
Wondering if I can migrate an nginx configuration like this to Istio.

The underlying problem statement is how to expose AWS's VPC Elasticsearch over a public load balancer. The AWS ES instance is protected using a Cognito endpoint. While I can get the Cognito redirect to work, it constructs a redirect URL like

https:/mydomain.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=6rn9ch5reoehhle1gmfgv238k0&redirect_uri=https://vpc-mykibana-111xxx.us-east1.es.amazonaws.com/_plugin/kibana/app/kibana&state=7781cfab-838b-4473-9b7f-3ba2b3238528. This redirect URL is not configurable in Cognito and is probably coming out of the ES configuration out of the box.

This is from the guide https://aws.amazon.com/premiumsupport/knowledge-center/kibana-outside-vpc-nginx-elasticsearch/.

server {
    listen 443;
    server_name $host;

    location ^~ /_plugin/kibana {
        # Forward requests to Kibana -> done using route
        proxy_pass https://vpc-mykibana-111xxx.us-east1.es.amazonaws.com/_plugin/kibana;

        # Handle redirects to Amazon Cognito -> seems working out of box
        proxy_redirect https://mydomain.auth.us-east-1.amazoncognito.com https://$host;

        # Update cookie domain and path
        proxy_cookie_domain vpc-mykibana-111xxx.us-east1.es.amazonaws.com $host;

        proxy_set_header Accept-Encoding "";
        sub_filter_types *;
        # <- main reason why the redirects are not correct for us
        sub_filter vpc-mykibana-111xxx.us-east1.es.amazonaws.com $host;
        sub_filter_once off;

        # Response buffer settings <- not important
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    location ~ \/(log|sign|error|fav|forgot|change|confirm) {
        # Forward requests to Cognito
        proxy_pass https://mydomain.auth.us-east-1.amazoncognito.com;

        # Handle redirects to Kibana
        proxy_redirect https://vpc-mykibana-111xxx.us-east1.es.amazonaws.com https://$host;

        # Handle redirects to Amazon Cognito
        proxy_redirect https://mydomain.auth.us-east-1.amazoncognito.com https://$host;

        # Update cookie domain
        proxy_cookie_domain mydomain.auth.us-east-1.amazoncognito.com $host;
    }
}

Tried with a simple virtual service, but I have no idea how to move on from here.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: siem-route
  namespace: siem
spec:
  hosts:
    - siem.jupiter.money
  gateways:
    - istio-system/http-gateway
  http:
    - match:
      - uri:
          # "match" is not a valid uri field; use prefix (or exact/regex)
          prefix: /_plugin/kibana
      route:
        - destination:
            # external hostname: the mesh only knows it if a ServiceEntry declares it
            host: vpc-mykibana-111xxx.us-east1.es.amazonaws.com
rohit
  • Why not combine them? Like for example [here](https://istio.io/pt-br/docs/tasks/security/authentication/https-overlay/#create-an-https-service-with-the-istio-sidecar-and-mutual-tls-disabled). Create an injected nginx pod with your configuration and then create a virtual service with this injected nginx pod as the host? – Jakub May 11 '20 at 09:17
  • hey, did you manage to get it to work? – 4c74356b41 Oct 12 '21 at 04:17

1 Answer


Wondering if I can migrate a nginx configuration like this to istio.

As I mentioned in the comments, you should rather use them together; it's not possible to do things like proxy_pass in a virtual service.

As mentioned here

Shouldn’t it be possible to let ISTIO do the reverse proxy thing, so that no one needs a webserver (httpd/nginx/ lighthttpd/…) to do the reverse proxy job?

And the answer:

The job of the Istio control plane is to configure a fleet of reverse proxies. The purpose of the webserver is to serve content, not reverse proxy. The reverse proxy technology at the heart of Istio is Envoy, and Envoy can be used as a replacement for HAProxy, nginx, Apache, F5, or any other component that is being used as a reverse proxy.


Instead, you could create an nginx pod with your configuration and create a virtual service with nginx as the route host.

So it would look like the example below.

EXAMPLE

ingress gateway -> gateway -> Virtual Service -> nginx ( reverse proxy and other stuff configured on nginx) -> kibana,cognito

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test
spec:
  hosts:
    - siem.jupiter.money
  gateways:
    # Kubernetes names cannot contain "_", so use a hyphen
    - gateway-test
  http:
    - match:
      - uri:
          # "match" is not a valid uri field; use prefix (or exact/regex)
          prefix: /_plugin/kibana
      route:
        - destination:
            host: nginx.default.svc.cluster.local
Jakub
  • thanks for the answer. I was looking more into how to use EnvoyFilter to do the equivalent only. Istio has a CRD to inject an Envoy filter, something like https://github.com/envoyproxy/envoy/issues/9170 – rohit Jun 05 '20 at 09:29
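To make the chain in the answer concrete, here is an added example (not from the original answer or from Istio's docs) of the pieces its VirtualService assumes: the Gateway it references, the nginx Service it routes to, and the Deployment that runs the posted nginx server block from a ConfigMap. The names gateway-test, nginx, siem-tls and nginx-kibana-conf are assumptions; the Gateway terminates TLS for siem.jupiter.money, and because the posted config uses "listen 443;" without "ssl", nginx speaks plain HTTP on 443 and the Service port is named http so the sidecar treats it as such.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway-test   # assumed; the VirtualService's gateways entry must match
spec:
  selector:
    istio: ingressgateway
  servers:
    - port: {number: 443, name: https, protocol: HTTPS}
      tls: {mode: SIMPLE, credentialName: siem-tls}   # assumed TLS secret in istio-system
      hosts: [siem.jupiter.money]
---
apiVersion: v1
kind: Service
metadata:
  name: nginx          # resolves as nginx.default.svc.cluster.local
spec:
  selector: {app: nginx}
  ports:
    - {name: http, port: 443, targetPort: 443}   # "listen 443;" without ssl is plain HTTP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels: {app: nginx}
  template:
    metadata:
      labels: {app: nginx}   # sidecar is injected when the namespace has istio-injection=enabled
    spec:
      containers:
        - name: nginx
          image: nginx:1.25
          ports: [{containerPort: 443}]
          volumeMounts:
            - {name: conf, mountPath: /etc/nginx/conf.d/default.conf, subPath: default.conf}
      volumes:
        - name: conf
          configMap: {name: nginx-kibana-conf}   # assumed ConfigMap holding the posted server block
```

With these in place the gateway -> VirtualService -> nginx hop is covered by mesh mTLS, and the only TLS the operator manages is the certificate in the siem-tls secret; the proxy_pass, proxy_redirect and sub_filter rewrites stay in nginx exactly as posted.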