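bit, but if I configure the device to use the Istio gateway as a proxy, this setup does not work (it does work if I spoof DNS on the device so that it thinks the IP address of edition.cnn.com is Istio's IP address). But I still have the problem that many different things (css\javascript\etc) are downloaded directly from the web, bypassing Istio.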
this
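However, I have almost no idea whether this is possible with Istio. I can copy part of the filter envoyfilter, I'm not sure about the cluster? A serviceentry should be a cluster, but I don't think it accepts * variables?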
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: yandex
  namespace: kube-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 36003
      name: TCP
      protocol: TCP
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: yandex
  namespace: kube-system
spec:
  hosts:
  - '*.yandex.ru'
  - yandex.ru
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: yandex
  namespace: kube-system
spec:
  hosts:
  - '*.yandex.ru'
  - yandex.ru
  gateways:
  - yandex
  tls:
  - match:
    - gateways:
      - yandex
    route:
    - destination:
        port:
          number: 443
```
Edit: Using AKS 1.19.13 and Istio 1.11.2

Edit: This is the configuration I am trying to replace
```nginx
user nobody nogroup;
worker_processes auto;
events { }
error_log /var/log/nginx/error.log warn;
http {
    # The format below needs to match the format defined in the start.sh file
    log_format compression '$remote_addr - $remote_user [$time_local] '
                           '$scheme $host "$request" $request_time $status $body_bytes_sent '
                           '"$http_referer" "$http_x_forwarded_for" "$http_user_agent"';
    access_log /var/log/nginx/access.log compression;
    server_names_hash_bucket_size 128;
    server {
        gzip on;
        # if we do not match either of the below - reject the request
        if ($http_host ~ "^((?!(domain1|domain2)).)*$") {
            return 403;
            break;
        }
        listen {{ .Values.service.port }} ;
        server_name ~.+;
        proxy_connect;
        proxy_max_temp_file_size 0;
        resolver 8.8.8.8;
        location / {
            proxy_pass http://$http_host;
            proxy_set_header Host $http_host;
        }
    }
}
```
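An added example, not part of the original post: it runs the `if ($http_host ~ ...)` rule from the nginx config above next to an exact-or-subdomain match in the shape of the ServiceEntry `hosts` list, and reports the hosts on which the two decide differently. The `.example`/`.test` host names and the helper names are constructed for illustration, and the "exact name or any subdomain" reading of `*.` entries is an assumption.

```python
import re

# Rule from the nginx config: the request gets 403 when this matches $http_host.
# "domain1"/"domain2" are the page's own placeholders; `~` is case-sensitive.
NGINX_REJECT = re.compile(r"^((?!(domain1|domain2)).)*$")

# Hypothetical allowlist shaped like the ServiceEntry hosts ('*.name' + bare name).
ALLOWED_HOSTS = ["*.domain1.example", "domain1.example",
                 "*.domain2.example", "domain2.example"]

# Constructed Host header values.
SAMPLE_HOSTS = ["domain1.example", "www.domain2.example:8080",
                "domain1.example.other.test", "notdomain2.example",
                "DOMAIN1.example", "unrelated.test"]


def nginx_rule_allows(http_host: str) -> bool:
    """True when the nginx `if` does not fire, so the request is proxied."""
    return NGINX_REJECT.match(http_host) is None


def normalize(http_host: str) -> str:
    """Lower-case, drop a :port suffix and a trailing dot (no IPv6 literals)."""
    return http_host.strip().lower().partition(":")[0].rstrip(".")


def suffix_allows(http_host: str, allowed=ALLOWED_HOSTS) -> bool:
    """Exact match, or a true subdomain of a '*.name' entry."""
    host = normalize(http_host)
    for pattern in allowed:
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".domain1.example"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def mismatches(hosts):
    """Hosts where the substring regex and the suffix match disagree."""
    return [h for h in hosts if nginx_rule_allows(h) != suffix_allows(h)]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:30} nginx={nginx_rule_allows(h)!s:5} suffix={suffix_allows(h)}")
```

The regex only tests whether the placeholder string occurs anywhere in the Host header, so the two checks do not accept the same set of names; a replacement for the nginx rule should be validated against the hosts listed by `mismatches`.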