I've followed the entire topic of Using an External HTTPS Proxy, which pointed out that it is a VIP-based example, not a k8s service approach. But in my case Squid is accessible via a k8s service and I would like to use the FQDN, not a VIP address.

I've changed the config, removing the addresses part:

Squid Istio Service Entry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: proxy
spec:
  hosts:
  - squid.external.svc.cluster.local
  location: MESH_EXTERNAL
  exportTo: 
  - "."
  ports:
  - number: 3128
    name: tcp
    protocol: TCP

Mesh External Squid parts in external ns:

Squid Pod:

  ports:
  - containerPort: 3128
    name: http
    protocol: TCP

Squid k8s Service:

  ports:
  - name: http
    port: 3128
    protocol: TCP
    targetPort: http

Curling from the sleep container:

HTTPS_PROXY=http://squid.external:3128 curl https://en.wikipedia.org/wiki/Main_Page

gives the result on the sleep sidecar:

[2021-07-21T06:46:23.938Z] "CONNECT - HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - "-" "curl/7.77.0-DEV" "424a0870-af92-4a59-a3af-c8dc91b31512" "en.wikipedia.org:443" "-" - - 192.168.101.185:3128 10.10.2.8:39744 - -

where 192.168.101.185 is the squid service IP.

Envoy error says that there is no route, but it found the service. What is missing and what is wrong? I appreciate any help or suggestion.

Maciek Leks

1 Answer

I've struggled with that until I found "CONNECT - HTTP/1.1" 404 NR route_not_found. And finally I've solved that issue by bypassing the istio sidecar for my outbound traffic on the SQUID port:

Sample proxy client POD with istio sidecar:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: deb
  template:
    metadata:
      labels:
        app: deb
      annotations: 
        traffic.sidecar.istio.io/excludeOutboundPorts: '3128' # A comma separated list of outbound ports to be excluded from redirection to Envoy.
    spec:
      terminationGracePeriodSeconds: 0
      containers:
      - name: debian
        image: debian:buster
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent

Now I can use my private k8s proxy without adding any ServiceEntry with IP addresses.

$ HTTPS_PROXY=squid.external:3128 curl https://something

Of course I cannot track my outbound traffic to that proxy in the istio sidecar.

Maciek Leks
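An added example, not part of the question or answer: a small Python parser for Istio's default sidecar access-log format that pulls the method, response flags, authority and downstream address out of lines like the one quoted in the question, so `route_not_found` CONNECTs toward the proxy port can be triaged from sidecar logs (and, after `excludeOutboundPorts` is applied, their absence confirmed). The second sample log line is constructed; only the first is from the question.

```python
import shlex

# Field order of Istio's default Envoy access log format (text mode).
FIELDS = (
    "start_time", "request", "response_code", "response_flags",
    "response_code_details", "connection_termination_details",
    "upstream_transport_failure_reason", "bytes_received", "bytes_sent",
    "duration_ms", "upstream_service_time", "x_forwarded_for", "user_agent",
    "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
)

def parse_access_log(line):
    """Split one sidecar access-log line into a dict keyed by FIELDS."""
    tokens = shlex.split(line)  # honours the double-quoted fields
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens))
    rec["start_time"] = rec["start_time"].strip("[]")
    # "%REQ(:METHOD)% %REQ(...PATH)% %PROTOCOL%" becomes three separate keys
    rec["method"], rec["path"], rec["protocol"] = rec["request"].split(" ", 2)
    flags = rec["response_flags"]
    rec["response_flags"] = [] if flags == "-" else flags.split(",")
    return rec

def failed_proxy_connects(lines, proxy_port):
    """Return (authority, details) for CONNECTs to proxy_port that Envoy
    answered itself with NR (no route), i.e. Squid was never reached."""
    hits = []
    for line in lines:
        rec = parse_access_log(line)
        if (rec["method"] == "CONNECT"
                and rec["downstream_local_address"].endswith(f":{proxy_port}")
                and "NR" in rec["response_flags"]):
            hits.append((rec["authority"], rec["response_code_details"]))
    return hits

# Constructed sample: the first line is the one quoted in the question, the
# second is a made-up CONNECT that the sidecar did forward to the Squid upstream.
SAMPLE_LOG = [
    '[2021-07-21T06:46:23.938Z] "CONNECT - HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - "-" "curl/7.77.0-DEV" "424a0870-af92-4a59-a3af-c8dc91b31512" "en.wikipedia.org:443" "-" - - 192.168.101.185:3128 10.10.2.8:39744 - -',
    '[2021-07-21T06:50:01.120Z] "CONNECT - HTTP/1.1" 200 - via_upstream - "-" 812 5673 142 2 "-" "curl/7.77.0-DEV" "0f3d9d5c-0000-4000-8000-000000000001" "example.org:443" "10.10.3.4:3128" outbound|3128||squid.external.svc.cluster.local 10.10.2.8:41200 192.168.101.185:3128 10.10.2.8:39800 - default',
]

if __name__ == "__main__":
    for authority, why in failed_proxy_connects(SAMPLE_LOG, 3128):
        print(f"sidecar dropped CONNECT {authority}: {why}")
```

Feed it `kubectl logs <pod> -c istio-proxy` output instead of `SAMPLE_LOG` to check real sidecars.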