Tags: nexus, istio, istio-gateway, npm-audit

Istio Virtual Service - Proxy to external HTTPS service


I'm trying to proxy HTTP requests with a specified URI prefix to an external HTTPS server. The idea is to use our internal Nexus Repository Manager for NPM without losing the ability to run 'npm audit', as this GitHub project does. It should be done with Istio instead of deploying an extra app.

I configured a virtual service and a service entry to route the traffic to the external service. So far it was not possible to convert an HTTP request to an HTTPS request. Is there any chance to do this?

Configuration:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-nexus
spec:
  hosts:
  - "test.com"
  gateways:
  - gateway-xy
  http:
  - match:
    - uri:
        prefix: /-/npm/v1/security/audits/
    route:
      - destination:
          port:
            number: 443
          host: registry.npmjs.org
  - route:
    - destination:
        port:
          number: 80
        host: nexus


---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: npmjs-ext
spec:
  hosts:
    - registry.npmjs.org
  ports:
    - number: 443
      name: tls
      protocol: tls
  resolution: DNS
  location: MESH_EXTERNAL


Solution

  • Found a solution: You need to add a DestinationRule with TLS mode 'SIMPLE' to connect to an external HTTPS service.

    The whole configuration for my issue, forwarding 'npm audit' requests to the public 'registry.npmjs.org' when you are using a private Nexus Repository, is:

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: vs
    spec:
      hosts:
      - "test.com"
      gateways:
      - gateway
      http:
      # Route to npm registry for audit
      # Like this: https://github.com/chovyy/npm-audit-proxy
      # See: https://istio.io/latest/blog/2019/proxy/
      - match:
        - uri:
            prefix: /-/npm/v1/security
        headers:
          request:
            set:
              host: "registry.npmjs.org"
        route:
          - destination:
              port:
                number: 443
              host: registry.npmjs.org
    
      # This is for custom Nexus repositories: rewrite the URI so that the
      # repository prefix is not forwarded to registry.npmjs.org
      - match:
        - uri:
            prefix: /repository/npm-test-repo/-/npm/v1/security
        rewrite:
          uri: /-/npm/v1/security
        headers:
          request:
            set:
              host: "registry.npmjs.org"
        route:
          - destination:
              port:
                number: 443
              host: registry.npmjs.org
    
      - route:
        - destination:
            port:
              number: 80
            host: nexus
    
    ---
    
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: npmjs-ext
    spec:
      hosts:
        - registry.npmjs.org
      ports:
        - number: 443
          name: tls
          protocol: TLS
      resolution: DNS
      location: MESH_EXTERNAL
    
    ---
    
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: npmjs-ext
    spec:
      host: registry.npmjs.org
      trafficPolicy:
        tls:
          mode: SIMPLE
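A hardened variant of the configuration above, as an added example that is not part of the original answer: depending on the Istio version and settings, a DestinationRule with only `mode: SIMPLE` may originate TLS without validating the server certificate, and the audit route forwards every request header, including any credentials the npm client sends for Nexus, to the public registry. The CA bundle path is an assumption about the proxy image; the resource names are taken from the answer.

```yaml
# Added example: TLS origination with server certificate verification.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: npmjs-ext
spec:
  host: registry.npmjs.org
  trafficPolicy:
    tls:
      mode: SIMPLE
      # SNI sent in the TLS handshake to the external host.
      sni: registry.npmjs.org
      # Assumption: CA bundle path inside the proxy container; adjust to your image.
      caCertificates: /etc/ssl/certs/ca-certificates.crt
      # Accept only a certificate issued for this name.
      subjectAltNames:
      - registry.npmjs.org
---
# Added example: same audit route, with client credentials stripped.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs
spec:
  hosts:
  - "test.com"
  gateways:
  - gateway
  http:
  - match:
    - uri:
        prefix: /-/npm/v1/security
    headers:
      request:
        set:
          host: "registry.npmjs.org"
        # Do not forward Nexus credentials to the public registry.
        remove:
        - authorization
    route:
    - destination:
        host: registry.npmjs.org
        port:
          number: 443
  - route:
    - destination:
        host: nexus
        port:
          number: 80
```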