anyone can help me I would be grateful~

@xiaoxuanyo xiaoxuanyo added the triage Issue requires triage label May 18, 2024
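
An added example (not part of the original issue and not Envoy code): a small Python parser that totals payload bytes per sender on each leg of the capture posted above and reports which side closed first. The sample lines are abridged from that capture; the names `summarize`, `ENVOY_LEG` and `UPSTREAM_LEG` are illustrative.

```python
import re

# One tcpdump text line: "<time> IP <src> > <dst>: Flags [<flags>], ... length <n>"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\].*\blength (?P<len>\d+)"
)

def summarize(capture):
    """Return (payload bytes per sender, first FIN/RST as (time, sender, flags))."""
    sent, first_close = {}, None
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-packet line
        sent[m["src"]] = sent.get(m["src"], 0) + int(m["len"])
        if first_close is None and re.search(r"[FR]", m["flags"]):
            first_close = (m["ts"], m["src"], m["flags"])
    return sent, first_close

PROXY = "iZ7xvj2m1pwoytdowmcrjxZ"
ENVOY, SITE = "10.0.0.136.38184", "183.36.43.187.21015"

# Packets from the issue's capture that carry payload or FIN/RST, abridged:
# handshakes, pure ACKs and the seq/ack/win/options fields are dropped.
ENVOY_LEG = f"""
17:07:47.649823 IP {ENVOY} > {PROXY}.7892: Flags [P.], length 77
17:07:50.925246 IP {PROXY}.7892 > {ENVOY}: Flags [F.], length 0
17:07:50.925381 IP {ENVOY} > {PROXY}.7892: Flags [F.], length 0
"""
UPSTREAM_LEG = f"""
17:07:47.672220 IP {PROXY}.58672 > {SITE}: Flags [P.], length 283
17:07:47.838263 IP {SITE} > {PROXY}.58672: Flags [P.], length 4320
17:07:47.838324 IP {SITE} > {PROXY}.58672: Flags [P.], length 1336
17:07:47.839854 IP {PROXY}.58672 > {SITE}: Flags [P.], length 64
17:07:47.839900 IP {PROXY}.58672 > {SITE}: Flags [P.], length 90
17:07:47.840015 IP {PROXY}.58672 > {SITE}: Flags [P.], length 99
17:07:50.924939 IP {SITE} > {PROXY}.58672: Flags [P.], length 24
17:07:50.925068 IP {SITE} > {PROXY}.58672: Flags [F.], length 0
17:07:50.925160 IP {PROXY}.58672 > {SITE}: Flags [P.], length 24
17:07:50.925195 IP {PROXY}.58672 > {SITE}: Flags [F.], length 0
17:07:50.930819 IP {SITE} > {PROXY}.58672: Flags [R], length 0
"""

if __name__ == "__main__":
    for name, leg in (("envoy leg", ENVOY_LEG), ("upstream leg", UPSTREAM_LEG)):
        sent, close = summarize(leg)
        print(name, sent, "first close:", close)
```

On these lines the envoy leg shows 77 payload bytes from envoy and 0 from the proxy, while the upstream leg shows 560 bytes from the proxy and 5680 from the website. The first close on the upstream leg is the website's FIN at 17:07:50.925068, 178 microseconds before the proxy's FIN to envoy at 17:07:50.925246.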
@xiaoxuanyo
Author

This is my setting:

```yaml
# Listener fragment as posted; the enclosing keys are not shown.
            - filters:
                - name: istio.stats
                  typed_config:
                    '@type': type.googleapis.com/stats.PluginConfig
                - name: envoy.filters.network.tcp_proxy
                  typed_config:
                    '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                    access_log:
                      - name: envoy.access_loggers.file
                        typed_config:
                          '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                          log_format:
                            text_format_source:
                              inline_string: '[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%
                                %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS%
                                %CONNECTION_TERMINATION_DETAILS% "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
                                %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%
                                "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%"
                                "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS%
                                %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME%
                                %ROUTE_NAME% %FILTER_CHAIN_NAME%

                                '
                          path: /dev/stdout
                    cluster: ProxyCluster
                    stat_prefix: ProxyCluster
              name: proxy_outbound_0.0.0.0_443
          listener_filters_timeout: 0s
          name: 0.0.0.0_443
          traffic_direction: OUTBOUND
```

@zuercher
Member

I don't think this is related to Envoy.

@zuercher zuercher removed the triage Issue requires triage label May 21, 2024