@salrashid123
Last active June 7, 2023 12:36
https CONNECT proxy for envoy

Envoy terminates TLS on the proxy listener itself (port 3128), accepts an HTTP CONNECT request and tunnels the client's bytes to httpbin.org:443. The client's own TLS session to httpbin.org runs inside that tunnel and is not terminated or inspected by the proxy.

To use, download all the files below, then run

./envoy -c basic.yaml -l debug

The proxy certificate is issued for squid.yourdomain.com, so point that name at the listener:

cat /etc/hosts
127.0.0.1 squid.yourdomain.com

Then connect through the proxy, trusting the CA that issued the proxy certificate (the origin's certificate is still verified against the system trust store):

curl -v -x https://squid.yourdomain.com:3128 --proxy-cacert tls-ca.crt  -L https://httpbin.org/get

basic.yaml

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        # Bound to loopback: only local clients can reach the proxy. There is no
        # proxy authentication in this config, so do not expose it more widely as-is.
        address: 127.0.0.1
        port_value: 3128
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              # Match CONNECT requests only; a plain GET/POST sent to the proxy has no route (404).
              - match:
                  connect_matcher:
                    {}
                route:
                  # Every CONNECT is tunneled to this fixed cluster; the host:port the
                  # client asked for is not used to pick the destination. A general
                  # forward proxy would use Envoy's dynamic forward proxy cluster instead.
                  cluster: service_httpbin
                  upgrade_configs:
                  - upgrade_type: CONNECT
                    connect_config:
                      {}
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          # Also accept CONNECT over HTTP/2 (curl's trace below negotiates HTTP/1.1 to the proxy).
          http2_protocol_options:
            allow_connect: true
          upgrade_configs:
          - upgrade_type: CONNECT
      # The proxy itself speaks TLS to the client: this is what makes it an "https"
      # proxy and what curl verifies with --proxy-cacert tls-ca.crt.
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: server_crt.pem
              private_key:
                filename: server_key.pem
  clusters:
  # Plain TCP to the origin: the client's own TLS session to httpbin.org runs inside
  # the tunnel and is not terminated by Envoy, so no upstream transport_socket is
  # configured here.
  - name: service_httpbin
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_httpbin
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: httpbin.org
                port_value: 443

server_crt.pem

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

server_key.pem

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

tls-ca.crt

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
@salrashid123 (Author)

$ curl -v -x https://squid.yourdomain.com:3128 --proxy-cacert tls-ca.crt  -L https://httpbin.org/get
*   Trying 127.0.0.1:3128...
* Connected to squid.yourdomain.com (127.0.0.1) port 3128 (#0)
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: tls-ca.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Proxy certificate:
*  subject: C=US; O=Google; OU=Enterprise; CN=squid.yourdomain.com
*  start date: Jan  9 22:27:28 2022 GMT
*  expire date: Jul  2 22:27:28 2027 GMT
*  subjectAltName: host "squid.yourdomain.com" matched cert's "squid.yourdomain.com"
*  issuer: C=US; O=Google; OU=Enterprise; CN=Enterprise Subordinate CA
*  SSL certificate verify ok.
* allocate connect buffer
* Establish HTTP proxy tunnel to httpbin.org:443
> CONNECT httpbin.org:443 HTTP/1.1
> Host: httpbin.org:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< date: Wed, 07 Jun 2023 12:00:08 GMT
< server: envoy
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=httpbin.org
*  start date: Mar  1 00:00:00 2023 GMT
*  expire date: Nov 19 23:59:59 2023 GMT
*  subjectAltName: host "httpbin.org" matched cert's "httpbin.org"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /get]
* h2h3 [:scheme: https]
* h2h3 [:authority: httpbin.org]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x555fc3f7c050)
> GET /get HTTP/2
> Host: httpbin.org
> user-agent: curl/7.88.1
> accept: */*
> 
< HTTP/2 200 
< date: Wed, 07 Jun 2023 12:00:11 GMT
< content-type: application/json
< content-length: 256
< server: gunicorn/19.9.0
< access-control-allow-origin: *
< access-control-allow-credentials: true
< 
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Host": "httpbin.org", 
    "User-Agent": "curl/7.88.1", 
    "X-Amzn-Trace-Id": "Root=1-64807148-4985c40a521be7e73ab608ee"
  }, 
  "origin": "108.56.239.251", 
  "url": "https://httpbin.org/get"
}
* Connection #0 to host squid.yourdomain.com left intact
