This sets up a local envoy proxy which is solely for augmenting the request with
the necessary authorization headers, before it send a request to the upstream.

Here is a major issue with the dynamic proxy. Example request:

1.`curl "https://service.our.domain.com"`
2. DNS lookup on the host machine resolves this domain to `127.0.0.1`
   1. This is because we have made a specific entry in our `/etc/hosts` to
      ensure this is routed through the local proxy
3. Request is routed to the local envoy proxy, for the sake of this example,
   lets assume it uses the dynamic proxy listener
4. The dynamic proxy checks what kind of connection it is and handles, let's
   assume it's an http request
5. Envoy does TLS termination, it's SAN ext allows it to use hostname
6. Envoy augments the request before proxying it upstream, adding authentication
   headers using whichever method (lua or ext authz)
7. Envoy takes the 'host' header from the original request, and attempts to
   resolve that host (or use a cached entry)
   1. Resolving `service.our.domain.com` may resolve to `127.0.0.1` because of
      DNS resolution caching, and because of `/etc/hosts` entry
8. If resolved to `127.0.0.1` envoy attempts to intiate a connection with it's
   own listener.
   1. This fails because the TLS cert is not valid according to the envoy
      container's CAs
9. If resolved to the proper upstream, everything works fine.

### How to diagnose this?

1. Intermittent failures
   1. If this is failing occasionally it's probably because of this. It mostly
      all depends on how the upstream resolves, and if the good/bad entry has
      been cached or not.
2. TLS errors
   1. Curls to the endpoint will result in a 503 with logs like
      ```
      curl: (22) The requested URL returned error: 503
      upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end
      ```
   2. Envoy logs like:
      ```
      [2025-04-15 21:45:11.169][15][debug][connection] [source/common/tls/cert_validator/default_validator.cc:339] verify cert failed: X509_verify_cert: certificate verification error at depth 0: unable to get local issuer certificate
      ```
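Review bot: steps 7 and 8 correctly identify the root cause (the upstream `host` header resolving back to Envoy's own listener) but step 8.1 stops at the symptom, and the write-up should say plainly that the certificate rejection is only what breaks the loop: a certificate Envoy did trust would just send the request back through steps 3 to 8 again, so the fix belongs in how the dynamic proxy resolves names inside the Envoy container (whether it sees the host-side `/etc/hosts` entry from step 2.1, and what it has cached), not in the container's CA bundle. Step 7.1 should also replace "may resolve" with the actual condition observed, since "intermittent failures" in the diagnosis section only makes sense once the reader knows what flips the cached entry. Smaller points in the same hunk: "before it send a request" should read "before it sends a request", "lets assume" should be "let's assume", "it's SAN ext" and "it's own listener" should use "its", "intiate" should be "initiate", and the first list item needs a space after "1." (markdown does not treat `1.\`curl ...\`` as a list item, so the list will render starting at 2). In the "TLS errors" block, the first line is curl's own message and the second is the 503 response body Envoy returned; labelling them as such would make the second line easier to grep for in application logs.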