My Envoy version:
envoy version: d362e791eb9e4efa8d87f6d878740e72dc8330ac/1.18.2/clean-getenvoy-76c310e-envoy/RELEASE/BoringSSL
My Envoy configuration is as below:
```yaml
admin:
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 9901
static_resources:
  listeners:
  - name: listener_443
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 443
    listener_filters:
    # original_src replicates the downstream source address on the upstream socket
    # (transparent proxying); it does not itself emit PROXY protocol headers.
    - name: envoy.filters.listener.original_src
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_src.v3.OriginalSrc
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              - match:
                  prefix: /
                route:
                  cluster: cluster_8080
              - match:
                  connect_matcher: {}
                route:
                  cluster: cluster_8080
                  timeout: 0s
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          upgrade_configs:
          - upgrade_type: CONNECT
            connect_config: {}
      # Downstream TLS termination on :443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                inline_string: |
                  -----BEGIN CERTIFICATE-----
                  cert
                  -----END CERTIFICATE-----
              private_key:
                inline_string: |
                  -----BEGIN PRIVATE KEY-----
                  cert
                  -----END PRIVATE KEY-----
  clusters:
  - name: cluster_8080
    common_http_protocol_options:
      idle_timeout: 30s
    connect_timeout: 30s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: cluster_8080
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 100.120.15.231
                port_value: 8080
    # Upstream transport socket: wraps raw_buffer (plaintext) and prepends a
    # PROXY protocol v1 header on each new connection to the upstream.
    transport_socket:
      name: envoy.transport_sockets.upstream_proxy_protocol
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
        transport_socket:
          name: envoy.transport_sockets.raw_buffer
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
        config:
          version: V1 #$META_UPTS_PP
```
Envoy is listening on port 443, and the cluster is at IP 100.120.15.231, port 8080. I need to do SSL termination, and I also need to carry forward the client IP in the PROXY protocol source header when Envoy makes the call to VM 100.120.15.231.
Is the above configuration correct?
Current observation is that TLS termination is working fine, but in the tcpdump I see that the PROXY header has the src IP set to the Envoy VM IP, and the client IP is not getting forwarded to
```text
100.120.8.10.40738 > 100.120.15.231.8080: Flags [P.], cksum 0xe13a (incorrect -> 0xa054), seq 1:52, ack 1, win 511, options [nop,nop,TS val 1878209752 ecr 2657135603], length 51: HTTP
0x0000: 4500 0067 b98f 4000 4006 a020 6478 080a E..g..@.@...dx..
0x0010: 6478 0fe7 9f22 1f90 6528 67ee 795d c0ff dx..."..e(g.y]..
0x0020: 8018 01ff e13a 0000 0101 080a 6ff3 34d8 .....:......o.4.
0x0030: 9e60 abf3 5052 4f58 5920 5443 5034 2031 .`..PROXY.TCP4.1
0x0040: 3030 2e31 3230 2e38 2e31 3020 3130 302e 00.120.8.10.100.
0x0050: 3132 302e 3135 2e32 3331 2034 3037 3338 120.15.231.40738
0x0060: 2038 3038 300d 0a .8080
```
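As an added example that is not part of the original post: the script below rebuilds the packet bytes from the tcpdump -X dump shown above (a constructed copy is embedded inline), strips the IPv4 and TCP headers, parses the PROXY protocol v1 line strictly against the haproxy specification, and then compares the addresses the header claims with the outer Envoy-to-upstream connection's own 4-tuple. That comparison is the check to run on any capture like this one: if the header's source equals the outer TCP source, the upstream learns nothing about the original client. All function names (hexdump_to_bytes, split_ipv4_tcp, parse_proxy_v1, analyse) are mine, not Envoy or haproxy APIs.

```python
"""Parse a PROXY protocol v1 header out of a tcpdump -X capture and check
whether it carries an original client address or merely repeats the
proxy-to-upstream connection's own addresses."""
import ipaddress
import re
import struct
from typing import Dict

# Constructed copy of the capture from the post (tcpdump -X, one IPv4/TCP packet).
TCPDUMP_HEX = """\
0x0000:  4500 0067 b98f 4000 4006 a020 6478 080a  E..g..@.@...dx..
0x0010:  6478 0fe7 9f22 1f90 6528 67ee 795d c0ff  dx..."..e(g.y]..
0x0020:  8018 01ff e13a 0000 0101 080a 6ff3 34d8  .....:......o.4.
0x0030:  9e60 abf3 5052 4f58 5920 5443 5034 2031  .`..PROXY.TCP4.1
0x0040:  3030 2e31 3230 2e38 2e31 3020 3130 302e  00.120.8.10.100.
0x0050:  3132 302e 3135 2e32 3331 2034 3037 3338  120.15.231.40738
0x0060:  2038 3038 300d 0a                        .8080
"""

PROXY_V1_MAX_LEN = 107  # spec: longest v1 line (TCP6) including the CRLF


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X output; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        offset, sep, body = line.partition(":")
        if not sep or not offset.strip().lower().startswith("0x"):
            continue
        groups = []
        for tok in body.split():
            # tcpdump prints at most eight 16-bit groups per line; what follows is ASCII.
            if len(groups) == 8 or not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def split_ipv4_tcp(packet: bytes) -> Dict[str, object]:
    """Return the outer addresses/ports and the TCP payload of one IPv4/TCP packet."""
    if packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled here")
    if packet[9] != 6:
        raise ValueError("not TCP")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_offset = (packet[ihl + 12] >> 4) * 4  # TCP options are included here
    return {
        "ip_src": str(ipaddress.IPv4Address(packet[12:16])),
        "ip_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "tcp_sport": sport,
        "tcp_dport": dport,
        "payload": packet[ihl + data_offset:total_len],
    }


def parse_proxy_v1(payload: bytes) -> Dict[str, object]:
    """Parse a PROXY v1 line per the haproxy spec; raise ValueError if malformed.

    A receiver must reject a malformed header rather than fall back to the
    socket's peer address, otherwise a peer can smuggle or skip the header."""
    end = payload.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ValueError("no CRLF within the 107-byte PROXY v1 limit")
    fields = payload[:end].decode("ascii").split(" ")  # spec requires single spaces
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return {"proto": "UNKNOWN", "rest": payload[end + 2:]}
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {fields!r}")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"proto": fields[1], "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport, "rest": payload[end + 2:]}


def is_valid_proxy_v1(payload: bytes) -> bool:
    """Convenience wrapper: True if the payload starts with a well-formed v1 header."""
    try:
        parse_proxy_v1(payload)
        return True
    except ValueError:
        return False


def analyse(dump: str = TCPDUMP_HEX) -> Dict[str, object]:
    """Parse the capture and report whether the PROXY header adds anything
    beyond the outer (proxy -> upstream) connection's own source address."""
    outer = split_ipv4_tcp(hexdump_to_bytes(dump))
    hdr = parse_proxy_v1(outer["payload"])
    hdr["mirrors_outer_connection"] = (
        hdr.get("src") == outer["ip_src"] and hdr.get("sport") == outer["tcp_sport"]
    )
    hdr["outer"] = {k: outer[k] for k in ("ip_src", "ip_dst", "tcp_sport", "tcp_dport")}
    return hdr


if __name__ == "__main__":
    r = analyse()
    print(f"PROXY header claims client {r['src']}:{r['sport']}; "
          f"outer TCP source is {r['outer']['ip_src']}:{r['outer']['tcp_sport']}")
    if r["mirrors_outer_connection"]:
        print("header repeats the proxy's own connection: original client not conveyed")
```

For this capture `mirrors_outer_connection` comes out True: the header's source 100.120.8.10:40738 is exactly the source of the Envoy-to-upstream TCP connection (note that 40738 is also the outer TCP source port), so the upstream gains nothing it could not already read from the socket. Re-running the same check on a capture taken after a configuration change shows immediately whether the downstream client's address has started to appear in the header. The strict parsing is deliberate: an upstream that accepts PROXY should treat a missing or malformed line as an error, not silently use the peer address.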