Using an External HTTPS Proxy

This example shows how to enable access to an external HTTPS proxy. Since applications use the HTTP CONNECT method to establish connections with HTTPS proxies, configuring traffic to an external HTTPS proxy is different from configuring traffic to external HTTP and HTTPS services.

Setup Istio by following the instructions in the Installation guide.

The egress gateway and access logging will be enabled if you install the .
Deploy the sleep sample app to use as a test source for sending requests. If you have enabled, run the following command to deploy the sample app:

Zip

Otherwise, manually inject the sidecar before deploying the sleep application with the following command:
```
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
```
You can use any pod with curl installed as a test source.

Set the SOURCE_POD environment variable to the name of your source pod:

$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})

Enable Envoy’s access logging

To simulate a legacy proxy and only for this example, you deploy an HTTPS proxy inside your cluster. Also, to simulate a more realistic proxy that is running outside of your cluster, you will address the proxy’s pod by its IP address and not by the domain name of a Kubernetes service. This example uses Squid but you can use any HTTPS proxy that supports HTTP CONNECT.

```
$ kubectl create namespace external
```

Create a configuration file for the Squid proxy.

$ cat <<EOF > ./proxy.conf
http_port 3128
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow all
coredump_dir /var/spool/squid
EOF

Create a Kubernetes to hold the configuration of the proxy:

$ kubectl create configmap proxy-configmap -n external --from-file=squid.conf=./proxy.conf

Deploy a container with Squid:

$ kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: squid
  namespace: external
  replicas: 1
  selector:
    matchLabels:
      app: squid
    metadata:
      labels:
        app: squid
    spec:
      volumes:
      - name: proxy-config
        configMap:
          name: proxy-configmap
      containers:
      - name: squid
        image: sameersbn/squid:3.5.27
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: proxy-config
          mountPath: /etc/squid
          readOnly: true
EOF

Deploy the sleep sample in the external namespace to test traffic to the proxy without Istio traffic control.
Obtain the IP address of the proxy pod and define the PROXY_IP environment variable to store it:
```
$ export PROXY_IP="$(kubectl get pod -n external -l app=squid -o jsonpath={.items..podIP})"
```
Define the PROXY_PORT environment variable to store the port of your proxy. In this case, Squid uses port 3128.
```
$ export PROXY_PORT=3128
```

Send a request from the sleep pod in the external namespace to an external service via the proxy:

$ kubectl exec "$(kubectl get pod -n external -l app=sleep -o jsonpath={.items..metadata.name})" -n external -- sh -c "HTTPS_PROXY=$PROXY_IP:$PROXY_PORT curl https://en.wikipedia.org/wiki/Main_Page" | grep -o "<title>.*</title>"
<title>Wikipedia, the free encyclopedia</title>

Check the access log of the proxy for your request:

$ kubectl exec "$(kubectl get pod -n external -l app=squid -o jsonpath={.items..metadata.name})" -n external -- tail /var/log/squid/access.log
1544160065.248    228 172.30.109.89 TCP_TUNNEL/200 87633 CONNECT en.wikipedia.org:443 - HIER_DIRECT/91.198.174.192 -

So far, you completed the following tasks without Istio:

You deployed the HTTPS proxy.
You used curl to access the wikipedia.org external service through the proxy.

Next, you must configure the traffic from the Istio-enabled pods to use the HTTPS proxy.


kind: ServiceEntry
metadata:
  name: proxy
spec:
  hosts:
  - my-company-proxy.com # ignored
  addresses:
  - $PROXY_IP/32
  ports:
  - number: $PROXY_PORT
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
EOF

Send a request from the sleep pod in the default namespace. Because the sleep pod has a sidecar, Istio controls its traffic.

$ kubectl exec "$SOURCE_POD" -c sleep -- sh -c "HTTPS_PROXY=$PROXY_IP:$PROXY_PORT curl https://en.wikipedia.org/wiki/Main_Page" | grep -o "<title>.*</title>"
<title>Wikipedia, the free encyclopedia</title>

Check the Istio sidecar proxy’s logs for your request:

Check the access log of the proxy for your request:

$ kubectl exec "$(kubectl get pod -n external -l app=squid -o jsonpath={.items..metadata.name})" -n external -- tail /var/log/squid/access.log
1544160065.248    228 172.30.109.89 TCP_TUNNEL/200 87633 CONNECT en.wikipedia.org:443 - HIER_DIRECT/91.198.174.192 -

In this example, you took the following steps:

Deployed an HTTPS proxy to simulate an external proxy.
Created a TCP service entry to enable Istio-controlled traffic to the external proxy.

Note that you must not create service entries for the external services you access through the external proxy, like wikipedia.org. This is because from Istio’s point of view the requests are sent to the external proxy only; Istio is not aware of the fact that the external proxy forwards the requests further.

Shutdown the service:

Zip

$ kubectl delete -f @samples/sleep/sleep.yaml@

Shutdown the service in the external namespace:

Zip

$ kubectl delete -f @samples/sleep/sleep.yaml@ -n external

Shutdown the Squid proxy, remove the ConfigMap and the configuration file:

$ kubectl delete -n external deployment squid
$ kubectl delete -n external configmap proxy-configmap
$ rm ./proxy.conf

Delete the external namespace:
```
$ kubectl delete namespace external
```