SNI-based routing in Envoy

Published on 2025-02-04 04:34:40

I am working on a use case to do SNI-based routing in Envoy without doing TLS termination.

Scenario:
A customer makes an HTTPS request for the domain name dd-server_name-zion-zorfy.com

I need to extract the domain name using SNI and forward the request to the upstream with the DNS name wd-server_name-zion-zorfy.com

The server_name is dynamic in nature and can have different values. Basically, I need to replace the dd prefix in the host name with wd and route the request to this destination without doing TLS termination in Envoy.

I have the Envoy configuration below, and when I make an HTTPS request, I get a connection timeout error:

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 9002
    listener_filters:
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:
      - name: envoy.filters.network.sni_dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
          port_value: 443
          dns_cache_config:
            name: dynamic_forward_proxy_cache_config
            dns_lookup_family: V4_ONLY
            - name: envoy.filters.http.lua
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              inline_code: |
                function envoy_on_request(request_handle)
                  host = string.match(request_handle:headers():get("host"), "dd%-(.*)")
                  target = "wd-" .. host
                  REQUESTED_SERVER_NAME = target
                end
      - name: envoy.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: dynamic_forward_proxy_cluster
          tunneling_config:
            hostname: "%REQUESTED_SERVER_NAME%:443"
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY

Can someone help me with what changes I need to make in the Envoy configuration to get this working? Is this even doable?
