
HTTP CONNECT forward proxy filtering by domain names works with wildcard domain but not individual domain #38010

@Joe-Zhou-Pub

Description



Description:
HTTP CONNECT forward proxy works with a wildcard domain but not with an individual domain for filtering purposes. Help please.

The working config, with a wildcard domain only:

```yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 127.0.0.1
        port_value: 10001
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              - match:
                  connect_matcher:
                    {}
                route:
                  cluster: service_google
                  upgrade_configs:
                  - upgrade_type: CONNECT
                    connect_config:
                      {}
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          # CONNECT support is enabled on the connection manager itself
          http2_protocol_options:
            allow_connect: true
          upgrade_configs:
          - upgrade_type: CONNECT
  clusters:
  - name: service_google
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_google
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.google.com
                port_value: 443
```

Trying to filter traffic by domain with the config below:

```yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 127.0.0.1
        port_value: 10001
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: google_service
              domains:
              - "www.google.com"
              routes:
              - match:
                  connect_matcher:
                    {}
                route:
                  cluster: service_google
                  upgrade_configs:
                  - upgrade_type: CONNECT
                    connect_config:
                      {}
            - name: yahoo_service
              domains:
              - "www.yahoo.com"
              routes:
              - match:
                  connect_matcher:
                    {}
                route:
                  cluster: service_yahoo
                  upgrade_configs:
                  - upgrade_type: CONNECT
                    connect_config:
                      {}
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          http2_protocol_options:
            allow_connect: true
          upgrade_configs:
          - upgrade_type: CONNECT
  clusters:
  - name: service_google
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_google
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.google.com
                port_value: 443
  - name: service_yahoo
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      # the post had "service_google" here, a copy-paste slip; it is not what causes the 404
      cluster_name: service_yahoo
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.yahoo.com
                port_value: 443
```

However, I got the error below:

```text
root@ip-10-97-127-86:/etc/envoy# curl -kv -x 127.0.0.1:10001 https://www.google.com
*   Trying 127.0.0.1:10001...
* Connected to 127.0.0.1 (127.0.0.1) port 10001
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 404 Not Found
< date: Wed, 15 Jan 2025 04:35:08 GMT
< server: envoy
< connection: close
< content-length: 0
<
* CONNECT tunnel failed, response 404
* Closing connection
curl: (56) CONNECT tunnel failed, response 404
```

The debug log:

```text
[2025-01-15 04:35:08.183][19128][debug][http] [source/common/http/conn_manager_impl.cc:1183] [Tags: "ConnectionId":"0","StreamId":"7017064017471523855"] request headers complete (end_stream=false):
':authority', 'www.google.com:443'
':method', 'CONNECT'
'user-agent', 'curl/8.5.0'
'proxy-connection', 'Keep-Alive'

[2025-01-15 04:35:08.183][19128][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"0"] current connecting state: false
[2025-01-15 04:35:08.183][19128][debug][router] [source/common/router/router.cc:459] [Tags: "ConnectionId":"0","StreamId":"7017064017471523855"] no route match for URL ''
[2025-01-15 04:35:08.183][19128][debug][http] [source/common/http/filter_manager.cc:1034] [Tags: "ConnectionId":"0","StreamId":"7017064017471523855"] Preparing local reply with details route_not_found
[2025-01-15 04:35:08.184][19128][debug][http] [source/common/http/filter_manager.cc:1076] [Tags: "ConnectionId":"0","StreamId":"7017064017471523855"] Executing sending local reply.
[2025-01-15 04:35:08.184][19128][debug][http] [source/common/http/conn_manager_impl.cc:1878] [Tags: "ConnectionId":"0","StreamId":"7017064017471523855"] encoding headers via codec (end_stream=true):
':status', '404'
'date', 'Wed, 15 Jan 2025 04:35:08 GMT'
'server', 'envoy'
'connection', 'close'
```
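Why the per-domain config 404s, with a corrected connection-manager config as an added example (not the reporter's config and not code from the Envoy project): the debug log shows the CONNECT request arriving with `':authority', 'www.google.com:443'`. Envoy matches virtual-host `domains` against the whole `:authority` value, port included, unless the HttpConnectionManager is told to strip the port first (`strip_any_host_port` or `strip_matching_host_port`). The entry `"www.google.com"` therefore never matches `www.google.com:443`, while the catch-all `"*"` does, which is exactly why the first config works and the second returns `route_not_found`. The fragment below is the HCM `typed_config` from the post with the domains written as host:port; the listener, clusters and router filter are unchanged from the post and omitted. The port-stripping alternative is shown commented out.

```yaml
# Added example: HttpConnectionManager typed_config with the virtual-host
# domains corrected for CONNECT. Cluster names (service_google, service_yahoo)
# are the ones from the post; listener and clusters stay as posted.
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
# Alternative: strip the port from :authority before routing so the bare
# hostnames from the post match. For CONNECT, Envoy restores the original
# port on the upstream request when no filter has added one.
# strip_any_host_port: true
route_config:
  name: local_route
  virtual_hosts:
  # A CONNECT request's :authority is "host:port", so the domain entry must
  # carry the port the clients tunnel to (443 in the post's curl command).
  - name: google_service
    domains:
    - "www.google.com:443"
    routes:
    - match:
        connect_matcher:
          {}
      route:
        cluster: service_google
        upgrade_configs:
        - upgrade_type: CONNECT
          connect_config:
            {}
  - name: yahoo_service
    domains:
    - "www.yahoo.com:443"
    routes:
    - match:
        connect_matcher:
          {}
      route:
        cluster: service_yahoo
        upgrade_configs:
        - upgrade_type: CONNECT
          connect_config:
            {}
  # Deliberately no "*" virtual host: a CONNECT to any host not listed above
  # keeps getting the 404 route_not_found seen in the post, which is the
  # default-deny behaviour a filtering forward proxy should have.
http_filters:
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
http2_protocol_options:
  allow_connect: true
upgrade_configs:
- upgrade_type: CONNECT
```

Re-run the same `curl -kv -x 127.0.0.1:10001 https://www.google.com` from the post to confirm the tunnel is now routed to `google_service`, and then try an unlisted host to confirm it still gets the 404. Two caveats: each route here sends the tunnel to its cluster's fixed endpoint rather than to whatever host the client named, so keep each allowlisted domain paired with a cluster that points at that same host; and once the tunnel works there is no reason to keep `-k` (disabled certificate verification) in the client command.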
