Support dynamic host rewrite and Proxy-Authorization Header injection via SDS in TCPProxy tunneling #13809

@larryrun

Hi team,

We use the TCPProxy filter to tunnel TCP traffic to upstream services. The upstream service is also an Envoy; it does the authn/authz check and then forwards the packets to the real port.

When a client calls a service, the traffic flow looks like this:
[Client (calls 2.2.2.2:80)] -> [iptables redirect to :8000] -> [Client-side Envoy TCPProxy (listens on 8000, tunnels based on the client request: 2.2.2.2:80)] -> [iptables redirect to :9000] -> [Service-side Envoy (listens on 9000, forwards to 2.2.2.2:80)] -> [Service (listens on 80)]

Problems we are facing:

  • The TCPProxy tunneling config only supports a hard-coded host, but in our case the upstream endpoint depends on the client request, so it would be helpful if this host field could be configured with a dynamic value, like %DOWNSTREAM_LOCAL_ADDRESS%.
  • An additional Proxy-Authorization header needs to be injected.

To address the above difficulties, we configured a second listener (just like this example in the official doc) in the client-side Envoy with HTTP filters, and redirect the packets sent from the TCPProxy filter to this listener. There we use:

  • request_headers_to_add=%DOWNSTREAM_LOCAL_ADDRESS% to add the Host (:authority) header;
  • the ext_authz filter to inject the Proxy-Authorization header (the value is a token).

So we are wondering: is this the right way to achieve our requirement, in your opinion? We see that some improvements could be made:

  • As a second listener is needed, extra unnecessary packets are generated, which seems to impact TCP performance.
  • The token injection is implemented using an ext_authz filter, not via SDS, which looks like a more appropriate way of handling token values.

One option that came to my mind is allowing an HTTP filter chain to be configured for the TCPProxy tunneling's HTTP CONNECT request, so that we can add more sophisticated HTTP logic.

For the token injection, I found another helpful feature request, #6654, that was created a long time ago. Is there any plan for it?

What do you guys think?
Thanks for your hard work and this great project!

Labels: area/tcp_proxy; enhancement (Feature requests. Not bugs or questions.); stale (stalebot believes this issue/PR has not been touched recently)