istio: httpproxy fails when using Istio

(This is used to report product bugs, please visit https://discuss.istio.io for questions on using Istio)

Bug description

I have an app written in Java, and the app accesses X site using a proxy http://www.myproxy.com:8080. I start the app using `java -Dhttps.proxyHost=www.myproxy.com -Dhttps.proxyPort=8080 -jar myapp`. It runs well in k8s without Istio. When I inject the Istio sidecar into the app (without any ServiceEntry), it cannot access X site through the proxy http://www.myproxy.com:8080; its response status is 404.

Expected behavior

The app can access the external site through the specified proxy.

Version (include the output of istioctl version --remote and kubectl version)

kubectl version:

```
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:02:58Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
```

istioctl version --remote:

```
client version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.4-10-g9b6d31b"}
citadel version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
galley version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
ingressgateway version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.4-10-g9b6d31b"}
pilot version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
policy version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
sidecar-injector version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
telemetry version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
```

How was Istio installed?

Installed using Helm.

Environment where bug was observed (cloud vendor, OS, etc)

CentOS Linux release 7.6.1810 (Core)

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (1 by maintainers)

Most upvoted comments

@g-p-n, thanks for your reply. I also tested using a curl pod, with the image from https://hub.docker.com/r/appropriate/curl, injected with the Istio sidecar with --proxyLogLevel=trace. Then I used the command `curl -x http://hkproxy.global.test.com:8080 https://www.google.com` and the response is `curl: (56) Received HTTP code 404 from proxy after CONNECT`.

The istio-proxy trace log file is here. I can see that Envoy adds some headers in the HTTP CONNECT; I don't know if it is the cause.

```
[2019-06-25 07:12:48.248][26][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:363] [C5] parsing 120 bytes
[2019-06-25 07:12:48.248][26][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:476] [C5] message begin
[2019-06-25 07:12:48.249][26][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:243] [C5] new stream
[2019-06-25 07:12:48.249][26][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:331] [C5] completed header: key=Host value=www.google.com:443
[2019-06-25 07:12:48.249][26][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:331] [C5] completed header: key=User-Agent value=curl/7.59.0
[2019-06-25 07:12:48.249][26][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:442] [C5] headers complete
[2019-06-25 07:12:48.249][26][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:331] [C5] completed header: key=Proxy-Connection value=Keep-Alive
[2019-06-25 07:12:48.249][26][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:463] [C5] message complete
[2019-06-25 07:12:48.249][26][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:580] [C5][S5680453476879491337] request headers complete (end_stream=true):
':authority', 'www.google.com:443'
':path', 'www.google.com:443'
':method', 'CONNECT'
'user-agent', 'curl/7.59.0'
'proxy-connection', 'Keep-Alive'

[2019-06-25 07:12:48.249][26][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1040] [C5][S5680453476879491337] request end stream
[2019-06-25 07:12:48.249][26][debug][filter] [src/envoy/http/mixer/filter.cc:39] Called Mixer::Filter : Filter
[2019-06-25 07:12:48.249][26][debug][filter] [src/envoy/http/mixer/filter.cc:146] Called Mixer::Filter : setDecoderFilterCallbacks
[2019-06-25 07:12:48.249][26][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:1200] [C5][S5680453476879491337] encode headers called: filter=0x2ecfd60 status=0
[2019-06-25 07:12:48.249][26][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:1200] [C5][S5680453476879491337] encode headers called: filter=0x2ecfcc0 status=0
[2019-06-25 07:12:48.249][26][debug][filter] [src/envoy/http/mixer/filter.cc:133] Called Mixer::Filter : encodeHeaders 0
[2019-06-25 07:12:48.249][26][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:1200] [C5][S5680453476879491337] encode headers called: filter=0x2ecfa40 status=0
[2019-06-25 07:12:48.249][26][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1305] [C5][S5680453476879491337] encoding headers via codec (end_stream=true):
':status', '404'
'date', 'Tue, 25 Jun 2019 07:12:48 GMT'
'server', 'envoy'
```
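A triage helper for logs like the one in the comment above, as an added example that is not part of the original comment or of Istio's own tooling: it pairs each stream's request headers with the response headers Envoy encoded for it, so a rejected CONNECT and the `server` value on its response stand out. The sample text is excerpted from the log quoted above, and the function names `summarize_streams` and `failed_connects` are hypothetical.

```python
import re

# Excerpt of the trace log quoted in the comment above (conn_manager lines only).
SAMPLE_LOG = """\
[2019-06-25 07:12:48.249][26][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:580] [C5][S5680453476879491337] request headers complete (end_stream=true):
':authority', 'www.google.com:443'
':path', 'www.google.com:443'
':method', 'CONNECT'
'user-agent', 'curl/7.59.0'
'proxy-connection', 'Keep-Alive'

[2019-06-25 07:12:48.249][26][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1040] [C5][S5680453476879491337] request end stream
[2019-06-25 07:12:48.249][26][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1305] [C5][S5680453476879491337] encoding headers via codec (end_stream=true):
':status', '404'
'date', 'Tue, 25 Jun 2019 07:12:48 GMT'
'server', 'envoy'
"""

# An entry starts at "[timestamp][thread][level]"; splitting on that prefix
# also works when the log has been flattened onto a single line.
ENTRY_START = re.compile(r"(?=\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+\]\[\d+\]\[\w+\])")
STREAM = re.compile(r"\[C(\d+)\]\[S(\d+)\] (request headers complete|encoding headers via codec)")
# Header pairs are printed as 'name', 'value'; tolerate typographic quotes.
PAIR = re.compile(r"['‘]([^'’]*)['’],\s*['‘]([^'’]*)['’]")

def summarize_streams(log_text):
    """Map (connection id, stream id) to its request and response headers."""
    streams = {}
    for entry in ENTRY_START.split(log_text):
        m = STREAM.search(entry)
        if not m:
            continue
        conn, stream, kind = m.groups()
        rec = streams.setdefault((conn, stream), {"request": {}, "response": {}})
        side = "request" if kind.startswith("request") else "response"
        rec[side].update(PAIR.findall(entry[m.end():]))
    return streams

def failed_connects(streams):
    """List (conn, stream, authority, status, server) for non-2xx CONNECTs."""
    out = []
    for (conn, stream), rec in sorted(streams.items()):
        req, resp = rec["request"], rec["response"]
        status = resp.get(":status")
        if req.get(":method") == "CONNECT" and status and not status.startswith("2"):
            out.append((conn, stream, req.get(":authority"), status, resp.get("server")))
    return out

if __name__ == "__main__":
    for row in failed_connects(summarize_streams(SAMPLE_LOG)):
        print("C%s S%s CONNECT %s -> %s (server: %s)" % row)
```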