
I've read this article about the TLS origination problem in Istio. Let me quote it here:

There is a caveat to this story. In HTTPS, all the HTTP details (hostname, path, headers etc.) are encrypted, so Istio cannot know the destination domain of the encrypted requests. Well, Istio could know the destination domain by the SNI (Server Name Indication) field. This feature, however, is not yet implemented in Istio. Therefore, currently Istio cannot perform filtering of HTTPS requests based on the destination domains.

I want to understand what the bold statement really means, because I've tried this:

  • Downloaded istio-1.0.0 here to get the sample YAML code.

  • kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml)


apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: tutum/curl
        command: ["/bin/sleep", "infinity"]
        imagePullPolicy: IfNotPresent

  • And apply this ServiceEntry

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - "*.cnn.com"
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https-port
    protocol: HTTPS
  resolution: NONE

  • And exec this curl command inside the pod

export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
kubectl exec -it $SOURCE_POD -c sleep -- curl -s -o /dev/null -D - https://edition.cnn.com/politics
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
x-servedByHost: ::ffff:172.17.128.31
access-control-allow-origin: *
cache-control: max-age=60
content-security-policy: default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* *.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com *.vgtf.net:*; script-src 'unsafe-eval' 'unsafe-inline' 'self' *; style-src 'unsafe-inline' 'self' blob: *; child-src 'self' blob: *; frame-src 'self' *; object-src 'self' *; img-src 'self' data: blob: *; media-src 'self' data: blob: *; font-src 'self' data: *; connect-src 'self' *; frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com https://*.cnn.io:* http://*.cnn.io:* *.turner.com:* courageousstudio.com;
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
Via: 1.1 varnish
Content-Length: 1554561
Accept-Ranges: bytes
Date: Wed, 08 Aug 2018 04:59:07 GMT
Via: 1.1 varnish
Age: 105
Connection: keep-alive
Set-Cookie: countryCode=US; Domain=.cnn.com; Path=/
Set-Cookie: geoData=mountain view|CA|94043|US|NA; Domain=.cnn.com; Path=/
Set-Cookie: tryThing00=3860; Domain=.cnn.com; Path=/; Expires=Mon Jul 01 2019 00:00:00 GMT
Set-Cookie: tryThing01=4349; Domain=.cnn.com; Path=/; Expires=Fri Mar 01 2019 00:00:00 GMT
Set-Cookie: tryThing02=4896; Domain=.cnn.com; Path=/; Expires=Wed Jan 01 2020 00:00:00 GMT
X-Served-By: cache-iad2150-IAD, cache-sin18022-SIN
X-Cache: HIT, MISS
X-Cache-Hits: 1, 0
X-Timer: S1533704347.303019,VS0,VE299
Vary: Accept-Encoding

As you can see, I can access edition.cnn.com over HTTPS (SSL). Am I misunderstanding the meaning of the bold statement?


2 Answers


The quoted blog post is from January 31, 2018, and the statement was correct at that time. Now (1.0) Istio supports routing traffic by SNI; see https://istio.io/docs/tasks/traffic-management/egress/

This reminds me to update that blog post, which I'll do this weekend. Sorry for the confusion, and thanks for pointing it out.

Answered 2018-08-08T07:15:59.803

What you are showing here is an HTTPS connection/request, and there is no reason it would not work. In this context, filtering means taking a specific action (i.e. denying access) based on the destination host in HTTP terms (the thing that makes it possible to host several sites on the same server IP), and that is what the statement refers to.

SNI is the mechanism for identifying the host you are connecting to before the TLS connection is established.

Answered 2018-08-08T06:15:59.257
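To make concrete what both answers rely on, here is an added example (not from the question, the answers, or Istio itself) showing why a proxy such as the Envoy sidecar can filter HTTPS by destination domain even though the HTTP request inside is encrypted: the hostname is sent in the clear in the server_name (SNI) extension of the TLS ClientHello, before any key exchange completes. The script uses Python's ssl module with memory BIOs to generate a real ClientHello for edition.cnn.com without touching the network, parses the SNI out of the raw bytes, and then applies an allow-list written in the style of the ServiceEntry hosts field ("*.cnn.com"). The wildcard matching is my own simplification of Istio's host semantics, not Istio's code, and the non-TLS sample bytes are constructed for the demonstration.

```python
import ssl
import struct


def client_hello_bytes(server_hostname: str) -> bytes:
    """Return the raw TLS record a client sends first, produced by the ssl
    module over memory BIOs (no socket). The handshake stalls waiting for a
    ServerHello, which is exactly when the ClientHello sits in the out BIO."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nothing has been fed into 'incoming'
    return outgoing.read()


def extract_sni(data: bytes):
    """Parse a TLS record carrying a ClientHello and return the host_name from
    its server_name extension, or None if the record is not a ClientHello or
    carries no SNI (what a sidecar would see for plaintext or SNI-less TLS)."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); ClientHello is msg_type 1
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # client_version, random
    sid_len = hello[pos]; pos += 1 + sid_len       # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hello[pos]; pos += 1 + cm_len         # compression_methods
    if pos + 2 > len(hello):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        ext = hello[pos:pos + length]; pos += length
        if ext_type == 0x0000:                     # server_name (RFC 6066)
            list_len = struct.unpack("!H", ext[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:           # entries: type(1) len(2) name
                name_type = ext[q]
                name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
                name = ext[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:                 # 0 = host_name
                    return name.decode("ascii")
    return None


def allowed_by_hosts(sni, hosts) -> bool:
    """Decide whether an SNI value is covered by an allow-list in the shape of
    the ServiceEntry 'hosts' field. Simplified semantics (an assumption, not
    Istio's matcher): exact names, or '*.suffix' matching any name that ends
    in '.suffix'. A connection with no SNI is rejected, because without it the
    proxy has no destination domain to make a decision on."""
    if sni is None:
        return False
    sni = sni.lower().rstrip(".")
    for pattern in hosts:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if sni.endswith(pattern[1:]):          # ".cnn.com" suffix match
                return True
        elif sni == pattern:
            return True
    return False


if __name__ == "__main__":
    hello = client_hello_bytes("edition.cnn.com")
    sni = extract_sni(hello)
    print("SNI seen in the clear:", sni)
    print("allowed by ['*.cnn.com']:", allowed_by_hosts(sni, ["*.cnn.com"]))
    # Constructed plaintext HTTP bytes: not a TLS record, so no SNI to filter on.
    print("plain HTTP ->", extract_sni(b"GET /politics HTTP/1.1\r\nHost: x\r\n\r\n"))
```

Running it prints the SNI the ssl module placed in the ClientHello and the allow-list decision; the point is that everything needed for the decision is available before the proxy sees a single encrypted HTTP byte, which is what makes SNI-based egress filtering possible once the proxy implements it.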