-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nginx reverse proxy - upstream name must match the service or it fails to route #14450
Comments
sorry but how is this related to istio? |
@linsun this problem occurs when istio-proxy is injected, normally this flow is totally fine but when the envoy proxy is present I get this behaviour. |
I get a bunch of PassthroughCluster in istio-proxy logs when I try to visit an endpoint that is proxied to another service. (This is the third party cloudendpoints esp with predefined nginx config) The same thing was happening in my own nginx reverse proxy, but when I changed the upstream name to match the server name of the service I try to proxy to, I see this: |
My guess is that nginx registers the upstream with the name I provide and when I call is using proxy_pass it would normally go to the server I specified but istio-proxy intercepts the local call as well and decides it is out of cluster. I am not that familiar with the inner working of the proxy but this is my guess. |
Might be related to #14443 |
Hey, I'd suggest using the
What this does is ensure that nginx doesn't resolve the upstream address to an ip, and maintains the correct I recommend using this project because I use it, with Istio, with a 240 odd service deployment. If you're not using ingress-nginx, I think you can set
Hope this helps but as I say, it's an nginx configuration rather than an istio problem. |
@Stono Thanks I will investigate these options. I do use ingress-nginx and I want to change all my ingresses to istio gateways+virtualservices, the reason I use an nginx is for my api-gateway. ESP proxy (Google Cloud Endpoints) -> Nginx API-gateway -> My Application |
@Mr-Linus yeah gateways would be one way to do it but then you're managing certs on envoy. Then you have:
And Can you close this issue of as it's not an istio issue, it is a great topic of conversation however so probably more one for the istio-users groups. I'll write up a blog post over over the next few days detailing our setup too. |
Yes I'll close it and thanks! |
Sorry, my fault, I found the true reason is that there are some health checkers failed after injected sidecar, and finally I have already fixed them. |
If I have a service called
foo-bar
and I create an upstream block like this:Then I proxy the request to this upstream like this:
It will cause an infinite loop with istio, but if I change the name of the upstream to
foo-bar
instead offoo
so it matches the name of the service it works fine.This is quite a headache when I am using third party solutions like cloudendpoints esp proxy.
EDIT:
It seems like it is not an infinite loop (maybe just some retry logic?). I believe the problem is that istio-proxy intercepts the local calls and decides the upstream that I configured with nginx must be out of istio's scope so it tries to redirect it outside of the mesh.
The text was updated successfully, but these errors were encountered: