Leverage Envoy as a reverse proxy

Since in the last six month, I mainly working on Istio that leverage envoy as the sidecar proxy and require to understand the Envoy. I decide to leverage Envoy as reverse proxy in my lab environment. Why not? Envoy as proxy is mature and already graduate from CNCF and easy to configure.

Envoy have many advantages:

  • Easy to implement in Docker
  • YAML based configuration, even you can use xDS configuration API!
  • Support HTTP/2 and gRPC
  • Have many feature and filter that can be implemented easily in the configuration

I think what is the easy way to implement Envoy? install as binary? but it will add another job to build the binary and create system daemon to run the Envoy. I decide to implement Envoy with Docker compose. Easy to manage and change the configuration.

I need reverse proxy in the first place to access my OpenStack enviroment inside the lab. Before leveraging Envoy, I always use socks tunnel to access my OpenStack. It’s stupid, since I have public IP why not impelementing reverse proxy? (I am to lazy to use socks tunnel). Sometime in the future, reverse proxy also can come in handy when trying a new stuff.

Docker compose configuration is quite clear:

version: "2"
    build: ./envoy/
    container_name: front-envoy
      - "443"
      - "5000"
      - "8001"
      - "443:443"
      - "5000:5000"
    restart: always
      - ./envoy/front-envoy.yaml:/etc/front-envoy.yaml
      - /etc/letsencrypt/archive/zufardhiyaulhaq.com/fullcert1.pem:/etc/cert.pem
      - /etc/letsencrypt/archive/zufardhiyaulhaq.com/privkey1.pem:/etc/privkey.pem

I need to build my Envoy because I need to run custom configuration located in /etc/front-envoy.yaml. I am using custom DNS server and static IP. I also using certificate that mount into /etc/. This is a letsencrypt certificate generated by this tutorial. This is Dockerfile that I use:

FROM envoyproxy/envoy:v1.14.3

LABEL maintainer="Zufar Dhiyaulhaq"

RUN apt-get update && apt-get -q install -y \

CMD /usr/local/bin/envoy -c /etc/front-envoy.yaml --service-cluster front-proxy

Envoy configuration mainly have listeners and clusters. You define what port that should be open in the listener, applying some filter and TLS certificate, and route to the specific cluster that defined in the clusters.

You also can find the documentation for reverse proxy. That’s all, it’s pretty easy to setup and reverse proxy!

Written on September 5, 2020