examples: Add double proxy sandbox #13748
Conversation
Signed-off-by: Ryan Northey <ryan@synca.io>
@mattklein123 not sure how useful this is or if this is what is meant in docs etc. by "double proxy". It's the pattern I was most interested in when I first looked at Envoy - kinda like subnet (rather than pod/container) sidecars that can be used as a bridge/router to upstream services. Not sure if encrypting traffic in the middle proxies is possible, but it would make for a much better sandbox if it is, and would remove the need to use VPNs etc. in this kind of setup, esp. if we could do client authentication.
Yeah this is an example of a double proxy scenario. The most common example is in POPs, something like We can definitely encrypt across the hops. This is typically done using mTLS but it depends on the scenario. I think we could do this with a self-signed cert and make for a pretty interesting sandbox. Let me know how you want to proceed on this one. /wait
I've added mTLS and all appears to work - just ironing out wrinkles with the example. I still need to add some docs. One question I'm now wondering is whether we could/should add compression to the mTLS filling.
AFAICT compression won't work as it's HTTP/HCM based and in this example the middle proxies aren't using HTTP.
Thanks, also super awesome. @ggreenway or @PiotrSikora would one of you be willing to do a quick review of the TLS setup here? Thank you!
/wait
@mattklein123 if we can land the securing quick-start page first, I'll update this and tie them together.
Yeah I think dropping SNI from this one makes sense. /wait
Great, updating...
Latest render is here: https://storage.googleapis.com/envoy-pr/075c570/docs/start/sandboxes/double-proxy.html
Nice!
Signed-off-by: Ryan Northey ryan@synca.io
Commit Message: examples: Add double proxy sandbox
Additional Description:
This provides a sandbox with the following setup:
envoy (front)
->flask-app
->envoy (postgres-front)
->envoy (postgres-back)
->postgres
Essentially it demonstrates using Envoy in a situation where a frontend app is not on the same subnet as its db, and uses a proxy in each of the subnets to transport traffic between them.
Ideally, the traffic between
envoy (postgres-front)
->envoy (postgres-back)
should be encrypted (and perhaps authenticated) to show a situation of the traffic travelling over insecure/public networks.
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Deprecated:]
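As an added illustration (not the PR's own sandbox config), the encrypted postgres-front -> postgres-back hop expressed as two Envoy TCP proxies with mTLS, following what the thread settled on: certificates from a sandbox CA, plain TCP proxying rather than HTTP, and no SNI. The service hostnames, ports and /certs paths are assumptions, and the plain listener/cluster halves of each proxy are omitted to keep the two TLS contexts in focus.

```yaml
# postgres-back (back subnet): listener terminates mTLS and hands plain TCP to a
# "postgres" cluster (a plain STRICT_DNS cluster pointing at postgres:5432, omitted).
static_resources:
  listeners:
  - name: postgres_back
    address: { socket_address: { address: 0.0.0.0, port_value: 5432 } }
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: postgres_back
          cluster: postgres
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # the "mutual" part: a peer without a cert chaining to ca.crt is rejected at the handshake
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /certs/postgres-back.crt }   # assumed paths
              private_key: { filename: /certs/postgres-back.key }
            validation_context:
              trusted_ca: { filename: /certs/ca.crt }
---
# postgres-front (front subnet): its listener is a plain TCP proxy for flask-app
# (omitted); the cluster below originates TLS and presents a client certificate.
static_resources:
  clusters:
  - name: postgres_back
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: postgres_back
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: proxy-postgres-back, port_value: 5432 } } }  # assumed hostname
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        # no sni: set, matching the thread's decision to drop SNI; the server is authenticated by its cert chaining to ca.crt alone
        common_tls_context:
          tls_certificates:
          - certificate_chain: { filename: /certs/postgres-front.crt }
            private_key: { filename: /certs/postgres-front.key }
          validation_context:
            trusted_ca: { filename: /certs/ca.crt }
```

Because both sides validate against the same sandbox CA and the back side sets `require_client_certificate`, a connection from anything without a CA-issued certificate fails at the TLS handshake before any bytes reach postgres, which is the property the description asks for on the insecure segment.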