如何诊断/修复Envoy代理“上游连接错误或在标头之前断开连接/重置。重置原因：连接失败”

Question

我有一个服务网格使节代理配置问题。配置基于官方特使代理站点https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/front_proxy和本ssl课程：https://www.envoyproxy.io/learn/ssl的示例。

我尝试了端口（80,443），命名，域，nginx config等的许多不同组合，但是没有用。

这是我的前置代理：

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    listener_filters:
      - name: "envoy.listener.tls_inspector"
        typed_config: {}
    filter_chains:
    - filter_chain_match:
        server_names: ["example.com", "www.example.com", "api.example.com", "test.example.com"]
      tls_context:
        common_tls_context:
          tls_certificates:
            - certificate_chain:
                filename: "/etc/example-ai.pem"
              private_key:
                filename: "/etc/example-ai.key"
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
            - name: envoy.file_access_log
              config:
                path: "/var/log/access.log"
          route_config:
            virtual_hosts:
            - name: services
              domains:
              - ["*.example.com","example.com"]
              routes:
              - match:
                  prefix: "/"
                redirect:
                  path_redirect: "/"
                  https_redirect: true
          http_filters:
            - name: envoy.router
              config: {}
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
    listener_filters:
      - name: "envoy.listener.tls_inspector"
        typed_config: {}
    filter_chains:
    - filter_chain_match:
        server_names: ["api.example.com"]
      tls_context:
        common_tls_context:
          tls_certificates:
            - certificate_chain:
                filename: "/etc/example-ai.pem"
              private_key:
                filename: "/etc/example-ai.key"
      filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            virtual_hosts:
            - name: api
              domains:
              - ["*.example.com","example.com"]
              routes:
              - match:
                  prefix: "/v1"
                route:
                  cluster: api
          http_filters:
          - name: envoy.router
            config: {}
    - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          access_log:
            - name: envoy.file_access_log
              config:
                path: "/var/log/access.log"
          route_config:
            name: local_route
            virtual_hosts:
            - name: services
              domains:
              - ["*.example.com","example.com"]
              routes:
              - match:
                  prefix: "/v1"
                route:
                  cluster: api
              - match:
                  prefix: "/"
                route:
                  cluster: frontend
          http_filters:
          - name: envoy.router
            config: {}
      tls_context:
        common_tls_context:
          tls_certificates:
            - certificate_chain:
                filename: "/etc/example-ai.pem"
              private_key:
                filename: "/etc/example-ai.key"

  clusters:
  - name: frontend
    connect_timeout: 1s
    type: strict_dns
    lb_policy: round_robin
    # http2_protocol_options: {}
    hosts:
    - socket_address:
        address: frontend
        port_value: 80
  - name: api
    connect_timeout: 1s
    type: strict_dns
    lb_policy: round_robin
    # http2_protocol_options: {}
    hosts:
    - socket_address:
        address: api
        port_value: 80
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8001

和连接失败的上游服务：

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
      tls_context:
        common_tls_context:
          tls_certificates:
            - certificate_chain:
                filename: "/etc/example-ai.pem"
              private_key:
                filename: "/etc/example-ai.key"
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          access_log:
            - name: envoy.file_access_log
              config:
                path: "/var/log/access.log"
          route_config:
            name: local_route
            virtual_hosts:
            - name: api
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/v1"
                route:
                  cluster: local_api
          http_filters:
          - name: envoy.router
            typed_config: {}
  clusters:
  - name: local_api
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: local_api
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 443
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8082

这是/etc/nginx/conf.d/default.conf：

map $http_origin $cors_header {
    default "";
    "~^https?://[^/]+\.example\.ai(:[0-9]+)?$" "$http_origin";
}

server {
    listen       80;
    server_name  example.ai;
    root /usr/share/nginx/html;
    #charset koi8-r;
    access_log  /var/log/nginx/host.access.log  main;

    index index.html;

    location / {


      add_header 'Access-Control-Allow-Origin' 'api.example.ai' always;
      add_header 'Access-Control-Allow-Credentials' 'true' always;
      add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
      add_header 'Access-Control-Allow-Headers' 'Accept,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
      add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
      # required to be able to read Authorization header in frontend
      #add_header 'Access-Control-Expose-Headers' 'Authorization' always;


      if ($request_method = 'OPTIONS') {
          # Tell client that this pre-flight info is valid for 20 days
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
      }

      # render react page refreshes
      if (!-e $request_filename){
        rewrite ^(.*)$ /index.html break;
      }

      try_files $uri $uri/ =404;
      error_log /var/log/nginx/error.log debug;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

感谢任何故障排除提示！