blog

SEAN K.H. LIAO

envoy

envoy has somehow made its way to become the foundational L7 proxy for cloud native stuff. It shines when it's dynamically configured (usually remotely), but sometimes a static config is all you need.

Anyway, I need a reverse proxy, so why not try it out. (I would have used k8s and an ingress but it kills a GCP f1-micro instance).

I have 2 static upstreams listening on localhost, and a wildcard cert through acme.sh --yes-I-know-dns-manual-mode-enough-go-ahead-please. No, I don't plan on keeping this server around long enough to need to renew it.

Anyway, the config is YAML with way too many levels on indentation, but fairly understandable. There's a wildcard http->https redirect, and 2 virtual hosts.

note: I was originally looking at the latest docs (1.18-rc) which had new stdout logging... it doesn't work on 1.17 (because it's new).

static_resources:
  listeners:
    - name: http
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                codec_type: AUTO
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /var/log//envoy
                http_filters:
                  - name: envoy.filters.http.router
                route_config:
                  name: default_route
                  virtual_hosts:
                    - name: redirect
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          redirect:
                            https_redirect: true
    - name: https
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                codec_type: AUTO
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /var/log//envoy
                http_filters:
                  - name: envoy.filters.http.router
                route_config:
                  name: default_route
                  virtual_hosts:
                    - name: paste
                      domains:
                        - "p.seankhliao.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: paste_cluster
                    - name: feed-agg
                      domains:
                        - "feed-agg.seankhliao.com"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: feed-agg_cluster
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      filename: /etc/certs/*.seankhliao.com.cer
                    private_key:
                      filename: /etc/certs/*.seankhliao.com.key

  clusters:
    - name: feed-agg_cluster
      connect_timeout: 0.25s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: feed-agg_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 28003
    - name: paste_cluster
      connect_timeout: 0.25s
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: paste_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 28002