Envoyproxy sandbox


https://github.com/salrashid123/envoy_control/blob/master/bbc.yaml

curl -vvI https://gnupg.org
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
nmap --script ssl-enum-ciphers -p 10000 localhost

envoy -c sandbox.yaml

sandbox.yaml

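# Envoy sandbox: a TLS-terminating listener on 0.0.0.0:10000 that forwards
# every request to https://www.bbc.com/robots.txt.
admin:
  # Bound to loopback only. The admin API exposes config dumps, stats and
  # runtime controls with no authentication, so it must never be exposed
  # on a non-local address.
  access_log_path: /dev/null
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9000

node:
  cluster: service_greeter
  id: test-id

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                codec_type: AUTO
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: service_bbc
                            # Every downstream path is collapsed onto robots.txt and
                            # the Host header is rewritten for the upstream vhost.
                            prefix_rewrite: "/robots.txt"
                            host_rewrite_literal: "www.bbc.com"
                http_filters:
                  - name: envoy.filters.http.router
                    # Explicit typed_config; newer Envoy releases reject filters
                    # that are named but carry no configuration.
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          # Downstream (client-facing) TLS: server cert comes from the static
          # secret "server_cert" below.
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificate_sds_secret_configs:
                  - name: server_cert
                tls_params:
                  tls_maximum_protocol_version: TLSv1_3
                  tls_minimum_protocol_version: TLSv1_2
                  # cipher_suites only governs TLS 1.2; TLS 1.3 suites are fixed
                  # by the library. The last four entries (static RSA key
                  # exchange) offer no forward secrecy and the *-SHA entries are
                  # CBC; they are kept so `nmap --script ssl-enum-ciphers` shows
                  # the full negotiable set in this sandbox — drop them for any
                  # real deployment.
                  cipher_suites:
                    - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
                    - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
                    - 'ECDHE-ECDSA-AES128-SHA'
                    - 'ECDHE-RSA-AES128-SHA'
                    - 'AES128-GCM-SHA256'
                    - 'AES128-SHA'
                    - 'ECDHE-ECDSA-AES256-GCM-SHA384'
                    - 'ECDHE-RSA-AES256-GCM-SHA384'
                    - 'ECDHE-ECDSA-AES256-SHA'
                    - 'ECDHE-RSA-AES256-SHA'
                    - 'AES256-GCM-SHA384'
                    - 'AES256-SHA'
                  ecdh_curves:
                    - "P-256"

  clusters:
    - name: service_bbc
      connect_timeout: 0.25s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: service_bbc
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: www.bbc.com
                      port_value: 443
      # Upstream TLS to www.bbc.com. An UpstreamTlsContext with no validation
      # context makes Envoy accept any certificate, so the original hop was
      # unauthenticated. SNI is set explicitly so the upstream serves the
      # right certificate, and the chain is verified against the
      # "validation_context" secret (which also pins the expected DNS SAN).
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: www.bbc.com
          common_tls_context:
            validation_context_sds_secret_config:
              name: validation_context

  # static secrets
  secrets:
    - name: server_cert
      tls_certificate:
        certificate_chain:
          filename: certs/example.io.crt
        private_key:
          filename: certs/example.io.key
    # NOTE(review): "client_cert" is not referenced anywhere in this file.
    - name: client_cert
      tls_certificate:
        certificate_chain:
          filename: certs/client.crt
        private_key:
          # NOTE(review): every other key/cert lives under certs/ — confirm
          # this path is intentional.
          filename: client.key
    - name: validation_context
      validation_context:
        # NOTE(review): this bundle must contain the public roots that issued
        # www.bbc.com's chain (e.g. the system CA bundle) or the upstream
        # handshake will fail closed.
        trusted_ca:
          filename: certs/tls-ca-chain.pem
        # Hostname verification: trusting the CA alone would accept any
        # certificate that CA has issued.
        match_typed_subject_alt_names:
          - san_type: DNS
            matcher:
              exact: "www.bbc.com"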