Difference between revisions of "Envoyproxy sandbox"
Jump to navigation
Jump to search
| (5 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | # mtls postgres | ||
| + | |||
| + | - https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/double-proxy | ||
| + | https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/securing | ||
| + | |||
| + | |||
| + | https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni | ||
| + | |||
https://github.com/salrashid123/envoy_control/blob/master/bbc.yaml | https://github.com/salrashid123/envoy_control/blob/master/bbc.yaml | ||
| + | ``` | ||
curl -vvI https://gnupg.org | curl -vvI https://gnupg.org | ||
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text | echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text | ||
| + | nmap --script ssl-enum-ciphers -p 10000 localhost | ||
| + | |||
| + | ``` | ||
| + | |||
| + | envoy -c sandbox.yaml | ||
| + | |||
| + | |||
| + | sandbox.yaml | ||
| + | ``` | ||
| + | admin: | ||
| + | access_log_path: /dev/null | ||
| + | address: | ||
| + | socket_address: | ||
| + | address: 127.0.0.1 | ||
| + | port_value: 9000 | ||
| + | |||
| + | node: | ||
| + | cluster: service_greeter | ||
| + | id: test-id | ||
| + | |||
| + | static_resources: | ||
| + | listeners: | ||
| + | - name: listener_0 | ||
| + | address: | ||
| + | socket_address: { address: 0.0.0.0, port_value: 10000 } | ||
| + | filter_chains: | ||
| + | - filters: | ||
| + | - name: envoy.filters.network.http_connection_manager | ||
| + | typed_config: | ||
| + | "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
| + | stat_prefix: ingress_http | ||
| + | codec_type: AUTO | ||
| + | route_config: | ||
| + | name: local_route | ||
| + | virtual_hosts: | ||
| + | - name: local_service | ||
| + | domains: ["*"] | ||
| + | routes: | ||
| + | - match: | ||
| + | prefix: "/" | ||
| + | route: | ||
| + | cluster: service_bbc | ||
| + | prefix_rewrite: "/robots.txt" | ||
| + | host_rewrite_literal: "www.bbc.com" | ||
| + | http_filters: | ||
| + | - name: envoy.filters.http.router | ||
| + | transport_socket: | ||
| + | name: envoy.transport_sockets.tls | ||
| + | typed_config: | ||
| + | "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext | ||
| + | common_tls_context: | ||
| + | tls_certificate_sds_secret_configs: | ||
| + | - name: server_cert | ||
| + | tls_params: | ||
| + | tls_maximum_protocol_version: TLSv1_3 | ||
| + | tls_minimum_protocol_version: TLSv1_2 | ||
| + | cipher_suites: | ||
| + | - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]' | ||
| + | - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]' | ||
| + | - 'ECDHE-ECDSA-AES128-SHA' | ||
| + | - 'ECDHE-RSA-AES128-SHA' | ||
| + | - 'AES128-GCM-SHA256' | ||
| + | - 'AES128-SHA' | ||
| + | - 'ECDHE-ECDSA-AES256-GCM-SHA384' | ||
| + | - 'ECDHE-RSA-AES256-GCM-SHA384' | ||
| + | - 'ECDHE-ECDSA-AES256-SHA' | ||
| + | - 'ECDHE-RSA-AES256-SHA' | ||
| + | - 'AES256-GCM-SHA384' | ||
| + | - 'AES256-SHA' | ||
| + | ecdh_curves: [ | ||
| + | "P-256" | ||
| + | ] | ||
| + | |||
| + | clusters: | ||
| + | - name: service_bbc | ||
| + | connect_timeout: 0.25s | ||
| + | type: strict_dns | ||
| + | lb_policy: round_robin | ||
| + | load_assignment: | ||
| + | cluster_name: service_bbc | ||
| + | endpoints: | ||
| + | - lb_endpoints: | ||
| + | - endpoint: | ||
| + | address: | ||
| + | socket_address: | ||
| + | address: www.bbc.com | ||
| + | port_value: 443 | ||
| + | |||
| + | transport_socket: | ||
| + | name: envoy.transport_sockets.tls | ||
| + | typed_config: | ||
| + | "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
| + | |||
| + | |||
| + | # static secrets | ||
| + | secrets: | ||
| + | - name: server_cert | ||
| + | tls_certificate: | ||
| + | certificate_chain: | ||
| + | filename: certs/example.io.crt | ||
| + | private_key: | ||
| + | filename: certs/example.io.key | ||
| + | - name: client_cert | ||
| + | tls_certificate: | ||
| + | certificate_chain: | ||
| + | filename: certs/client.crt | ||
| + | private_key: | ||
| + | filename: client.key | ||
| + | - name: validation_context | ||
| + | validation_context: | ||
| + | trusted_ca: | ||
| + | filename: certs/tls-ca-chain.pem | ||
| + | ``` | ||
Latest revision as of 03:57, 31 January 2022
mtls postgres
- https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/double-proxy https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/securing
https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni
https://github.com/salrashid123/envoy_control/blob/master/bbc.yaml
<br />curl -vvI https://gnupg.org echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text nmap --script ssl-enum-ciphers -p 10000 localhost
envoy -c sandbox.yaml
sandbox.yaml
admin:
access_log_path: /dev/null
address:
socket_address:
address: 127.0.0.1
port_value: 9000
node:
cluster: service_greeter
id: test-id
static_resources:
listeners:
- name: listener_0
address:
socket_address: { address: 0.0.0.0, port_value: 10000 }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
codec_type: AUTO
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: service_bbc
prefix_rewrite: "/robots.txt"
host_rewrite_literal: "www.bbc.com"
http_filters:
- name: envoy.filters.http.router
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
common_tls_context:
tls_certificate_sds_secret_configs:
- name: server_cert
tls_params:
tls_maximum_protocol_version: TLSv1_3
tls_minimum_protocol_version: TLSv1_2
cipher_suites:
- '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
- '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
- 'ECDHE-ECDSA-AES128-SHA'
- 'ECDHE-RSA-AES128-SHA'
- 'AES128-GCM-SHA256'
- 'AES128-SHA'
- 'ECDHE-ECDSA-AES256-GCM-SHA384'
- 'ECDHE-RSA-AES256-GCM-SHA384'
- 'ECDHE-ECDSA-AES256-SHA'
- 'ECDHE-RSA-AES256-SHA'
- 'AES256-GCM-SHA384'
- 'AES256-SHA'
ecdh_curves: [
"P-256"
]
clusters:
- name: service_bbc
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
load_assignment:
cluster_name: service_bbc
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: www.bbc.com
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
# static secrets
secrets:
- name: server_cert
tls_certificate:
certificate_chain:
filename: certs/example.io.crt
private_key:
filename: certs/example.io.key
- name: client_cert
tls_certificate:
certificate_chain:
filename: certs/client.crt
private_key:
filename: client.key
- name: validation_context
validation_context:
trusted_ca:
filename: certs/tls-ca-chain.pem