Deploying Envoy Proxy as a service-mesh proxy on a 搬瓦工 (Bandwagon Host) VPS
Envoy is a high-performance L4/L7 proxy developed by Lyft and donated to the CNCF. It is widely used as a service-mesh sidecar, an API gateway and an edge proxy, and it is the data-plane component of Istio, AWS App Mesh and several other service meshes. Envoy proxies HTTP/2, gRPC and WebSocket traffic and ships with strong observability and traffic-management features. This tutorial walks through deploying Envoy Proxy with Docker on a Bandwagon Host VPS, from a basic static configuration to the more advanced traffic-management features. Docker and Docker Compose must be installed before you start.
1. Envoy core concepts
Reading an Envoy configuration requires the following concepts:
- Listener: the address, port and protocol on which Envoy accepts inbound connections.
- Filter chain: the ordered network filters that process a connection, e.g. TLS termination and the HTTP connection manager that performs routing.
- Cluster: a named group of upstream endpoints together with its load-balancing policy, timeouts and circuit breakers.
- Route: a rule inside the HTTP connection manager that matches a request (host, path, headers) to a cluster.
- Endpoint: a concrete upstream address and port inside a cluster.
2. System requirements
- Operating system: Ubuntu 20.04+ or Debian 11+
- Memory: at least 512 MB, 1 GB or more recommended
- Docker: Docker and Docker Compose v2 (the `docker compose` subcommand) installed
3. Basic deployment: front proxy mode
3.1 Create the project directory
mkdir -p /opt/envoy && cd /opt/envoy
3.2 Write the static Envoy configuration
Create envoy.yaml. Envoy's YAML is indentation-sensitive, so keep the nesting exactly as shown. The listener on port 10000 routes by path prefix to three clusters. Note that `prefix: "/api/v1"` is a plain string prefix and also matches `/api/v10`; use `path_separated_prefix` or order the routes carefully if that matters. The admin interface has no authentication: it is bound to 0.0.0.0 only so that the port mapping in docker-compose.yml can reach it, and that mapping is restricted to 127.0.0.1 on the host.
cat > envoy.yaml <<'EOF'
static_resources:
  listeners:
  - name: front_proxy
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              # Routes are evaluated in order; the "/" catch-all must stay last.
              - match:
                  prefix: "/api/v1"
                route:
                  cluster: api_service
                  timeout: 30s
              - match:
                  prefix: "/api/v2"
                route:
                  cluster: api_v2_service
                  timeout: 30s
              - match:
                  prefix: "/"
                route:
                  cluster: web_service
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: api_service
    connect_timeout: 5s
    type: STRICT_DNS   # re-resolves the Compose service name, so restarted containers are picked up
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: api_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: api-server
                port_value: 3000
  - name: api_v2_service
    connect_timeout: 5s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: api_v2_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: api-v2-server
                port_value: 3000
  - name: web_service
    connect_timeout: 5s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: web_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: web-server
                port_value: 80
admin:
  address:
    socket_address:
      address: 0.0.0.0   # unauthenticated; only exposed to the host via the 127.0.0.1 port mapping in docker-compose.yml
      port_value: 9901
EOF
3.3 Write docker-compose.yml
The `version` key is obsolete with Compose v2 and is left out. The three backends publish no ports, so they are reachable only through Envoy on the Compose network:
services:
  envoy:
    image: envoyproxy/envoy:v1.30-latest
    container_name: envoy
    restart: always
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml:ro
    ports:
      - "10000:10000"
      - "127.0.0.1:9901:9901"   # admin API is unauthenticated: never publish it on a public interface
    command: envoy -c /etc/envoy/envoy.yaml --log-level info
  web-server:
    image: nginx:alpine
    container_name: web-server
  api-server:
    image: hashicorp/http-echo:latest
    container_name: api-server
    command: ["-text=API v1 Response", "-listen=:3000"]
  api-v2-server:
    image: hashicorp/http-echo:latest
    container_name: api-v2-server
    command: ["-text=API v2 Response", "-listen=:3000"]
3.4 Start and verify
cd /opt/envoy
docker compose up -d
# Test the front proxy: expect the nginx welcome page, then "API v1 Response" and "API v2 Response"
curl http://localhost:10000/
curl http://localhost:10000/api/v1
curl http://localhost:10000/api/v2
# Envoy admin interface (reachable only from the host itself because of the 127.0.0.1 mapping)
curl http://localhost:9901/stats
4. Advanced traffic management
4.1 Weighted routing (canary release)
Replace the single `cluster` of a route with `weighted_clusters` to split traffic between versions; the weights are shares of `total_weight`, which defaults to 100. Each request is assigned independently, so one client can alternate between versions; for a sticky canary combine this with a header match or a hash policy:
routes:
- match:
    prefix: "/api/v1"
  route:
    weighted_clusters:
      clusters:
      - name: api_service
        weight: 90
      - name: api_v2_service
        weight: 10
4.2 Retry policy
`retry_on: 5xx` already covers connection failures and resets, so the extra values below are redundant but harmless. Two caveats: retries re-send the request, so keep non-idempotent routes (POST that creates orders, for example) on a separate route without a retry policy; and `num_retries: 3` means up to four attempts, while the route-level `timeout` (30s in 3.2) bounds all attempts together, so with `per_try_timeout: 10s` the last attempt can be cut short. The cluster's `max_retries` circuit breaker (4.3) caps concurrent retries cluster-wide and is what prevents a retry storm:
routes:
- match:
    prefix: "/api"
  route:
    cluster: api_service
    retry_policy:
      retry_on: "5xx,connect-failure,reset"
      num_retries: 3
      per_try_timeout: 10s
4.3 Circuit breaking
Add circuit-breaker thresholds and outlier detection to the cluster (the `load_assignment` from 3.2 stays as it is). When a threshold is exceeded, Envoy fails the request immediately with a 503 and response flag `UO` instead of queuing it. Outlier detection removes an endpoint from load balancing after five consecutive 5xx responses for at least 30s; `max_ejection_percent: 50` keeps ejection from ever removing more than half of the endpoints, so a cluster-wide failure does not empty the cluster. With the single endpoint per cluster in 3.2 there is nothing to fail over to, so outlier detection only pays off once a cluster has several endpoints:
clusters:
- name: api_service
  connect_timeout: 5s
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  circuit_breakers:
    thresholds:
    - priority: DEFAULT
      max_connections: 100        # concurrent upstream connections
      max_pending_requests: 50    # requests waiting for a connection
      max_requests: 200           # concurrent requests (HTTP/2)
      max_retries: 3              # concurrent retries across the whole cluster
  outlier_detection:
    consecutive_5xx: 5
    interval: 10s                 # how often hosts are checked for un-ejection
    base_ejection_time: 30s
    max_ejection_percent: 50
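To see how the three outlier-detection settings above interact before deploying them, here is an added example that is not Envoy's code and not part of the original tutorial: a simplified Python model of consecutive-5xx ejection. It assumes a two-endpoint api_service with the page's values, uses constructed host names and traffic, and leaves out Envoy's interval sweeps, ejection-time multiplier and success-rate detector.

```python
"""Model of Envoy's consecutive-5xx outlier ejection for the parameters in 4.3.

Added example, not Envoy's own code: a simplified model of how consecutive_5xx,
base_ejection_time and max_ejection_percent interact. Real Envoy additionally
sweeps hosts every `interval`, multiplies the ejection time on repeated
ejections, and has success-rate and local-origin detectors; none of that is
modelled here. Host names and traffic below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OutlierConfig:
    consecutive_5xx: int = 5          # values from the tutorial's outlier_detection block
    base_ejection_time: float = 30.0  # seconds
    max_ejection_percent: int = 50


@dataclass
class Host:
    address: str
    consecutive_5xx: int = 0
    ejected_until: Optional[float] = None

    def is_ejected(self, now: float) -> bool:
        return self.ejected_until is not None and now < self.ejected_until


class Cluster:
    def __init__(self, addresses: List[str], config: OutlierConfig):
        self.hosts = [Host(a) for a in addresses]
        self.config = config

    def healthy(self, now: float) -> List[str]:
        """Addresses still eligible for load balancing at time `now`."""
        return [h.address for h in self.hosts if not h.is_ejected(now)]

    def record(self, address: str, status: int, now: float) -> bool:
        """Feed one upstream response. Returns True if it caused an ejection."""
        host = next(h for h in self.hosts if h.address == address)
        if status < 500:
            host.consecutive_5xx = 0      # any success resets the streak
            return False
        host.consecutive_5xx += 1
        if host.consecutive_5xx < self.config.consecutive_5xx:
            return False
        host.consecutive_5xx = 0          # threshold reached: the streak restarts either way
        if host.is_ejected(now):
            return False
        # Ejection is refused when it would push the cluster above max_ejection_percent,
        # which is what keeps at least one endpoint in rotation when everything fails.
        ejected_after = sum(h.is_ejected(now) for h in self.hosts) + 1
        if 100 * ejected_after / len(self.hosts) > self.config.max_ejection_percent:
            return False
        host.ejected_until = now + self.config.base_ejection_time
        return True


def scenario() -> dict:
    """Two endpoints behind api_service with the tutorial's parameters (constructed traffic)."""
    cluster = Cluster(["api-a:3000", "api-b:3000"], OutlierConfig())
    seen = {}
    # Four errors followed by a success: the streak resets, nothing is ejected.
    for i in range(4):
        cluster.record("api-a:3000", 503, now=0.1 * i)
    cluster.record("api-a:3000", 200, now=0.5)
    seen["after_reset"] = cluster.healthy(0.6)
    # Five consecutive errors: api-a is ejected for base_ejection_time.
    for i in range(5):
        cluster.record("api-a:3000", 503, now=1.0 + 0.1 * i)
    seen["after_a_fails"] = cluster.healthy(2.0)
    # api-b fails too, but ejecting it would leave 100% ejected (> 50%): it stays in rotation.
    for i in range(5):
        cluster.record("api-b:3000", 503, now=2.0 + 0.1 * i)
    seen["after_b_fails"] = cluster.healthy(3.0)
    # After base_ejection_time the ejected host is tried again.
    seen["after_ejection_time"] = cluster.healthy(1.4 + 30.0 + 0.1)
    return seen


if __name__ == "__main__":
    for step, hosts in scenario().items():
        print(f"{step:22} healthy={hosts}")
```

Run it and compare the healthy set after each step with what you would expect from your own cluster size: the model makes it obvious that with one endpoint per cluster, as in 3.2, the percentage cap means there is never anything to eject.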
5. Observability
5.1 Access logs
Add `access_log` inside the HTTP connection manager's typed_config (next to `stat_prefix`). Logging to stdout means `docker logs envoy` carries both the process log and the access log. The fields below are the tutorial's minimum; when debugging the resilience features from section 4 it is worth adding `%RESPONSE_FLAGS%` (values such as UO, UH, UT, URX tell you which mechanism produced a 503/504) and `%DOWNSTREAM_REMOTE_ADDRESS%`:
access_log:
- name: envoy.access_loggers.stdout
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
    log_format:
      json_format:
        time: "%START_TIME%"
        method: "%REQ(:METHOD)%"
        path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"   # original path if a filter rewrote it
        status: "%RESPONSE_CODE%"
        duration: "%DURATION%"                       # milliseconds, request start to last byte sent
        upstream: "%UPSTREAM_HOST%"
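The JSON lines are easy to feed into a script, which is how you would check whether the retry, circuit-breaker and outlier-detection settings from section 4 are firing. The following is an added example, not part of the tutorial or of Envoy: it parses lines in the format above plus a `flags: "%RESPONSE_FLAGS%"` field that this example assumes you added, computes the 5xx ratio per upstream, and reports the response flags that point at resilience mechanisms. The log lines in it are constructed.

```python
"""Triage Envoy JSON access logs: per-upstream 5xx ratio and response flags.

Added example, not part of the original tutorial or of Envoy. It assumes the
json_format from section 5.1 plus one extra field that this example expects
the operator to add:
    flags: "%RESPONSE_FLAGS%"
The log lines in SAMPLE_LOG are constructed for the example.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Envoy response flags that indicate a resilience mechanism fired.
FLAG_MEANING = {
    "UO": "upstream overflow: a circuit breaker threshold tripped",
    "UH": "no healthy upstream host in the cluster",
    "UF": "upstream connection failure",
    "UT": "upstream request timeout",
    "URX": "retry limit exceeded",
}

# Constructed sample: numeric fields arrive as JSON numbers, a missing upstream as null,
# and `docker logs` interleaves Envoy's own process log lines with the access log.
SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:00.000Z","method":"GET","path":"/api/v1/users","status":200,"duration":12,"upstream":"172.18.0.3:3000","flags":"-"}
{"time":"2024-05-01T10:00:01.000Z","method":"GET","path":"/api/v1/users","status":503,"duration":21,"upstream":"172.18.0.3:3000","flags":"UF,URX"}
{"time":"2024-05-01T10:00:01.200Z","method":"POST","path":"/api/v1/orders","status":503,"duration":0,"upstream":null,"flags":"UO"}
{"time":"2024-05-01T10:00:01.400Z","method":"GET","path":"/api/v1/orders","status":504,"duration":30001,"upstream":"172.18.0.3:3000","flags":"UT"}
{"time":"2024-05-01T10:00:02.000Z","method":"GET","path":"/","status":200,"duration":3,"upstream":"172.18.0.2:80","flags":"-"}
{"time":"2024-05-01T10:00:02.500Z","method":"GET","path":"/api/v2/items","status":500,"duration":8,"upstream":"172.18.0.4:3000","flags":"-"}
{"time":"2024-05-01T10:00:03.000Z","method":"GET","path":"/api/v2/items","status":200,"duration":7,"upstream":"172.18.0.4:3000","flags":"-"}
{"time":"2024-05-01T10:00:03.500Z","method":"GET","path":"/api/v2/items","status":200,"duration":6,"upstream":"172.18.0.4:3000","flags":"-"}
[2024-05-01 10:00:04.000][1][warning][main] this is an Envoy process log line, not an access log entry
"""


def parse_log(text: str) -> List[dict]:
    """Keep only lines that are JSON objects with a status field; skip process log noise."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "status" in rec:
            records.append(rec)
    return records


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per-upstream request count, 5xx count and histogram of response flags."""
    stats = defaultdict(lambda: {"requests": 0, "5xx": 0, "flags": Counter()})
    for rec in records:
        upstream = rec.get("upstream") or "-"   # null or "-" when no endpoint was selected
        entry = stats[upstream]
        entry["requests"] += 1
        if int(rec["status"]) >= 500:
            entry["5xx"] += 1
        for flag in str(rec.get("flags") or "-").split(","):
            if flag and flag != "-":
                entry["flags"][flag] += 1
    return dict(stats)


def alerts(stats: Dict[str, dict], max_5xx_ratio: float = 0.5, min_requests: int = 2) -> List[str]:
    """Findings: upstreams with a high 5xx ratio, and flags showing retries, timeouts or breakers firing."""
    findings = []
    for upstream, s in sorted(stats.items()):
        ratio = s["5xx"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= max_5xx_ratio:
            findings.append(f"{upstream}: {s['5xx']}/{s['requests']} responses were 5xx ({ratio:.0%})")
        for flag, n in sorted(s["flags"].items()):
            if flag in FLAG_MEANING:
                findings.append(f"{upstream}: {n}x {flag} ({FLAG_MEANING[flag]})")
    return findings


if __name__ == "__main__":
    for finding in alerts(summarize(parse_log(SAMPLE_LOG))):
        print(finding)
```

On a live host replace SAMPLE_LOG with `docker logs envoy` output; the entry keyed `-` (no upstream selected) is the one to watch, since `UO` there means the circuit breaker rejected requests before any endpoint was tried.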
5.2 Prometheus metrics
# Metrics in Prometheus exposition format; point a scrape job at this path (keep the admin port off public interfaces)
curl http://localhost:9901/stats/prometheus
# Per-cluster endpoint list with health flags (e.g. health_flags::failed_outlier_check) and circuit-breaker settings
curl http://localhost:9901/clusters
# Envoy version, uptime and server state (this does not show endpoint health; use /clusters for that)
curl http://localhost:9901/server_info
6. TLS/SSL configuration
Terminate TLS on a second listener by attaching a `transport_socket` to its filter chain. In docker-compose.yml publish port 443 (`- "443:443"`) and mount the certificate directory read-only (`- ./certs:/etc/envoy/certs:ro`); the image's entrypoint switches to an unprivileged `envoy` user, so the private key must be readable by that user and by nobody else on the host. Envoy's default minimum for downstream TLS is 1.2; pin it explicitly with `tls_params.tls_minimum_protocol_version: TLSv1_2` and advertise `alpn_protocols: ["h2", "http/1.1"]` under `common_tls_context` so HTTP/2 clients negotiate h2. `domains: ["*"]` accepts any Host/SNI, so add one virtual host per hostname if the VPS serves several names. The plain-text listener on port 10000 from 3.2 stays open; once TLS works, remove it or turn its routes into a redirect (`redirect: { https_redirect: true }`).
listeners:
- name: https_listener
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  filter_chains:
  - transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: /etc/envoy/certs/fullchain.pem   # mounted read-only from ./certs
            private_key:
              filename: /etc/envoy/certs/privkey.pem
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_https
        route_config:
          name: local_route
          virtual_hosts:
          - name: backend
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: web_service
        http_filters:
        - name: envoy.filters.http.router
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
7. Common management commands
# Validate the configuration before applying it (catches YAML and schema errors; does not test DNS or connectivity)
docker run --rm -v $(pwd)/envoy.yaml:/etc/envoy/envoy.yaml:ro \
  envoyproxy/envoy:v1.30-latest \
  envoy --mode validate -c /etc/envoy/envoy.yaml
# Apply a changed static configuration. Envoy ignores SIGHUP (it logs "caught and eating SIGHUP"),
# so the container must be restarted, which drops in-flight connections; zero-downtime reloads
# need dynamic configuration (xDS) or hot restart with --restart-epoch, neither covered here.
docker compose restart envoy
# Follow the logs (process log and, after section 5.1, the access log)
docker logs -f envoy
# Connection statistics
curl -s http://localhost:9901/stats | grep downstream_cx
8. Common problems
Upstream connection timeouts
Check that the addresses configured in the cluster resolve and are reachable. With STRICT_DNS, a backend container that is not running simply disappears from the cluster's endpoint list:
docker compose ps                                            # are the backend containers up?
docker compose exec envoy getent hosts api-server            # DNS resolution from inside the Envoy container
curl -s http://localhost:9901/clusters | grep api_service    # resolved endpoints, health flags, active connections
The Envoy image is minimal and may not include curl; to call a backend directly, run a throwaway container on the Compose network (named after the project directory, so `envoy_default` for /opt/envoy): docker run --rm --network envoy_default curlimages/curl -s http://api-server:3000
Configuration fails to load
Envoy is strict about both YAML and the protobuf schema behind it. Run the validate command from section 7 and read the error, which names the offending field; the usual causes are wrong indentation and an `@type` URL that does not exactly match the v3 extension name.
Summary
Envoy is a capable service proxy and a good fit as the data-plane component of a microservice architecture; its traffic management, observability and resilience features are what make it the usual choice for building a service mesh. For a complete mesh, see the Istio service mesh tutorial or the Linkerd service mesh tutorial. To buy a Bandwagon Host VPS see the full list of plans; the coupon code NODESEEK2026 gives a 6.77% discount, and the purchase link is bwh81.net.