我的书签
添加书签
移除书签Double proxy (with mTLS encryption)
Setup your sandbox environment with Docker and Docker Compose, and clone the Envoy repository with Git.
Used to make HTTP requests.
Generate SSL keys and certificates.
This sandbox demonstrates a basic “double proxy” configuration, in which a simple Flask app connects to a PostgreSQL database, with two Envoy proxies in between.
Envoy (front) -> Flask -> Envoy (postgres-front) -> Envoy (postgres-back) -> PostgreSQL
This type of setup is common in a service mesh where Envoy acts as a “sidecar” between individual services.
It can also be useful as a way of providing access for application servers to upstream services or databases that may be in a different location or subnet, outside of a service mesh or sidecar-based setup.
This example encrypts the transmission of data between the two middle proxies and provides mutual authentication using mTLS.
This can be useful if the proxies are physically separated or transmit data over untrusted networks.
In order to use the sandbox you will first need to generate the necessary SSL keys and certificates.
This example walks through creating a certificate authority, and using it to create a domain key and sign certificates for the proxies.
Change to the examples/double-proxy directory.
First create a key for the certificate authority:
Now use the key to generate a certificate authority certificate.
If you wish, you can interactively alter the fields in the certificate.
For the purpose of this example, the defaults should be sufficient.
$ openssl req -x509 -new -nodes -key certs/ca.key -sha256 -days 1024 -out certs/ca.crtYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.For some fields there will be a default value,-----Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (e.g. server FQDN or YOUR name) []:Email Address []:
Step 2: Create a domain key
Create a key for the example domain:
$ openssl req -new -sha256 \-key certs/example.com.key \-subj "/C=US/ST=CA/O=MyExample, Inc./CN=proxy-postgres-frontend.example.com" \-out certs/proxy-postgres-frontend.example.com.csr$ openssl req -new -sha256 \-out certs/proxy-postgres-backend.example.com.csr
Step 4: Sign the proxy certificates
You can now use the certificate authority that you created to sign the certificate requests.
Note the subjectAltName. This is used for reciprocally matching and validating the certificates.
At this point you should have the necessary keys and certificates to secure the connection between the proxies.
The keys and certificates are stored in the certs/ directory.
Build and start the containers.
This will load the required keys and certificates into the frontend and backend proxies.
$ pwdenvoy/examples/double-proxy$ docker-compose build --pull$ docker-compose up -d$ docker-compose psName Command State Ports--------------------------------------------------------------------------------------------------------double-proxy_app_1 python3 /code/service.py Updouble-proxy_postgres_1 docker-entrypoint.sh postgres Up 5432/tcpdouble-proxy_proxy-frontend_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10000->10000/tcpdouble-proxy_proxy-postgres-frontend_1 /docker-entrypoint.sh /usr ... Up 10000/tcp
Step 6: Check the flask app can connect to the database
Checking the response at http://localhost:10000, you should see the output from the Flask app:
See also
Outline of key concepts for securing Envoy.
Examples of various termination patterns with Envoy.
