
12021-04-08

SEAN K.H. LIAO

envoy

envoy has somehow become the foundational L7 proxy for cloud native stuff. It shines when it's dynamically configured (usually remotely), but sometimes a static config is all you need.

Anyway, I need a reverse proxy, so why not try it out. (I would have used k8s and an ingress but it kills a GCP f1-micro instance).

I have 2 static upstreams listening on localhost, and a wildcard cert through acme.sh --yes-I-know-dns-manual-mode-enough-go-ahead-please. No, I don't plan on keeping this server around long enough to need to renew it.

Anyway, the config is YAML with way too many levels of indentation, but fairly understandable. There's a wildcard http->https redirect, and 2 virtual hosts.

note: I was originally looking at the latest docs (1.18-rc) which had new stdout logging... it doesn't work on 1.17 (because it's new).

static_resources:
  listeners:
    - name: http
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                codec_type: AUTO
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /var/log/envoy
                http_filters:
                  - name: envoy.filters.http.router
                route_config:
                  name: default_route
                  virtual_hosts:
                    - name: redirect
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          redirect:
                            https_redirect: true
    - name: https
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                codec_type: AUTO
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /var/log/envoy
                http_filters:
                  - name: envoy.filters.http.router
                route_config:
                  name: default_route
                  virtual_hosts:
                    - name: paste
                      domains:
                        - "p.seankhliao.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: paste_cluster
                    - name: feed-agg
                      domains:
                        - "feed-agg.seankhliao.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: feed-agg_cluster
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      filename: /etc/certs/*.seankhliao.com.cer
                    private_key:
                      filename: /etc/certs/*.seankhliao.com.key

  clusters:
    - name: feed-agg_cluster
      connect_timeout: 0.25s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: feed-agg_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 28003
    - name: paste_cluster
      connect_timeout: 0.25s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: paste_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 28002
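A static config like the one above is easy to get subtly wrong: a typo in a cluster name only shows up as a 404/503 at runtime, a vhost on the TLS listener can silently lose its transport socket, and the plaintext listener can end up proxying instead of redirecting. Envoy's own check is `envoy --mode validate -c envoy.yaml`, which catches schema errors but not these intent-level mistakes. The following is an added example (mine, not Envoy's tooling and not from the post) that walks the parsed config and reports such findings. It assumes the config has already been loaded into a dict (e.g. with PyYAML's `yaml.safe_load`); `sample_config()` constructs a dict shaped like the post's YAML, with placeholder domains and cert paths, so the check runs offline.

```python
"""Intent-level sanity checks for an Envoy static_resources config (added example)."""
from __future__ import annotations
from typing import Any

HCM_TYPE = "HttpConnectionManager"   # suffix of the HTTP connection manager @type URL
TLS_TYPE = "DownstreamTlsContext"    # suffix of the TLS transport socket @type URL


def _hcm_filters(chain: dict[str, Any]):
    """Yield the typed_config of each HTTP connection manager in a filter chain."""
    for f in chain.get("filters", []):
        tc = f.get("typed_config", {})
        if tc.get("@type", "").endswith(HCM_TYPE):
            yield tc


def check_envoy_config(cfg: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: list[str] = []
    sr = cfg.get("static_resources", {})
    defined = {c["name"] for c in sr.get("clusters", [])}
    referenced: set[str] = set()

    for lst in sr.get("listeners", []):
        name = lst.get("name", "<unnamed>")
        port = lst["address"]["socket_address"]["port_value"]
        for chain in lst.get("filter_chains", []):
            ts_type = chain.get("transport_socket", {}).get("typed_config", {}).get("@type", "")
            tls = ts_type.endswith(TLS_TYPE)
            if port == 443 and not tls:
                findings.append(f"listener {name}: port 443 filter chain has no TLS transport socket")
            for hcm in _hcm_filters(chain):
                if not hcm.get("access_log"):
                    findings.append(f"listener {name}: HTTP connection manager has no access_log")
                for vh in hcm.get("route_config", {}).get("virtual_hosts", []):
                    vname = vh.get("name", "<unnamed>")
                    for r in vh.get("routes", []):
                        if "route" in r:
                            cluster = r["route"].get("cluster")
                            referenced.add(cluster)
                            if cluster not in defined:
                                findings.append(f"listener {name}/vhost {vname}: routes to undefined cluster {cluster!r}")
                            if not tls:
                                findings.append(f"listener {name}/vhost {vname}: proxies to {cluster} over plaintext")
                        elif "redirect" in r and not tls and not r["redirect"].get("https_redirect"):
                            findings.append(f"listener {name}/vhost {vname}: plaintext redirect does not force https")

    for cluster in sorted(defined - referenced):
        findings.append(f"cluster {cluster}: defined but no route references it")
    return findings


# --- constructed sample config mirroring the post's YAML (placeholder hosts/paths) ---

def _hcm(vhosts: list[dict[str, Any]]) -> dict[str, Any]:
    return {"name": "envoy.filters.network.http_connection_manager", "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
        "stat_prefix": "ingress_http", "codec_type": "AUTO",
        "access_log": [{"name": "envoy.access_loggers.file", "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
            "path": "/var/log/envoy"}}],
        "http_filters": [{"name": "envoy.filters.http.router"}],
        "route_config": {"name": "default_route", "virtual_hosts": vhosts}}}


def _cluster(name: str, port: int) -> dict[str, Any]:
    return {"name": name, "connect_timeout": "0.25s", "type": "STATIC", "lb_policy": "ROUND_ROBIN",
            "load_assignment": {"cluster_name": name, "endpoints": [{"lb_endpoints": [{"endpoint": {
                "address": {"socket_address": {"address": "127.0.0.1", "port_value": port}}}}]}]}}


def sample_config(paste_cluster_ref: str = "paste_cluster") -> dict[str, Any]:
    """http->https redirect plus two TLS vhosts; paste_cluster_ref lets a test inject a typo."""
    http = {"name": "http", "address": {"socket_address": {"address": "0.0.0.0", "port_value": 80}},
            "filter_chains": [{"filters": [_hcm([{"name": "redirect", "domains": ["*"],
                "routes": [{"match": {"prefix": "/"}, "redirect": {"https_redirect": True}}]}])]}]}
    tls_socket = {"name": "envoy.transport_sockets.tls", "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
        "common_tls_context": {"tls_certificates": [{"certificate_chain": {"filename": "/etc/certs/example.cer"},
                                                     "private_key": {"filename": "/etc/certs/example.key"}}]}}}
    https = {"name": "https", "address": {"socket_address": {"address": "0.0.0.0", "port_value": 443}},
             "filter_chains": [{"filters": [_hcm([
                 {"name": "paste", "domains": ["p.example.com"],
                  "routes": [{"match": {"prefix": "/"}, "route": {"cluster": paste_cluster_ref}}]},
                 {"name": "feed-agg", "domains": ["feed-agg.example.com"],
                  "routes": [{"match": {"prefix": "/"}, "route": {"cluster": "feed-agg_cluster"}}]}])],
                 "transport_socket": tls_socket}]}
    return {"static_resources": {"listeners": [http, https],
                                 "clusters": [_cluster("feed-agg_cluster", 28003), _cluster("paste_cluster", 28002)]}}


if __name__ == "__main__":
    for finding in check_envoy_config(sample_config(paste_cluster_ref="paste-cluster")) or ["ok"]:
        print(finding)
```

Run against the clean sample it reports nothing; with a hyphen/underscore slip in the paste route it reports both the dangling route reference and the now-orphaned cluster, which is exactly the class of mistake that otherwise only surfaces as an `NR`/`UF` response flag in the access log.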