SEANK.H.LIAO

envoy 1.17 static

sometimes you're just too lazy to set up k8s

envoy

envoy has somehow made its way to become the foundational L7 proxy for cloud native stuff. It shines when it's dynamically configured (usually remotely), but sometimes a static config is all you need.

Anyway, I need a reverse proxy, so why not try it out. (I would have used k8s and an ingress but it kills a GCP f1-micro instance).

I have 2 static upstreams listening on localhost, and a wildcard cert through acme.sh --yes-I-know-dns-manual-mode-enough-go-ahead-please. No, I don't plan on keeping this server around long enough to need to renew it.

Anyway, the config is YAML with way too many levels of indentation, but fairly understandable. There's a wildcard http->https redirect, and 2 virtual hosts.

note: I was originally looking at the latest docs (1.18-rc) which had new stdout logging... it doesn't work on 1.17 (because it's new).

static_resources:
  listeners:
    # port 80: no upstreams, every request is redirected to https
    - name: http
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                codec_type: AUTO
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /var/log//envoy
                http_filters:
                  - name: envoy.filters.http.router
                route_config:
                  name: default_route
                  virtual_hosts:
                    - name: redirect
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          redirect:
                            https_redirect: true
    # port 443: terminates TLS and routes by Host header to the two local upstreams
    - name: https
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                codec_type: AUTO
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /var/log//envoy
                http_filters:
                  - name: envoy.filters.http.router
                route_config:
                  name: default_route
                  virtual_hosts:
                    - name: paste
                      domains:
                        - "p.seankhliao.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: paste_cluster
                    - name: feed-agg
                      domains:
                        - "feed-agg.seankhliao.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: feed-agg_cluster
          # wildcard cert and key issued by acme.sh
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      filename: /etc/certs/*.seankhliao.com.cer
                    private_key:
                      filename: /etc/certs/*.seankhliao.com.key

  # the 2 static upstreams, both listening on localhost only
  clusters:
    - name: feed-agg_cluster
      connect_timeout: 0.25s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: feed-agg_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 28003
    - name: paste_cluster
      connect_timeout: 0.25s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: paste_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 28002
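
A hardened variant of the https listener's TLS setup, as an added example that is not part of the original post. On 1.17 a downstream TLS context still accepts TLS 1.0 by default and exposes no ALPN, so `codec_type: AUTO` never gets to negotiate HTTP/2; the TLS 1.2 floor and the HSTS max-age are assumed choices, and the paths and names are the ones from the config above.

```yaml
# Fragment 1 replaces the transport_socket block of the https listener
# (same indentation level as "filters").
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    common_tls_context:
      # Assumed policy: refuse TLS 1.0/1.1, which the 1.17 server default still allows.
      tls_params:
        tls_minimum_protocol_version: TLSv1_2
      # Without this list Envoy exposes no ALPN, so clients stay on HTTP/1.1.
      alpn_protocols:
        - h2
        - http/1.1
      tls_certificates:
        - certificate_chain:
            filename: /etc/certs/*.seankhliao.com.cer
          private_key:
            filename: /etc/certs/*.seankhliao.com.key
---
# Fragment 2 replaces the "paste" virtual host of the https listener; the same
# response_headers_to_add block applies to "feed-agg".
- name: paste
  domains:
    - "p.seankhliao.com"
  # HSTS keeps returning browsers off port 80 entirely. max-age is a constructed,
  # deliberately short value: the certificate here is not going to be renewed.
  response_headers_to_add:
    - header:
        key: Strict-Transport-Security
        value: max-age=86400
      append: false
  routes:
    - match:
        prefix: "/"
      route:
        cluster: paste_cluster
```

The merged file can be checked with `envoy --mode validate -c <config>` before restarting the proxy.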