Setting up an Envoy proxy can help websites scale, especially in a Dockerized world of microservices. As websites grow, routing traffic becomes increasingly complicated. Different subdomains, domains, and paths might need to be routed to different backend servers. TLS (HTTPS) certificates need to be managed, monitoring/observability becomes important, and things like WebSockets, gRPC, statelessness, and Kubernetes might play a role.
Check out the open-source Switchboard project on GitHub. You can pull it from
Envoy Proxy + LetsEncrypt + Docker
Switchboard resembles a Kubernetes ingress controller, but is more powerful and more portable. For example, it manages SSL certificate generation and renewal while still achieving statelessness. The Docker container may be configured with any combination of mounted config directories and environment variables. This makes it easy to set up via docker-compose, Kubernetes, or any system that can deploy containers.
- TLS termination (HTTPS)
- WebSockets
- HTTP->HTTPS redirection
- Domain name redirection
- Sharding (different subdomains for different environments)
- Automatic certificate generation via CertBot/LetsEncrypt
- Stateless (certificate backup via S3)
Envoy Kubernetes Ingress
This example assumes kube2iam for AWS authentication in order to achieve the S3 backup-and-restore of certbot-generated certificates. It also tweaks the default logging formats to structured JSON, making it well suited for a variety of ingestion pipelines. Finally, it provides samples of readiness and liveness checks.
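The TLS termination, WebSocket and structured JSON logging features described above map onto Envoy's v3 API roughly as follows. This is an added, hand-written static config, not Switchboard's generated output; the hostname `example.com`, the certbot certificate paths and the `app:8080` backend are assumptions.

```yaml
# Added example, not Switchboard output; example.com, cert paths and app:8080 are assumed.
static_resources:
  listeners:
  - name: https
    address: { socket_address: { address: 0.0.0.0, port_value: 443 } }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_params: { tls_minimum_protocol_version: TLSv1_2 }  # refuse TLS 1.0/1.1 clients
            tls_certificates:  # certbot's default live/ directory layout
            - certificate_chain: { filename: /etc/letsencrypt/live/example.com/fullchain.pem }
              private_key: { filename: /etc/letsencrypt/live/example.com/privkey.pem }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          upgrade_configs: [{ upgrade_type: websocket }]  # permit WebSocket upgrades
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              log_format:
                json_format:  # one JSON object per request on stdout
                  start_time: "%START_TIME%"
                  method: "%REQ(:METHOD)%"
                  path: "%REQ(:PATH)%"
                  status: "%RESPONSE_CODE%"
                  client: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            virtual_hosts:
            - name: app
              domains: ["example.com"]
              routes: [{ match: { prefix: "/" }, route: { cluster: app } }]
  clusters:
  - name: app
    type: STRICT_DNS
    load_assignment:
      cluster_name: app
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: app, port_value: 8080 } } }
```

Running `envoy --mode validate -c <file>` checks a config like this without opening any listeners.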
I have this deployed on AWS in order to keep costs low (as an alternative to using ELBs):