foxish · April 14, 2021 15:21
diff --git a/dynamic_fwd_http_sni.yaml b/dynamic_fwd_http_sni.yaml
 # Transparent Envoy Proxy that forwards http/https 
 # Create iptables to route 80 + 443 to 10000:
 # $ iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner envoyuser --dport 443 -j REDIRECT --to-port 10000
 # $ iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner envoyuser --dport 80 -j REDIRECT --to-port 10000
 # Run envoy
 # $ envoy -c dynamic_fwd_http_sni.yaml -l debug

 admin:
  access_log_path: /home/envoyuser/admin/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
 static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    listener_filters:
      - name: envoy.filters.listener.tls_inspector
    filter_chains:
      - filter_chain_match: 
          # transport_protocol: tls
          destination_port: 443
        filters:
          # SNI forward proxy
          - name: envoy.filters.network.sni_dynamic_forward_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3alpha.FilterConfig
              port_value: 443
              dns_cache_config:
                name: dynamic_forward_proxy_cache_config
                dns_lookup_family: V4_ONLY
          - name: envoy.tcp_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
              stat_prefix: tcp
              cluster: dynamic_forward_proxy_cluster_sni

      # HTTP forward proxy
      - filter_chain_match:
          destination_port: 80
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/force-host-rewrite"
                    route:
                      cluster: dynamic_forward_proxy_cluster_http
                    typed_per_filter_config:
                      envoy.filters.http.dynamic_forward_proxy:
                        "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
                        host_rewrite_literal: www.example.org
                  - match:
                      prefix: "/"
                    route:
                      cluster: dynamic_forward_proxy_cluster_http
              http_filters:
              - name: envoy.filters.http.dynamic_forward_proxy
                typed_config:
                  "@type": type.googleapis.com/envoy.config.filter.http.dynamic_forward_proxy.v2alpha.FilterConfig
                  dns_cache_config:
                    name: dynamic_forward_proxy_cache_config
                    dns_lookup_family: V4_ONLY
              - name: envoy.filters.http.router
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router


  clusters:
  - name: dynamic_forward_proxy_cluster_sni
    connect_timeout: 1s
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
  - name: dynamic_forward_proxy_cluster_http
    connect_timeout: 1s
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          validation_context:
            trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}
	# Transparent Envoy Proxy that forwards http/https
	# Create iptables to route 80 + 443 to 10000:
	# $ iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner envoyuser --dport 443 -j REDIRECT --to-port 10000
	# $ iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner envoyuser --dport 80 -j REDIRECT --to-port 10000
	# Run envoy
	# $ envoy -c dynamic_fwd_http_sni.yaml -l debug

	admin:
	access_log_path: /home/envoyuser/admin/admin_access.log
	address:
	socket_address:
	protocol: TCP
	address: 127.0.0.1
	port_value: 9901
	static_resources:
	listeners:
	- name: listener_0
	address:
	socket_address:
	protocol: TCP
	address: 0.0.0.0
	port_value: 10000
	listener_filters:
	- name: envoy.filters.listener.tls_inspector
	filter_chains:
	- filter_chain_match:
	# transport_protocol: tls
	destination_port: 443
	filters:
	# SNI forward proxy
	- name: envoy.filters.network.sni_dynamic_forward_proxy
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3alpha.FilterConfig
	port_value: 443
	dns_cache_config:
	name: dynamic_forward_proxy_cache_config
	dns_lookup_family: V4_ONLY
	- name: envoy.tcp_proxy
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
	stat_prefix: tcp
	cluster: dynamic_forward_proxy_cluster_sni

	# HTTP forward proxy
	- filter_chain_match:
	destination_port: 80
	filters:
	- name: envoy.filters.network.http_connection_manager
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
	stat_prefix: ingress_http
	route_config:
	name: local_route
	virtual_hosts:
	- name: local_service
	domains: ["*"]
	routes:
	- match:
	prefix: "/force-host-rewrite"
	route:
	cluster: dynamic_forward_proxy_cluster_http
	typed_per_filter_config:
	envoy.filters.http.dynamic_forward_proxy:
	"@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
	host_rewrite_literal: www.example.org
	- match:
	prefix: "/"
	route:
	cluster: dynamic_forward_proxy_cluster_http
	http_filters:
	- name: envoy.filters.http.dynamic_forward_proxy
	typed_config:
	"@type": type.googleapis.com/envoy.config.filter.http.dynamic_forward_proxy.v2alpha.FilterConfig
	dns_cache_config:
	name: dynamic_forward_proxy_cache_config
	dns_lookup_family: V4_ONLY
	- name: envoy.filters.http.router
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router


	clusters:
	- name: dynamic_forward_proxy_cluster_sni
	connect_timeout: 1s
	lb_policy: CLUSTER_PROVIDED
	cluster_type:
	name: envoy.clusters.dynamic_forward_proxy
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
	dns_cache_config:
	name: dynamic_forward_proxy_cache_config
	dns_lookup_family: V4_ONLY
	- name: dynamic_forward_proxy_cluster_http
	connect_timeout: 1s
	lb_policy: CLUSTER_PROVIDED
	cluster_type:
	name: envoy.clusters.dynamic_forward_proxy
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
	dns_cache_config:
	name: dynamic_forward_proxy_cache_config
	dns_lookup_family: V4_ONLY
	transport_socket:
	name: envoy.transport_sockets.tls
	typed_config:
	"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
	common_tls_context:
	validation_context:
	trusted_ca: {filename: /etc/ssl/certs/ca-certificates.crt}