Can Envoy encrypt raw TCP connections?

We want to encrypt raw TCP data traffic. For example, some data is transferred using iSCSI (over TCP), which is not encrypted.

Can we use Envoy as a middle proxy to encrypt the data when the data is going through the network?

Thanks!

Solution 1:[1]

You can encrypt data between your client and Envoy by using TcpProxy with a DownstreamTlsContext defined in the transport_socket section.

Assuming you have the root CA certificate (/certs/rootCA.crt), your server certificate (/certs/server.crt) and your private key as a PEM file (cat server.crt server.key > /certs/server.pem), the Envoy config will look like this:

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 1111      # clients connect here over TLS
    filter_chains:
    - filters:
      # raw TCP proxy: bytes are forwarded to the cluster below, no L7 parsing
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_proxy
          cluster: my_service
      # TLS is terminated on the listener (downstream) side with this transport socket
      transport_socket:
        name: tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: "/certs/server.crt"
              private_key:
                filename: "/certs/server.pem"
            validation_context:
              trusted_ca:
                filename: "/certs/rootCA.crt"
              allow_expired_certificate: false
          # false: clients are not asked for a certificate; true turns this into mutual TLS
          require_client_certificate: false

  # no transport_socket on the cluster: the Envoy -> my_service:2222 leg stays plaintext
  clusters:
  - name: my_service
    connect_timeout: 15s
    type: LOGICAL_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: my_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: my_service
                port_value: 2222

You can easily check that the traffic between the client and Envoy is encrypted by using a tool like Wireshark or tcpdump.
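As an added example (not part of the answer and not Envoy's own code), here are the two client-side checks this answer implies in Python: a client that opens a verified TLS session to the tcp_proxy listener on port 1111 using /certs/rootCA.crt as the trust anchor, and a small classifier for the first bytes of a captured segment that tells a TLS record from a plaintext iSCSI PDU. The listener address 127.0.0.1, the server name envoy.example, and the sample byte strings are assumptions constructed for the example.

```python
import socket
import ssl

# Assumed deployment values (not from the answer): where the Envoy listener above is reachable,
# the name on /certs/server.crt that the client should verify, and the CA file.
ENVOY_HOST = "127.0.0.1"
ENVOY_PORT = 1111
SERVER_NAME = "envoy.example"
CA_FILE = "/certs/rootCA.crt"

# Constructed samples of what tcpdump would show as the first bytes of a flow:
# a TLS 1.2 ClientHello record header (type 0x16, legacy version 3.1, length, handshake type 0x01)
CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c4010000c00303")
# an iSCSI Login Request PDU (byte 0: immediate bit + opcode 0x03, byte 1: transit/stage bits)
ISCSI_LOGIN_PREFIX = bytes.fromhex("43870000000000000000000000000000")


def make_client_context(ca_file):
    """Client TLS settings: verify Envoy's chain against the root CA, require a matching hostname,
    and refuse anything below TLS 1.2. ca_file=None falls back to the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_probe(payload, host=ENVOY_HOST, port=ENVOY_PORT, server_name=SERVER_NAME, ca_file=CA_FILE):
    """Open a verified TLS session to the tcp_proxy listener, send payload, and report what was
    negotiated. Raises ssl.SSLError if Envoy's certificate does not chain to ca_file."""
    ctx = make_client_context(ca_file)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(payload)
            subject = dict(item[0] for item in tls.getpeercert()["subject"])
            return {"version": tls.version(), "cipher": tls.cipher()[0], "subject": subject}


def is_tls_record(first_bytes):
    """True when a captured segment starts with a TLS record header: content type 0x14-0x17 and
    record-layer version 3.0-3.4. A plaintext iSCSI PDU never matches, so running this over the
    first segment of each flow on port 1111 confirms nothing left the client in the clear."""
    if len(first_bytes) < 5:
        return False
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    return content_type in (0x14, 0x15, 0x16, 0x17) and major == 0x03 and minor <= 0x04


if __name__ == "__main__":
    print(tls_probe(ISCSI_LOGIN_PREFIX))
```

Because the cluster in the config has no transport_socket, the same classifier run on a capture of the Envoy-to-my_service leg on port 2222 returns False: only the client-to-Envoy hop is protected by this configuration.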

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 norbjd