Using an External HTTPS Proxy
The Configure an Egress Gateway example shows how to direct traffic to external services from your mesh via an Istio edge component called Egress Gateway. However, some cases require an external, legacy (non-Istio) HTTPS proxy to access external services. For example, your company may already have such a proxy in place, and all the applications within the organization may be required to direct their traffic through it.
This example shows how to enable access to an external HTTPS proxy. Since applications use the HTTP CONNECT method to establish connections with HTTPS proxies, configuring traffic to an external HTTPS proxy is different from configuring traffic to external HTTP and HTTPS services.
Before you begin
Set up Istio by following the instructions in the Installation guide.
Deploy the sleep sample app to use as a test source for sending requests. If you have automatic sidecar injection enabled, run the following command to deploy the sample app:
Otherwise, manually inject the sidecar before deploying the sleep application with the following command:
Set the SOURCE_POD environment variable to the name of your source pod:
Deploy an HTTPS proxy
To simulate a legacy proxy, and only for this example, you deploy an HTTPS proxy inside your cluster. Also, to simulate a more realistic proxy that is running outside of your cluster, you will address the proxy’s pod by its IP address and not by the domain name of a Kubernetes service. This example uses Squid, but you can use any HTTPS proxy that supports HTTP CONNECT.
Create a namespace for the HTTPS proxy, without labeling it for sidecar injection. Without the label, sidecar injection is disabled in the new namespace so Istio will not control the traffic there. You need this behavior to simulate the proxy being outside of the cluster.
Create a configuration file for the Squid proxy.
Create a Kubernetes ConfigMap to hold the configuration of the proxy:
Deploy a container with Squid:
Deploy the sleep sample in the external namespace to test traffic to the proxy without Istio traffic control.
Obtain the IP address of the proxy pod and define the PROXY_IP environment variable to store it:
Define the PROXY_PORT environment variable to store the port of your proxy. In this case, Squid uses port 3128.
Send a request from the sleep pod in the external namespace to an external service via the proxy:
Check the access log of the proxy for your request:
So far, you completed the following tasks without Istio:
- You deployed the HTTPS proxy.
- You used curl to access the wikipedia.org external service through the proxy.
Next, you must configure the traffic from the Istio-enabled pods to use the HTTPS proxy.
Configure traffic to external HTTPS proxy
Define a TCP (not HTTP!) Service Entry for the HTTPS proxy. Although applications use the HTTP CONNECT method to establish connections with HTTPS proxies, you must configure the proxy for TCP traffic, instead of HTTP. Once the connection is established, the proxy simply acts as a TCP tunnel.
Send a request from the sleep pod in the default namespace. Because the sleep pod has a sidecar, Istio controls its traffic.
Check the Istio sidecar proxy’s logs for your request:
Check the access log of the proxy for your request:
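To make the "TCP tunnel" point behind the TCP service entry concrete, here is an added example in Python (not code from the Istio documentation): a minimal CONNECT proxy standing in for Squid, a local echo stub standing in for the external destination, and a client that performs the handshake. The loopback ports, the wikipedia.org:443 target and the payload bytes are constructed for the demo; only the CONNECT request and its 200 reply are HTTP, everything after is opaque bytes the proxy relays unchanged.

```python
import socket
import threading

def _serve_echo(listener):
    """Constructed stand-in for the real destination (e.g. wikipedia.org:443): echoes one read."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(conn.recv(4096))

def _serve_connect_proxy(listener, upstream_port):
    """Minimal HTTPS proxy in the Squid role: parse one CONNECT request, then relay raw TCP."""
    client, _ = listener.accept()
    with client:
        request = b""
        while b"\r\n\r\n" not in request:
            request += client.recv(4096)
        method, target, _version = request.split(b"\r\n", 1)[0].split(b" ")
        if method != b"CONNECT":
            client.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        # A real proxy dials the host:port in `target`; here every target maps to the local stub.
        with socket.create_connection(("127.0.0.1", upstream_port)) as upstream:
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            # After the 200 the proxy never parses again: it is a blind TCP tunnel,
            # which is why the Istio service entry for it must be TCP, not HTTP.
            upstream.sendall(client.recv(4096))
            client.sendall(upstream.recv(4096))

def connect_through_proxy(proxy_port, dest_host, dest_port, payload):
    """Client side: CONNECT handshake, then application bytes through the tunnel."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
                  % (dest_host.encode(), dest_port, dest_host.encode(), dest_port))
        reply = b""
        while b"\r\n\r\n" not in reply:
            reply += s.recv(4096)
        status = reply.split(b"\r\n", 1)[0].decode()
        if not status.startswith("HTTP/1.1 200"):
            return status, None  # proxy refused; no tunnel was opened
        s.sendall(payload)  # would be the TLS ClientHello for a real HTTPS client
        return status, s.recv(4096)

def run_demo(payload=b"\x16\x03\x01 constructed TLS ClientHello bytes"):
    """Wire up echo stub and proxy on ephemeral loopback ports, run one tunnel, return (status, echoed)."""
    echo, proxy = socket.socket(), socket.socket()
    echo.bind(("127.0.0.1", 0)); echo.listen(1)
    proxy.bind(("127.0.0.1", 0)); proxy.listen(1)
    threading.Thread(target=_serve_echo, args=(echo,), daemon=True).start()
    threading.Thread(target=_serve_connect_proxy, args=(proxy, echo.getsockname()[1]), daemon=True).start()
    return connect_through_proxy(proxy.getsockname()[1], "wikipedia.org", 443, payload)
```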
Understanding what happened
In this example, you took the following steps:
- Deployed an HTTPS proxy to simulate an external proxy.
- Created a TCP service entry to enable Istio-controlled traffic to the external proxy.
Note that you must not create service entries for the external services you access through the external proxy, like wikipedia.org. This is because from Istio’s point of view the requests are sent to the external proxy only; Istio is not aware of the fact that the external proxy forwards the requests further.