Configuration issue to direct HTTPS_PROXY to egress gateway #30606
Labels
lifecycle/automatically-closed
Indicates a PR or issue that has been closed automatically.
lifecycle/stale
Indicates a PR or issue hasn't been manipulated by an Istio team member for a while
I tried setting up Egress to HTTPS proxy as per the documentation.
Thereafter routing the traffic to egress gateway as such:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: proxy
spec:
  hosts:
  addresses:
  ports:
  - name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: egressgw
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: tcp
      protocol: TCP
    hosts:
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressdr
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: proxy
spec:
  hosts:
  gateways:
  tcp:
  - match:
    - port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: proxy
  - match:
    - port: 80
    route:
    - destination:
        host: proxy-server.com
From my application istio-proxy, I can see the outbound traffic as such:
[2021-02-03T03:59:37.934Z] "- - -" 0 - "-" "-" 185 0 1 - "-" "-" "-" "-" "172.17.16.11:8080" outbound|80|proxy|istio-egressgateway.istio-system.svc.cluster.local 172.17.23.63:36234 xxx.xxx.xxx.xxx:80 172.17.23.63:59646 - -
From these logs, it seems like the sidecar can access egress pods. I managed to ping successfully from the application pod to the proxy server. However, I am not able to curl from application port to internet services. The error message is as follows:
sh-4.2$ curl https://www.google.com -vvv
About to connect() to proxy xxx.xxx.xxx.xxx port 80 (#0)
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 80 (#0)
Establish HTTP proxy tunnel to www.google.com:443
Proxy auth using Basic with user '*****'
CONNECT www.google.com:443 HTTP/1.1
Host: www.google.com:443
Proxy-Authorization: Basic ****
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive
Proxy CONNECT aborted
Connection #0 to host xxx.xxx.xxx.xxx left intact
curl: (56) Proxy CONNECT aborted
From the egress-gateway pod, I am getting UH errors:
[2021-02-03T05:08:56.376Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - 172.17.16.11:8080 172.17.23.63:55172 - -
172.17.16.11 should be the egress-gateway pod whereas 172.17.23.63 should be the application pod.
I would like to get help for this issue. Please note that the application pods only have 8443 exposed and the service to the application pods is redirected to 443.
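Added example, not part of the original issue and not Istio's own code: a Python parser for the two access-log lines quoted above that names the fields and expands Envoy response flags such as `UH`. The field positions are an assumption read off the layout of those two lines (which were logged at different times), and the function names and flag table belong to this example.

```python
import shlex

# Constructed input: the issue's two access-log lines, retyped with plain quotes.
SIDECAR = ('[2021-02-03T03:59:37.934Z] "- - -" 0 - "-" "-" 185 0 1 - "-" "-" "-" "-" '
           '"172.17.16.11:8080" '
           'outbound|80|proxy|istio-egressgateway.istio-system.svc.cluster.local '
           '172.17.23.63:36234 xxx.xxx.xxx.xxx:80 172.17.23.63:59646 - -')
GATEWAY = ('[2021-02-03T05:08:56.376Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" '
           '"-" - - 172.17.16.11:8080 172.17.23.63:55172 - -')

# Assumption: token positions read off the two lines above, not from a format spec.
FIELDS = {2: "response_code", 3: "response_flags", 6: "bytes_received",
          7: "bytes_sent", 14: "upstream_host", 15: "upstream_cluster",
          16: "upstream_local", 17: "downstream_local", 18: "downstream_remote"}

# Envoy response flags that describe connection-level failures.
FLAGS = {"UH": "no healthy upstream host in the upstream cluster",
         "UF": "upstream connection failure",
         "UO": "upstream overflow (circuit breaking)",
         "NR": "no route configured",
         "UC": "upstream connection termination",
         "DC": "downstream connection termination"}

def parse_access_log(line):
    """Split one access-log line into named fields; '-' becomes None."""
    tokens = shlex.split(line)  # keeps each quoted field as a single token
    if len(tokens) != 21:
        raise ValueError(f"expected 21 fields, got {len(tokens)}")
    rec = {"timestamp": tokens[0].strip("[]")}
    for idx, name in FIELDS.items():
        rec[name] = None if tokens[idx] == "-" else tokens[idx]
    return rec

def explain_flags(rec):
    """Expand the comma-separated response flags into readable reasons."""
    flags = (rec["response_flags"] or "").split(",")
    return [f"{f}: {FLAGS.get(f, 'unrecognised flag')}" for f in flags if f]

def triage(sidecar_line, gateway_line):
    """Compare a sidecar log line with a gateway log line for the same path."""
    side, gw = parse_access_log(sidecar_line), parse_access_log(gateway_line)
    return {
        # The sidecar's upstream should be the listener the gateway logged.
        "sidecar_reached_gateway": side["upstream_host"] == gw["downstream_local"],
        "gateway_upstream_host": gw["upstream_host"],  # None: no host was selected
        "gateway_failure": explain_flags(gw),
    }

if __name__ == "__main__":
    print(triage(SIDECAR, GATEWAY))
```

On these two lines the sidecar's upstream matches the gateway's listener address, while the gateway line carries `UH` with no upstream host or cluster recorded.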