{"id":13644766,"url":"https://github.com/BenderScript/envoybigbook","last_synced_at":"2025-04-21T10:34:21.639Z","repository":{"id":41378611,"uuid":"200344390","full_name":"BenderScript/envoybigbook","owner":"BenderScript","description":"Envoy Proxy Big Book of Examples","archived":false,"fork":false,"pushed_at":"2023-07-05T20:52:12.000Z","size":24615,"stargazers_count":180,"open_issues_count":4,"forks_count":25,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-29T22:31:39.361Z","etag":null,"topics":["aws","envoy","envoyproxy","identity","iptables","istio","kubernetes","linux","tcpproxy","tproxy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BenderScript.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-08-03T07:08:45.000Z","updated_at":"2025-03-18T06:42:59.000Z","dependencies_parsed_at":"2022-09-05T07:00:42.977Z","dependency_job_id":"8fce2d14-96f6-472d-a876-0860f23b62c7","html_url":"https://github.com/BenderScript/envoybigbook","commit_stats":null,"previous_names":["benderscript/envoybigbook","repenno/envoybigbook"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenderScript%2Fenvoybigbook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenderScript%2Fenvoybigbook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenderScript%2Fenvoybigbook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenderScript%2Fenvoybigbook/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BenderScript","download_url":"https://codeload.github.com/BenderScript/envoybigbook/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250040777,"owners_count":21365163,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","envoy","envoyproxy","identity","iptables","istio","kubernetes","linux","tcpproxy","tproxy"],"created_at":"2024-08-02T01:02:13.019Z","updated_at":"2025-04-21T10:34:16.624Z","avatar_url":"https://github.com/BenderScript.png","language":"Go","readme":"# Envoy Proxy Big Book of Examples\n\nI had a dream! I tried to understand Kubernetes/Istio's data plane in detail...unsuccessfully. Every time I would ask a deeper question the answer would inevitably be \"oh, this is done by Envoy and IPTables, but I do not know what goes on under the hood\".\n\nTherefore it became clear that understanding Envoy and the IPTables rules associated with each scenario was key to understanding the data plane and provisioning in Kubernetes. During this journey it dawned on me how amazing Envoy Proxy is.\n\nI decided to compile each example as best I could to help others going through the same pains, since the documentation is at times fragmented and incomplete.\n\nPlease be aware that all these examples were tested on **AWS Ubuntu 18.04.03**.\n\n## Envoy Resources\n\nI started a new document on Envoy resources such as [videos](resources.md).\n\n*Notice: Updating Examples for Envoy 1.13.0*\n\n## 1. 
Examples:\n\n### 1.1 [Forward Proxy](./forward-proxy)\n\nIn this example we run a [Forward Envoy Proxy](https://www.envoyproxy.io/docs/envoy/v1.13.0/configuration/http/http_filters/dynamic_forward_proxy_filter) that listens on port 4999 and directs requests to their original destination.\n\nThe practical use-case is to confine applications running on the same host as the Envoy proxy by using a combination of forward proxy and IPTables rules.\n\n### 1.2 [Explicit Proxy Config](./explicit-proxy-config)\n\nThis example uses the same container as the Envoy Forward Proxy example, but instead of using IPTables to redirect packets, we explicitly set HTTP proxy environment variables.\n\n### 1.3 [Original Destination](./original-dst)\n\nThis tutorial is one of the most interesting to me because it lays the groundwork for understanding workload identification and policy by creating an administrative boundary around an application.\n\nThis tutorial shows how to use an [original destination cluster](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#arch-overview-service-discovery-types-original-destination) to run Envoy Proxy as a forward proxy. There is no need to explicitly configure cluster IP addresses and ports since Envoy will proxy connections to the original destination IP:port.\n\n### 1.4 [Transparent Proxy (TPROXY)](./tproxy-outgoing)\n\nCertainly the most challenging example, but one that does not require changes to client applications.\n\nThis tutorial shows how to use Envoy in [Transparent Proxy](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/lds.proto#envoy-api-field-listener-transparent) mode. The distinguishing feature in this scenario is that **there is no NAT**.\n\nTransparent Proxy or TPROXY is a Linux Kernel feature without a lot of documentation. 
The commonly referenced documentation is the [original feature write-up](https://www.kernel.org/doc/Documentation/networking/tproxy.txt).\n\n### 1.5 [Simple Front Proxy](./simple-front-proxy)\n\nIn this example we run an Envoy Proxy that listens on port 4999 and directs requests to a server running on port 5000.\n\nThe web server runs as a separate container from Envoy, so any web server will do as long as it is listening on port 5000.\n\n### 1.6 [External Authorization](./ext-authz-proxy)\n\nThis example shows Envoy proxy using an external authorization server to decide whether requests should be forwarded. This has quite a few practical applications such as:\n\n* Client Identity (JWT)\n* Workload Identity\n* Policy Enforcement\n* In-depth statistics\n\nThis example is based on the [rate limit example](https://github.com/jbarratt/envoy_ratelimit_example).\n\n### 1.7 [Custom HTTP Headers](./custom-headers)\n\nThis example shows Envoy proxy adding custom HTTP headers to a request. I wanted to understand how to add more than one header and also how to append to an existing header. It turns out Envoy appends by adding a copy of the header with a different value.\n\nMy goal is to use this setup in the external authz example with workload identity.\n\n### 1.8 [Workload-Identity](./workload-identity)\n\nThis example demonstrates how to use Envoy Proxy and an Authz server to create a soft boundary around an **existing** application in order to create or provide **workload identity**. The operative word here is **existing**. There are many practical applications such as:\n\n* Policy\n* Telemetry\n* Audit\n* Security\n\n### 1.9 [Workload-Identity-AWS](./workload-identity-aws)\n\nThis example demonstrates how to use Envoy Proxy and an Authz server to create a soft boundary around an application in order to create or provide **workload identity** within an AWS EC2 deployment.\n\nMore specifically, it integrates AWS EC2 instance and user metadata into the application identity. 
It seems clear to me that any serious workload identity solution needs to incorporate a cloud provider's information in order to be deployed seamlessly and provide useful information.\n\n### 1.10 [Transparent Proxy (TPROXY) AWS Identity](./tproxy-aws-identity)\n\nWIP\n\n### 1.11 [TCP-Proxy](./tcp-proxy)\n\nThis example demonstrates just a plain TCP Proxy. Interestingly, I could not find official documentation on how to configure it, but managed to dig up an example from a [GitHub issue](https://github.com/envoyproxy/envoy/issues/2891).\n\nEven more interesting is that a simple TCP Proxy can be used for HTTP traffic if there is no interest in HTTP-specific functionality. Based on the logs we can see the amount of processing is much lower and therefore performance should be much higher.","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBenderScript%2Fenvoybigbook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBenderScript%2Fenvoybigbook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBenderScript%2Fenvoybigbook/lists"}