Configuration issue to direct HTTPS_PROXY to egress gateway #30606

Closed
pk-vungle opened this issue Feb 3, 2021 · 1 comment
Labels
lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while


@pk-vungle

I tried setting up egress to an HTTPS proxy as per the documentation.

Thereafter I routed the traffic to the egress gateway as such:


```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: proxy
spec:
  hosts:
  - proxy-server.com
  addresses:
  - xxx.xxx.xxx.xxx/32
  ports:
  - number: 80
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: egressgw
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: tcp
      protocol: TCP
    hosts:
    - proxy-server.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressdr
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: proxy
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: proxy
spec:
  hosts:
  - proxy-server.com
  gateways:
  - egressgw
  - mesh
  tcp:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: proxy
  - match:
    - gateways:
      - egressgw
      port: 80
    route:
    - destination:
        host: proxy-server.com
```

From my application istio-proxy, I can see the outbound traffic as such:

```
[2021-02-03T03:59:37.934Z] "- - -" 0 - "-" "-" 185 0 1 - "-" "-" "-" "-" "172.17.16.11:8080" outbound|80|proxy|istio-egressgateway.istio-system.svc.cluster.local 172.17.23.63:36234 xxx.xxx.xxx.xxx:80 172.17.23.63:59646 - -
```

From these logs, it seems like the sidecar can access egress pods. I managed to ping successfully from the application pod to the proxy server. However, I am not able to curl from application port to internet services. The error message is as follows:

```
sh-4.2$ curl https://www.google.com -vvv

About to connect() to proxy xxx.xxx.xxx.xxx port 80 (#0)
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 80 (#0)
Establish HTTP proxy tunnel to www.google.com:443
Proxy auth using Basic with user '*****'
CONNECT www.google.com:443 HTTP/1.1
Host: www.google.com:443
Proxy-Authorization: Basic ****
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive
Proxy CONNECT aborted
Connection #0 to host xxx.xxx.xxx.xxx left intact
curl: (56) Proxy CONNECT aborted
```

From the egress-gateway pod, I am getting UH errors:

```
[2021-02-03T05:08:56.376Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - 172.17.16.11:8080 172.17.23.63:55172 - -
```

172.17.16.11 should be the egress-gateway pod whereas 172.17.23.63 should be the application pod.

I would like to get help for this issue. Please note that the application pods only have 8443 exposed and the service to the application pods is redirected to 443.
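
Reading the two access-log lines quoted in the issue field by field, as an added example that is not part of the original post or of Istio. It assumes the lines follow Istio's default Envoy text access-log format; `FIELDS`, `FLAGS`, `parse` and `diagnose` are names introduced here, and 192.0.2.10 stands in for the redacted proxy address.

```python
import shlex

# Field order assumed: Istio's default Envoy text access-log format of the
# release that produced the lines in the issue; a custom accessLogFormat differs.
FIELDS = ["request", "response_code", "response_flags", "mixer_status",
          "transport_failure", "bytes_received", "bytes_sent", "duration_ms",
          "upstream_service_time", "x_forwarded_for", "user_agent",
          "request_id", "authority", "upstream_host", "upstream_cluster",
          "upstream_local", "downstream_local", "downstream_remote",
          "requested_server_name", "route_name"]

# Envoy response flags relevant to a TCP hop that never reaches its upstream.
FLAGS = {"UH": "no healthy upstream hosts in the upstream cluster",
         "UF": "upstream connection failure",
         "NR": "no route configured",
         "UO": "upstream overflow (circuit breaking)"}

def parse(line):
    """Split one access-log line into a dict keyed by FIELDS."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # undo smart quotes
    tokens = shlex.split(line.partition("] ")[2])  # drop the [timestamp] prefix
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    return dict(zip(FIELDS, tokens))

def diagnose(line):
    """Return (hop_ok, message) for one hop of the sidecar -> gateway -> proxy path."""
    rec = parse(line)
    flags = [f for f in rec["response_flags"].split(",") if f != "-"]
    cluster = rec["upstream_cluster"]
    if flags:
        why = "; ".join(FLAGS.get(f, f) for f in flags)
        return False, f"cluster {cluster}: {why}"
    if rec["upstream_host"] == "-":
        return False, f"cluster {cluster}: no upstream host was selected"
    return True, f"cluster {cluster}: connected to {rec['upstream_host']}"

# Constructed from the two lines in the issue; 192.0.2.10 replaces the redacted IP.
SIDECAR = ('[2021-02-03T03:59:37.934Z] "- - -" 0 - "-" "-" 185 0 1 - "-" "-" "-" "-" '
           '"172.17.16.11:8080" outbound|80|proxy|istio-egressgateway.istio-system.svc.cluster.local '
           '172.17.23.63:36234 192.0.2.10:80 172.17.23.63:59646 - -')
GATEWAY = ('[2021-02-03T05:08:56.376Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" '
           '"-" - - 172.17.16.11:8080 172.17.23.63:55172 - -')

if __name__ == "__main__":
    for name, line in (("sidecar", SIDECAR), ("egress gateway", GATEWAY)):
        print(name, diagnose(line))
```

On the gateway line the upstream host and upstream cluster fields are both `-`, so the connection from the application pod was accepted on 172.17.16.11:8080 but no upstream endpoint was selected for it.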

@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label May 4, 2021
@istio-policy-bot

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2021-02-03. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

@istio-policy-bot istio-policy-bot added the lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. label May 19, 2021