Envoy Proxy Cheat Sheet
Installation

| Platform | Command |
|---|---|
| Ubuntu/Debian | `curl -sL 'https://deb.dl.getenvoy.io/public/gpg.8115BA8E629CC074.key' \| …` |
| macOS | `brew install envoy` |
| Docker | `docker pull envoyproxy/envoy:v1.28-latest` |
| Binary (Linux) | `curl -L https://github.com/envoyproxy/envoy/releases/download/v1.28.0/envoy-1.28.0-linux-x86_64 -o envoy && chmod +x envoy && sudo mv envoy /usr/local/bin/` |
| RHEL/CentOS | `curl -sL 'https://rpm.dl.getenvoy.io/public/gpg.CF716AF503183491.key' \| …` |
| Kubernetes (Helm) | `helm repo add bitnami https://charts.bitnami.com/bitnami && helm install my-envoy bitnami/envoy` |
| Verify Installation | `envoy --version` |
Basic Commands

| Command | Description |
|---|---|
| `envoy -c envoy.yaml` | Start Envoy with the specified configuration file |
| `envoy --version` | Show Envoy version information |
| `envoy --help` | Show all available command-line options |
| `envoy --mode validate -c envoy.yaml` | Validate the configuration file without starting Envoy |
| `envoy -c envoy.yaml --log-level info` | Start with a specific log level (trace, debug, info, warn, error, critical) |
| `envoy -c envoy.yaml --component-log-level upstream:debug` | Set the log level for a specific component |
| `envoy -c envoy.yaml --service-cluster my-cluster` | Start with a service cluster identifier |
| `envoy -c envoy.yaml --service-node node-1` | Start with a service node identifier |
| `envoy -c envoy.yaml --base-id 0` | Set the base ID used for hot restart |
| `envoy -c envoy.yaml --restart-epoch 1` | Perform a hot restart with the given epoch number |
| `envoy -c envoy.yaml --drain-time-s 60` | Set the drain time for graceful shutdown (seconds) |
| `envoy -c envoy.yaml --parent-shutdown-time-s 90` | Set the parent shutdown time during hot restart |
| `envoy -c envoy.yaml --concurrency 4` | Set the number of worker threads |
| `envoy -c envoy.yaml --disable-hot-restart` | Disable hot restart |
| `envoy --help-hidden` | Show hidden/advanced command-line options |
Admin Interface Commands

| Command | Description |
|---|---|
| `curl http://localhost:9901/server_info` | Get server information and current state |
| `curl http://localhost:9901/stats` | Retrieve all statistics in plain-text format |
| `curl http://localhost:9901/stats/prometheus` | Export statistics in Prometheus format |
| `curl 'http://localhost:9901/stats?format=json'` | Get statistics in JSON format |
| `curl 'http://localhost:9901/stats?filter=cluster.outbound'` | Filter statistics by prefix |
| `curl 'http://localhost:9901/stats?usedonly'` | Show only statistics with non-zero values |
| `curl http://localhost:9901/config_dump` | Dump the complete current configuration |
| `curl 'http://localhost:9901/config_dump?resource=bootstrap'` | Dump only the bootstrap configuration |
| `curl 'http://localhost:9901/config_dump?resource=dynamic_listeners'` | Dump the dynamic listener configuration |
| `curl 'http://localhost:9901/config_dump?resource=dynamic_clusters'` | Dump the dynamic cluster configuration |
| `curl http://localhost:9901/clusters` | Show detailed cluster information and health status |
| `curl http://localhost:9901/listeners` | Get detailed listener information |
| `curl http://localhost:9901/ready` | Check whether Envoy is ready to serve traffic |
| `curl -X POST http://localhost:9901/healthcheck/fail` | Mark the server as failing health checks |
| `curl -X POST http://localhost:9901/healthcheck/ok` | Mark the server as healthy for health checks |
| `curl -X POST http://localhost:9901/reset_counters` | Reset all statistics counters to zero |
| `curl -X POST http://localhost:9901/drain_listeners` | Drain listeners for graceful shutdown |
| `curl -X POST 'http://localhost:9901/logging?level=debug'` | Change the global log level at runtime |
| `curl -X POST 'http://localhost:9901/logging?upstream=debug'` | Change the log level of a single component |
| `curl -X POST 'http://localhost:9901/runtime_modify?key=value'` | Modify a runtime configuration value |
Advanced Usage

| Command | Description |
|---|---|
| `curl http://localhost:9901/stats \| grep circuit_breakers` | Monitor circuit breaker status |
| `curl http://localhost:9901/stats \| grep outlier_detection` | Check outlier detection events |
| `curl http://localhost:9901/stats \| grep ratelimit` | Show rate limit statistics |
| `curl http://localhost:9901/stats \| grep upstream_rq_retry` | View retry statistics |
| `curl http://localhost:9901/stats \| grep ssl` | Check TLS statistics |
| `curl http://localhost:9901/stats \| grep http.ingress.downstream_rq` | Show downstream request statistics |
| `curl http://localhost:9901/clusters \| grep health_flags` | Show the health flags of cluster hosts |
| `curl http://localhost:9901/config_dump \| jq '.configs[].bootstrap.tracing'` | Show the tracing section of the bootstrap configuration |
| `curl http://localhost:9901/config_dump \| jq '.configs[].dynamic_active_clusters'` | Show the dynamically configured active clusters |
| `curl 'http://localhost:9901/stats?format=json' \| jq '.stats[] \| …` | Filter JSON statistics with jq |
| `curl http://localhost:9901/listeners \| grep -A 5 "address"` | Show listener addresses |
| `curl http://localhost:9901/stats/prometheus \| grep envoy_cluster_upstream_rq_total` | Show upstream request totals in Prometheus format |
| `docker run -d -v $(pwd)/envoy.yaml:/etc/envoy/envoy.yaml -p 9901:9901 -p 10000:10000 envoyproxy/envoy:v1.28-latest` | Run Envoy in Docker with a mounted configuration |
| `kubectl create configmap envoy-config --from-file=envoy.yaml` | Create a Kubernetes ConfigMap for the Envoy configuration |
| `kubectl logs -f deployment/envoy` | Follow Envoy logs in Kubernetes |
| `envoy -c envoy.yaml --log-format '[%Y-%m-%d %T.%e][%t][%l] %v'` | Start with a custom log format |
| `curl http://localhost:9901/certs` | Show information about loaded TLS certificates |
| `curl http://localhost:9901/memory` | Show memory allocation statistics |
| `curl http://localhost:9901/contention` | Show mutex contention statistics (if enabled) |
| `curl -X POST 'http://localhost:9901/cpuprofiler?enable=y'` | Enable CPU profiling (if compiled with profiling support) |
Configuration
Basic Configuration Structure

```yaml
# envoy.yaml - Minimal configuration
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: service_backend
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: service_backend
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend-service
                port_value: 8080
admin:
  address:
    socket_address:
      # The admin API has no authentication; 0.0.0.0 exposes it on every interface.
      address: 0.0.0.0
      port_value: 9901
```
Dynamic Configuration (xDS)

```yaml
# envoy-dynamic.yaml - Control plane configuration
node:
  cluster: my-cluster
  id: node-1
dynamic_resources:
  lds_config:
    resource_api_version: V3
    api_config_source:
      api_type: GRPC
      transport_api_version: V3
      grpc_services:
      - envoy_grpc:
          cluster_name: xds_cluster
  cds_config:
    resource_api_version: V3
    api_config_source:
      api_type: GRPC
      transport_api_version: V3
      grpc_services:
      - envoy_grpc:
          cluster_name: xds_cluster
static_resources:
  clusters:
  - name: xds_cluster
    connect_timeout: 1s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    http2_protocol_options: {}
    load_assignment:
      cluster_name: xds_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: control-plane
                port_value: 18000
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
```
Advanced Feature Configuration

```yaml
# Circuit breaker and outlier detection
clusters:
- name: backend_service
  connect_timeout: 0.25s
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  circuit_breakers:
    thresholds:
    - priority: DEFAULT
      max_connections: 1024
      max_pending_requests: 1024
      max_requests: 1024
      max_retries: 3
  outlier_detection:
    consecutive_5xx: 5
    interval: 30s
    base_ejection_time: 30s
    max_ejection_percent: 50
    enforcing_consecutive_5xx: 100
  load_assignment:
    cluster_name: backend_service
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: backend
              port_value: 8080
          health_check_config:
            port_value: 8081
```
TLS Configuration

```yaml
# TLS termination
listeners:
- name: https_listener
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  filter_chains:
  - filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_https
        route_config:
          name: local_route
          virtual_hosts:
          - name: backend
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: backend_service
        http_filters:
        - name: envoy.filters.http.router
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: /etc/ssl/certs/server.crt
            private_key:
              filename: /etc/ssl/private/server.key
```
Common Use Cases
Use Case: Basic HTTP Proxy
Set up Envoy as a simple HTTP proxy that forwards traffic to a backend service.

```bash
# Create configuration file
cat > envoy.yaml << EOF
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: backend_cluster
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_cluster
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: backend_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: localhost
                port_value: 3000
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
EOF

# Start Envoy
envoy -c envoy.yaml

# Test the proxy
curl http://localhost:8080

# Monitor statistics
curl http://localhost:9901/stats | grep http
```
Use Case: Load Balancing Across Multiple Backends
Configure Envoy to load balance across multiple backend instances with health checks.

```bash
# Create load balancing configuration
cat > envoy-lb.yaml << EOF
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: backend_cluster
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_cluster
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    health_checks:
    - timeout: 1s
      interval: 10s
      unhealthy_threshold: 2
      healthy_threshold: 2
      http_health_check:
        path: /health
    load_assignment:
      cluster_name: backend_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend1.example.com
                port_value: 8080
        - endpoint:
            address:
              socket_address:
                address: backend2.example.com
                port_value: 8080
        - endpoint:
            address:
              socket_address:
                address: backend3.example.com
                port_value: 8080
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
EOF

# Start Envoy with load balancing
envoy -c envoy-lb.yaml

# Check cluster health status
curl http://localhost:9901/clusters

# Monitor load distribution
watch -n 1 'curl -s http://localhost:9901/stats | grep backend_cluster.upstream_rq_total'
```
Use Case: TLS Termination and Re-encryption
Configure Envoy to terminate TLS from clients and re-encrypt traffic to the backend.

```bash
# Generate self-signed certificates for testing
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes -subj "/CN=localhost"

# Create TLS configuration
cat > envoy-tls.yaml << EOF
static_resources:
  listeners:
  - name: https_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: secure_backend
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: server.crt
              private_key:
                filename: server.key
  clusters:
  - name: secure_backend
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        # No validation_context is set, so the backend certificate is not verified.
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    load_assignment:
      cluster_name: secure_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend.example.com
                port_value: 443
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
EOF

# Start Envoy with TLS
envoy -c envoy-tls.yaml

# Test TLS connection
curl -k https://localhost

# Check TLS statistics
curl http://localhost:9901/stats | grep ssl
```
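The configurations in this cheat sheet bind the admin interface to `0.0.0.0`, and the `secure_backend` cluster uses an `UpstreamTlsContext` with no validation settings, so traffic to the backend is encrypted but the backend's identity is not checked. The following audit is an added example, not part of the original cheat sheet or of Envoy itself; `audit_bootstrap`, `sample` and the CA bundle path are assumptions, and the input is a constructed dict mirroring the admin and cluster parts of `envoy-tls.yaml`.

```python
UPSTREAM_TLS = ("type.googleapis.com/envoy.extensions.transport_sockets"
                ".tls.v3.UpstreamTlsContext")

def audit_bootstrap(cfg):
    """Return findings for an Envoy bootstrap loaded as a dict (YAML or JSON)."""
    findings = []
    # The admin API is unauthenticated and accepts state-changing POSTs.
    sock = cfg.get("admin", {}).get("address", {}).get("socket_address")
    if sock and sock.get("address") not in ("127.0.0.1", "::1"):
        findings.append(f"admin: bound to {sock.get('address')}, not loopback")
    for cluster in cfg.get("static_resources", {}).get("clusters", []):
        tls = cluster.get("transport_socket", {}).get("typed_config", {})
        if tls.get("@type") != UPSTREAM_TLS:
            continue
        name = cluster.get("name", "?")
        # Only the inline validation_context form is inspected (no SDS).
        vc = tls.get("common_tls_context", {}).get("validation_context")
        if not vc or "trusted_ca" not in vc:
            findings.append(f"{name}: upstream certificate is not verified")
        elif not vc.get("match_typed_subject_alt_names"):
            findings.append(f"{name}: upstream certificate name is not checked")
        if not tls.get("sni"):
            findings.append(f"{name}: no SNI sent to the upstream")
    return findings

def sample(admin_addr, upstream_tls):
    # Constructed input: admin and cluster parts of the page's envoy-tls.yaml.
    return {
        "admin": {"address": {"socket_address": {"address": admin_addr,
                                                 "port_value": 9901}}},
        "static_resources": {"clusters": [{
            "name": "secure_backend",
            "transport_socket": {"typed_config": {"@type": UPSTREAM_TLS,
                                                  **upstream_tls}}}]},
    }

AS_ON_PAGE = sample("0.0.0.0", {})
HARDENED = sample("127.0.0.1", {
    "sni": "backend.example.com",
    "common_tls_context": {"validation_context": {
        # Assumed CA bundle path; use the CA that issued the backend certificate.
        "trusted_ca": {"filename": "/etc/ssl/certs/ca-certificates.crt"},
        "match_typed_subject_alt_names": [
            {"san_type": "DNS", "matcher": {"exact": "backend.example.com"}}]}},
})

if __name__ == "__main__":
    for label, cfg in (("as on page", AS_ON_PAGE), ("hardened", HARDENED)):
        print(label, audit_bootstrap(cfg) or "no findings")
```

The same function works on a real bootstrap once it is loaded into a dict, for example from the JSON returned by `/config_dump?resource=bootstrap`.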
Use Case: Rate Limiting and Circuit Breaking
Implement rate limiting and circuit breaking for resilient service-to-service communication.

```bash
# Create resilience configuration
cat > envoy-resilience.yaml << EOF
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: protected_backend
                  retry_policy:
                    retry_on: "5xx"
                    num_retries: 3
                    per_try_timeout: 1s
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: protected_backend
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    circuit_breakers:
      thresholds:
      - priority: DEFAULT
        max_connections: 100
        max_pending_requests: 100
        max_requests: 100
        max_retries: 3
    outlier_detection:
      consecutive_5xx: 5
      interval: 10s
      base_ejection_time: 30s
      max_ejection_percent: 50
    load_assignment:
      cluster_name: protected_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend.example.com
                port_value: 8080
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
EOF

# Start Envoy with resilience features
envoy -c envoy-resilience.yaml

# Monitor circuit breaker status
curl http://localhost:9901/stats | grep circuit_breakers

# Check outlier detection events
curl http://localhost:9901/stats | grep outlier_detection

# View retry statistics
curl http://localhost:9901/stats | grep retry
```
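The three `grep` commands above return raw counters and gauges; the sketch below turns the same `/stats` text into a per-cluster summary of tripped circuit breakers, ejected hosts and requests rejected by the limits. It is an added example, not part of the original cheat sheet; the function names are assumptions and `SAMPLE_STATS` is constructed output with invented values.

```python
import re

# Constructed sample of `curl -s http://localhost:9901/stats` output for the
# protected_backend cluster; the values are invented for illustration.
SAMPLE_STATS = """\
cluster.protected_backend.circuit_breakers.default.cx_open: 0
cluster.protected_backend.circuit_breakers.default.rq_open: 1
cluster.protected_backend.circuit_breakers.default.rq_pending_open: 0
cluster.protected_backend.circuit_breakers.default.rq_retry_open: 1
cluster.protected_backend.outlier_detection.ejections_active: 1
cluster.protected_backend.outlier_detection.ejections_enforced_total: 4
cluster.protected_backend.upstream_rq_pending_overflow: 17
cluster.protected_backend.upstream_rq_retry: 42
cluster.protected_backend.upstream_rq_retry_overflow: 9
cluster.protected_backend.upstream_rq_total: 1200
cluster.protected_backend.upstream_rq_time: P0(nan,1) P50(nan,12) P99(nan,250)
http.ingress_http.downstream_rq_5xx: 26
"""

# Counters and gauges are "name: integer"; histogram lines do not match.
STAT = re.compile(r"^cluster\.([^.]+)\.(\S+): (\d+)$")

def cluster_stats(text):
    """Group integer stats by cluster (assumes cluster names contain no dots)."""
    out = {}
    for line in text.splitlines():
        m = STAT.match(line.strip())
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return out

def resilience_report(text):
    """Per cluster: tripped breakers, ejected hosts, rejected requests and retries."""
    report = {}
    for name, s in cluster_stats(text).items():
        tripped = sorted(k.split(".")[-1] for k, v in s.items()
                         if k.startswith("circuit_breakers.") and k.endswith("_open") and v)
        report[name] = {
            "tripped_breakers": tripped,  # gauge is 1 while the limit is reached
            "ejected_hosts": s.get("outlier_detection.ejections_active", 0),
            "rejected_requests": s.get("upstream_rq_pending_overflow", 0),
            "retries_denied": s.get("upstream_rq_retry_overflow", 0),
        }
    return report

if __name__ == "__main__":
    print(resilience_report(SAMPLE_STATS))
```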
Use Case: Observability with Distributed Tracing
Configure Envoy with distributed tracing for microservice observability.
# Create tracing configuration
cat > envoy-tracing.yaml << EOF
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix