This filter is based on envoy-filter-example.
It emits to the log the SNI of a connection and the SNI of the network level.
The SNI of a connection is populated by the envoy.listener.tls_inspector listener filter.
The SNI of the network level is populated by the GetSNIsFilter network filter.
- Update envoy submodule
git submodule update --init
- Replace line 5 in envoy-get-sni-filter/envoy/ci/run_envoy_docker.sh:
. ci/envoy_build_sha.sh
with:
SCRIPT_DIR_PATH="`dirname \"$0\"`"
. "$SCRIPT_DIR_PATH"/envoy_build_sha.sh
- Set the output build dir path:
export ENVOY_DOCKER_BUILD_DIR=~/envoyproxy/envoy-get-snis-filter/build
- Build the example with docker by running the script './ci/do_ci.sh build' inside docker:
$ pwd
~/envoyproxy/envoy-get-snis-filter
$ ./envoy/ci/run_envoy_docker.sh './ci/do_ci.sh build'
- Set the working directory:
cd ~/envoyproxy/envoy-get-snis-filter/
- Build the image
docker build -f ci/Dockerfile-envoy-get-snis -t ronensch/envoy-get-snis-filter .
- Push the image to the hub
docker push ronensch/envoy-get-snis-filter
- Run first instance of envoy
envoy -c ./envoy_config.json --v2-config-only
- From a new terminal, run a second instance of envoy
envoy -c envoy_config2.json --v2-config-only --base-id 2
- From a new terminal make a request to the first envoy
curl -Ivk https://edition.cnn.com --resolve edition.cnn.com:443:127.0.0.1
- In the second envoy's log, one can spot the inner SNI edition.cnn.com while the outer SNI is envoy2.local
[2018-08-23 17:49:26.383][28869][info][filter] get_snis.cc:12] GetSNIsFilter:onNewConnection(), connection requestedServerName: envoy2.local
[*** LOG ERROR ***] [2018-08-23 17:49:26] [filter] string pointer is null
[2018-08-23 17:49:26.450][28869][info][filter] get_snis.cc:18] GetSNIsFilter:onData(), connection requestedServerName: envoy2.local
[2018-08-23 17:49:26.450][28869][info][filter] get_snis.cc:19] GetSNIsFilter:onData(), network level requestedServerName: edition.cnn.com
[2018-08-23 17:49:26.519][28869][info][filter] get_snis.cc:18] GetSNIsFilter:onData(), connection requestedServerName: envoy2.local
[2018-08-23 17:49:26.520][28869][info][filter] get_snis.cc:19] GetSNIsFilter:onData(), network level requestedServerName: edition.cnn.com
[2018-08-23 17:49:26.584][28869][info][filter] get_snis.cc:18] GetSNIsFilter:onData(), connection requestedServerName: envoy2.local
[2018-08-23 17:49:26.584][28869][info][filter] get_snis.cc:19] GetSNIsFilter:onData(), network level requestedServerName: edition.cnn.com
[2018-08-23 17:49:26.652][28869][info][filter] get_snis.cc:18] GetSNIsFilter:onData(), connection requestedServerName: envoy2.local
[2018-08-23 17:49:26.652][28869][info][filter] get_snis.cc:19] GetSNIsFilter:onData(), network level requestedServerName: edition.cnn.com
[2018-08-23 17:49:26.652][28869][info][filter] get_snis.cc:18] GetSNIsFilter:onData(), connection requestedServerName: envoy2.local
[2018-08-23 17:49:26.652][28869][info][filter] get_snis.cc:19] GetSNIsFilter:onData(), network level requestedServerName: edition.cnn.com
[2018-08-23T14:49:26.383Z] "- - -" 0 - 783 6642 333 - "-" "-" "-" "-" "151.101.1.67:443"
The first envoy redirects its traffic to the second envoy which listens on port 15002.
The second envoy sends the traffic to cnn.com.
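To review which inner SNI travelled under which outer SNI, the GetSNIsFilter log lines shown above can be paired and counted. The following is an added example, not part of this project: the names `sni_pairs` and `tally` are hypothetical, and pairing a "connection" line with the next "network level" line from the same thread id is an assumption, because the log carries no connection id.

```python
import re
from collections import Counter

# Line format copied from the GetSNIsFilter log output shown above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\]\[info\]\[filter\] get_snis\.cc:\d+\] "
    r"GetSNIsFilter:(?P<callback>\w+)\(\), "
    r"(?P<kind>connection|network level) requestedServerName: (?P<sni>\S+)$"
)

def sni_pairs(lines):
    """Return (timestamp, outer_sni, inner_sni) for each onData() pair of lines."""
    pairs = []
    pending = {}  # thread id -> (timestamp, outer SNI); assumption: no connection id is logged
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or m["callback"] != "onData":
            continue  # access log, "[*** LOG ERROR ***]" and onNewConnection() lines
        if m["kind"] == "connection":
            pending[m["tid"]] = (m["ts"], m["sni"])
        elif m["tid"] in pending:
            ts, outer = pending.pop(m["tid"])
            pairs.append((ts, outer, m["sni"]))
    return pairs

def tally(pairs):
    """Count how often each inner SNI was carried under each outer SNI."""
    return Counter((outer, inner) for _, outer, inner in pairs)

# The first seven lines are copied from the log above; the last line is constructed
# to show a connection line with no network-level line after it (it yields no pair).
SAMPLE_LOG = """\
[2018-08-23 17:49:26.383][28869][info][filter] get_snis.cc:12] GetSNIsFilter:onNewConnection(), connection requestedServerName: envoy2.local
[*** LOG ERROR ***] [2018-08-23 17:49:26] [filter] string pointer is null
[2018-08-23 17:49:26.450][28869][info][filter] get_snis.cc:18] GetSNIsFilter:onData(), connection requestedServerName: envoy2.local
[2018-08-23 17:49:26.450][28869][info][filter] get_snis.cc:19] GetSNIsFilter:onData(), network level requestedServerName: edition.cnn.com
[2018-08-23 17:49:26.519][28869][info][filter] get_snis.cc:18] GetSNIsFilter:onData(), connection requestedServerName: envoy2.local
[2018-08-23 17:49:26.520][28869][info][filter] get_snis.cc:19] GetSNIsFilter:onData(), network level requestedServerName: edition.cnn.com
[2018-08-23T14:49:26.383Z] "- - -" 0 - 783 6642 333 - "-" "-" "-" "-" "151.101.1.67:443"
[2018-08-23 17:49:27.000][28869][info][filter] get_snis.cc:18] GetSNIsFilter:onData(), connection requestedServerName: envoy2.local
"""

if __name__ == "__main__":
    for (outer, inner), n in tally(sni_pairs(SAMPLE_LOG.splitlines())).items():
        print(f"outer={outer} inner={inner} count={n}")
```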