• Using an External HTTPS Proxy
    • Before you begin
    • Deploy an HTTPS proxy
    • Configure traffic to external HTTPS proxy
    • Understanding what happened
    • Cleanup
    • See also

    Using an External HTTPS Proxy

    The Configure an Egress Gateway example shows how to directtraffic to external services from your mesh via an Istio edge component called Egress Gateway. However, somecases require an external, legacy (non-Istio) HTTPS proxy to access external services. For example, yourcompany may already have such a proxy in place and all the applications within the organization may be required todirect their traffic through it.

    This example shows how to enable access to an external HTTPS proxy. Since applications use the HTTP CONNECT method to establish connections with HTTPS proxies,configuring traffic to an external HTTPS proxy is different from configuring traffic to external HTTP and HTTPSservices.

    Before you begin

    • Setup Istio by following the instructions in the Installation guide.

    • Deploy the sleep sample app to use as a test source for sending requests.If you haveautomatic sidecar injectionenabled, run the following command to deploy the sample app:

    Zip

    1. $ kubectl apply -f @samples/sleep/sleep.yaml@

    Otherwise, manually inject the sidecar before deploying the sleep application with the following command:

    Zip

    1. $ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)

    You can use any pod with curl installed as a test source.

    • Set the SOURCE_POD environment variable to the name of your source pod:
    1. $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
    • Enable Envoy’s access logging

    Deploy an HTTPS proxy

    To simulate a legacy proxy and only for this example, you deploy an HTTPS proxy inside your cluster.Also, to simulate a more realistic proxy that is running outside of your cluster, you will address the proxy’s podby its IP address and not by the domain name of a Kubernetes service.This example uses Squid but you can use any HTTPS proxy that supports HTTP CONNECT.

    • Create a namespace for the HTTPS proxy, without labeling it for sidecar injection. Without the label, sidecarinjection is disabled in the new namespace so Istio will not control the traffic there.You need this behavior to simulate the proxy being outside of the cluster.
    1. $ kubectl create namespace external
    • Create a configuration file for the Squid proxy.
    1. $ cat <<EOF > ./proxy.conf
    2. http_port 3128
    4. acl SSL_ports port 443
    5. acl CONNECT method CONNECT
    7. http_access deny CONNECT !SSL_ports
    8. http_access allow localhost manager
    9. http_access deny manager
    10. http_access allow all
    12. coredump_dir /var/spool/squid
    13. EOF
    • Create a Kubernetes ConfigMapto hold the configuration of the proxy:
    1. $ kubectl create configmap proxy-configmap -n external --from-file=squid.conf=./proxy.conf
    • Deploy a container with Squid:
    1. $ kubectl apply -f - <<EOF
    2. apiVersion: apps/v1
    3. kind: Deployment
    4. metadata:
    5.   name: squid
    6.   namespace: external
    7. spec:
    8.   replicas: 1
    9.   template:
    10.     metadata:
    11.       labels:
    12.         app: squid
    13.     spec:
    14.       volumes:
    15.       - name: proxy-config
    16.         configMap:
    17.           name: proxy-configmap
    18.       containers:
    19.       - name: squid
    20.         image: sameersbn/squid:3.5.27
    21.         imagePullPolicy: IfNotPresent
    22.         volumeMounts:
    23.         - name: proxy-config
    24.           mountPath: /etc/squid
    25.           readOnly: true
    26. EOF
    • Deploy the sleep sample in the external namespace to test traffic to theproxy without Istio traffic control.

    Zip

    1. $ kubectl apply -n external -f @samples/sleep/sleep.yaml@
    • Obtain the IP address of the proxy pod and define the PROXY_IP environment variable to store it:
    1. $ export PROXY_IP=$(kubectl get pod -n external -l app=squid -o jsonpath={.items..podIP})
    • Define the PROXY_PORT environment variable to store the port of your proxy. In this case, Squid uses port3128.
    1. $ export PROXY_PORT=3128
    • Send a request from the sleep pod in the external namespace to an external service via the proxy:
    1. $ kubectl exec -it $(kubectl get pod -n external -l app=sleep -o jsonpath={.items..metadata.name}) -n external -- sh -c "HTTPS_PROXY=$PROXY_IP:$PROXY_PORT curl https://en.wikipedia.org/wiki/Main_Page" | grep -o "<title>.*</title>"
    2. <title>Wikipedia, the free encyclopedia</title>
    • Check the access log of the proxy for your request:
    1. $ kubectl exec -it $(kubectl get pod -n external -l app=squid -o jsonpath={.items..metadata.name}) -n external -- tail -f /var/log/squid/access.log
    2. 1544160065.248    228 172.30.109.89 TCP_TUNNEL/200 87633 CONNECT en.wikipedia.org:443 - HIER_DIRECT/91.198.174.192 -

    So far, you completed the following tasks without Istio:

    • You deployed the HTTPS proxy.
    • You used curl to access the wikipedia.org external service through the proxy.

    Next, you must configure the traffic from the Istio-enabled pods to use the HTTPS proxy.

    Configure traffic to external HTTPS proxy

    • Define a TCP (not HTTP!) Service Entry for the HTTPS proxy. Although applications use the HTTP CONNECT method toestablish connections with HTTPS proxies, you must configure the proxy for TCP traffic, instead of HTTP. Once theconnection is established, the proxy simply acts as a TCP tunnel.
    1. $ kubectl apply -f - <<EOF
    2. apiVersion: networking.istio.io/v1alpha3
    3. kind: ServiceEntry
    4. metadata:
    5.   name: proxy
    6. spec:
    7.   hosts:
    8.   - my-company-proxy.com # ignored
    9.   addresses:
    10.   - $PROXY_IP/32
    11.   ports:
    12.   - number: $PROXY_PORT
    13.     name: tcp
    14.     protocol: TCP
    15.   location: MESH_EXTERNAL
    16. EOF
    • Send a request from the sleep pod in the default namespace. Because the sleep pod has a sidecar,Istio controls its traffic.
    1. $ kubectl exec -it $SOURCE_POD -c sleep -- sh -c "HTTPS_PROXY=$PROXY_IP:$PROXY_PORT curl https://en.wikipedia.org/wiki/Main_Page" | grep -o "<title>.*</title>"
    2. <title>Wikipedia, the free encyclopedia</title>
    • Check the Istio sidecar proxy’s logs for your request:
    1. $ kubectl logs $SOURCE_POD -c istio-proxy
    2. [2018-12-07T10:38:02.841Z] "- - -" 0 - 702 87599 92 - "-" "-" "-" "-" "172.30.109.95:3128" outbound|3128||my-company-proxy.com 172.30.230.52:44478 172.30.109.95:3128 172.30.230.52:44476 -
    • Check the access log of the proxy for your request:
    1. $ kubectl exec -it $(kubectl get pod -n external -l app=squid -o jsonpath={.items..metadata.name}) -n external -- tail -f /var/log/squid/access.log
    2. 1544160065.248    228 172.30.109.89 TCP_TUNNEL/200 87633 CONNECT en.wikipedia.org:443 - HIER_DIRECT/91.198.174.192 -

    Understanding what happened

    In this example, you took the following steps:

    • Deployed an HTTPS proxy to simulate an external proxy.
    • Created a TCP service entry to enable Istio-controlled traffic to the external proxy.Note that you must not create service entries for the external services you access through the external proxy, likewikipedia.org. This is because from Istio’s point of view the requests are sent to the external proxy only; Istio isnot aware of the fact that the external proxy forwards the requests further.

    Cleanup

    • Shutdown the sleep service:

    Zip

    1. $ kubectl delete -f @samples/sleep/sleep.yaml@
    • Shutdown the sleep service in the external namespace:

    Zip

    1. $ kubectl delete -f @samples/sleep/sleep.yaml@ -n external
    • Shutdown the Squid proxy, remove the ConfigMap and the configuration file:
    1. $ kubectl delete -n external deployment squid
    2. $ kubectl delete -n external configmap proxy-configmap
    3. $ rm ./proxy.conf
    • Delete the external namespace:
    1. $ kubectl delete namespace external
    • Delete the Service Entry:
    1. $ kubectl delete serviceentry proxy

    See also

    Secure Control of Egress Traffic in Istio, part 3

    Comparison of alternative solutions to control egress traffic including performance considerations.

    Secure Control of Egress Traffic in Istio, part 2

    Use Istio Egress Traffic Control to prevent attacks involving egress traffic.

    Secure Control of Egress Traffic in Istio, part 1

    Attacks involving egress traffic and requirements for egress traffic control.

    Egress Gateway Performance Investigation

    Verifies the performance impact of adding an egress gateway.

    Consuming External MongoDB Services

    Describes a simple scenario based on Istio's Bookinfo example.

    Monitoring and Access Policies for HTTP Egress Traffic

    Describes how to configure Istio for monitoring and access policies of HTTP egress traffic.