Does Envoy Gateway Support Forward Proxy? Certificate Error When Using curl -x

[lideheng6379-del]

Question: Does Envoy Gateway support forward proxy? Here is my configuration:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: httpbin-route
namespace: test
spec:
parentRefs:
- name: gw
hostnames:
- "httpbin.org"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: httpbin-backend
kind: Backend
group: gateway.envoyproxy.io

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
name: httpbin-backend
namespace: test
spec:
type: DynamicResolver
tls:
wellKnownCACertificates: System

When I run this request, it works fine:

curl -v --cert client.example.com.crt --key client.example.com.key --cacert example.com.crt -H "Host: httpbin.org" https://www.example.com/get

But when I try to use Envoy Gateway as a forward proxy:

curl -v --cert client.example.com.crt --key client.example.com.key --cacert example.com.crt -x https://www.example.com https://httpbin.org/get
I get the following error:

• Trying xxxx:443...
• Connected to www.example.com (xxxx) port 443
• ALPN: curl offers http/1.1
• (304) (OUT), TLS handshake, Client hello (1):
• CAfile: /etc/ssl/cert.pem
• CApath: none
• (304) (IN), TLS handshake, Server hello (2):
• (304) (IN), TLS handshake, Unknown (8):
• (304) (IN), TLS handshake, Request CERT (13):
• (304) (IN), TLS handshake, Certificate (11):
• SSL certificate problem: unable to get local issuer certificate
• Closing connection
  curl: (60) SSL certificate problem: unable to get local issuer certificate

More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
What is the cause of this? Is it a certificate issue, or does Envoy Gateway not support forward proxy?

[arkodg]

you'll need to configure a BackendTLSPolicy https://gateway.envoyproxy.io/docs/tasks/security/backend-tls/

[lideheng6379-del]

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: gw
namespace: test
spec:
gatewayClassName: gwc
listeners:
- name: https
protocol: HTTPS
port: 443
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: example-cert
allowedRoutes:
namespaces:
from: Same

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
name: enable-mtls
namespace: test
spec:
targetRefs:

• group: gateway.networking.k8s.io
  kind: Gateway
  name: gw
  headers:
  xForwardedClientCert:
  mode: AppendForward
  certDetailsToAdd:
  - Subject
  - Cert
  - DNS
  - URI
  tls:
  minVersion: "1.0"
  maxVersion: "1.3"
  ciphers:
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
    clientValidation:
    caCertificateRefs:
  • kind: "Secret"
    group: ""
    name: "example-ca-cert"

---

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: llm-platform-route
namespace: test
spec:
parentRefs:
- name: gw
hostnames:
- "httpbin.org"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: httpbin-backend
kind: Backend
group: gateway.envoyproxy.io

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
name: httpbin-backend
namespace: test
spec:
type: DynamicResolver
tls:
wellKnownCACertificates: System

apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: enable-backend-tls
namespace: test
spec:
targetRefs:
- group: gateway.envoyproxy.io
kind: Backend
name: httpbin-backend
validation:
wellKnownCACertificates: System
hostname: httpbin.org

-------------

Does a forward proxy also need to configure BackendTLSPolicy? I configured it, but it doesn't seem to have any effect—the requests are still failing.

curl -v --cert client.example.com.crt --key client.example.com.key --cacert example.com.crt -x https://www.example.com https://httpbin.org/get

• Trying xxxx:443...
• Connected to www.example.com (xxxx) port 443
• ALPN: curl offers http/1.1
• (304) (OUT), TLS handshake, Client hello (1):
• CAfile: /etc/ssl/cert.pem
• CApath: none
• (304) (IN), TLS handshake, Server hello (2):
• (304) (IN), TLS handshake, Unknown (8):
• (304) (IN), TLS handshake, Request CERT (13):
• (304) (IN), TLS handshake, Certificate (11):
• SSL certificate problem: unable to get local issuer certificate
• Closing connection
  curl: (60) SSL certificate problem: unable to get local issuer certificate
  More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.