Preface:
This post demonstrates the flow of a client sending a request to Envoy, and Envoy forwarding that request to a backend service.
Client -> Envoy uses plain HTTP.
Envoy -> backend service uses HTTPS. [The backend service used in this demonstration is an nginx virtual server.]
First, the Envoy configuration:
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: nginx_https
  clusters:
  - name: nginx_https
    type: STRICT_DNS
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: nginx_https
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: bluesky.com
                port_value: 443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: bluesky.com
Now the nginx server configuration:
server {
    listen 443 ssl;
    server_name bluesky.com;
    # Command used to generate the certificate below:
    # openssl req -x509 -newkey rsa:2048 -keyout envoy-proxy-downstream.key -out envoy-proxy-downstream.crt -days 3650 -nodes -subj '/CN=bluesky.com'
    ssl_certificate /usr/local/openresty/nginx/conf/ssl/envoy/envoy-proxy-downstream.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/envoy/envoy-proxy-downstream.key;
    ssl_ciphers ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256;
    location /mall {
        proxy_pass ;
    }
}
The result:
[root@hadoopslave131 conf]# curl -v 
* About to connect() to 192.168.18.132 port 10000 (#0)
*   Trying 192.168.18.132...
* Connected to 192.168.18.132 (192.168.18.132) port 10000 (#0)
> GET /mall/useroper/qryUserById?userId=1688310684033 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.18.132:10000
> Accept: */*
> 
< HTTP/1.1 200 OK
< server: envoy
< date: Mon, 04 Dec 2023 06:51:07 GMT
< content-type: application/json
< x-envoy-upstream-service-time: 50
< transfer-encoding: chunked
< 
* Connection #0 to host 192.168.18.132 left intact
{"statusCode":"100001","data":null,"desc":"登录已失效"}
Notes:
1. Because a domain name is used, the domain-to-IP mapping must be present in /etc/hosts inside the Envoy container. When starting Envoy with docker, pass --add-host="domain:ip". The command used to start the Envoy image in this post: docker run -dit --rm --name envoy -p 9901:9901 -p 10000:10000 -v /software/envoy/http-https-envoy.yaml:/etc/envoy/envoy.yaml --add-host="bluesky.com:192.168.18.132" envoyproxy/envoy:v1.28-latest
2. If an SSLV3_ALERT_HANDSHAKE_FAILURE error occurs, capture the traffic to find the cause. In this post the cause was that the cipher suites configured in nginx's ssl settings were incomplete: there were only SSL3 cipher suites and no SSL2 ones.
Use openssl ciphers -v to list the cipher suites of all protocols, then pick the ones you need and configure them.
3. Common SSL errors in Envoy:
Secret is not supplied by SDS: Envoy is waiting for SDS to deliver the key/cert or the root CA.
SSLV3_ALERT_CERTIFICATE_EXPIRED: the certificate has expired.
SSLV3_ALERT_CERTIFICATE_UNKNOWN: the peer certificate is not among the SPKIs specified in the configuration.
SSLV3_ALERT_HANDSHAKE_FAILURE: the handshake failed; usually the server requires a client certificate and the client did not send one. In this post the cause was an incomplete set of SSL cipher suites on the nginx server.
TLSV1_ALERT_PROTOCOL_VERSION: TLS protocol version mismatch.
TLSV1_ALERT_UNKNOWN_CA: the CA of the peer certificate does not match the trusted CA.
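The UpstreamTlsContext in the configuration above sets only sni, so Envoy does not validate the nginx certificate at all and will accept any certificate presented on port 443. The following is an added example, not part of the original post: a replacement transport_socket for the nginx_https cluster that pins the trusted CA, checks the SAN, and constrains protocol versions and cipher suites, with each setting tied to the alert in the list above that fires when it does not match. It assumes the nginx certificate is mounted into the Envoy container at /etc/envoy/certs/envoy-proxy-downstream.crt (an assumed path, added to the docker run command with another -v) and that it was regenerated with -addext "subjectAltName=DNS:bluesky.com", since a CN-only certificate does not satisfy a SAN matcher.

```yaml
# Added example: hardened transport_socket for the nginx_https cluster.
# Assumed path: the nginx certificate from the post, mounted into the Envoy
# container at /etc/envoy/certs/envoy-proxy-downstream.crt and regenerated
# with a DNS SAN for bluesky.com (the CN-only cert will not pass the SAN check).
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    sni: bluesky.com
    common_tls_context:
      tls_params:
        # Fix the versions Envoy will negotiate; a server outside this range
        # fails with TLSV1_ALERT_PROTOCOL_VERSION instead of silently downgrading.
        tls_minimum_protocol_version: TLSv1_2
        tls_maximum_protocol_version: TLSv1_3
        # Offer only suites that also appear in nginx's ssl_ciphers list.
        # An empty intersection is the SSLV3_ALERT_HANDSHAKE_FAILURE case above.
        cipher_suites:
        - ECDHE-RSA-AES256-GCM-SHA384
        - ECDHE-ECDSA-AES256-GCM-SHA384
      validation_context:
        # Without trusted_ca Envoy skips chain verification entirely. Pointing
        # it at the self-signed nginx certificate pins that exact certificate;
        # a chain that does not end here is the TLSV1_ALERT_UNKNOWN_CA case.
        trusted_ca:
          filename: /etc/envoy/certs/envoy-proxy-downstream.crt
        # Also require that the certificate is issued for bluesky.com, not
        # merely signed by the trusted CA.
        match_typed_subject_alt_names:
        - san_type: DNS
          matcher:
            exact: bluesky.com
```

After the change, a handshake that previously succeeded against an arbitrary certificate will fail until the mounted CA file and SAN actually match the nginx server, which is the intended behaviour.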