Envoy proxy external authorization with sub path


I want to set up an envoy proxy in front of a backend service to only allow authenticated requests. The authentication is done via a separate auth service with an endpoint /api/v1/authenticate.

Now my questions:

  • How do I configure envoy so that all requests to the backend service are checked for authentication?
  • Is it possible to configure the auth service to be called with a certain path?

admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
static_resources:
  listeners:
    - name: main
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8099
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: service
                  virtual_hosts:
                    - name: service
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: service
                http_filters:
                  - name: envoy.filters.http.ext_authz
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                      http_service:
                        server_uri:
                          uri: localhost:8080/api/v1/authenticate
                          cluster: auth
                          timeout: 5s
                      failure_mode_allow: false
                      include_peer_certificate: true
                      transport_api_version: V3
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: service
      connect_timeout: 10s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: httpbin.org
                      port_value: 80
    - name: auth
      connect_timeout: 10s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: auth
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: localhost
                      port_value: 8080

I am using envoy proxy version 1.23.1.


Solution

  • Currently, the only way to use a certain path is to configure the path_prefix. This means that the auth endpoint needs to handle all requests with the path_prefix. The original request path will be appended to the path_prefix value.

    When calling a service with http://service/foo/bar then the auth request looks like http://auth/foo/bar. When the path_prefix is configured with value api/v1/authenticate then the auth request looks like http://auth/api/v1/authenticate/foo/bar.

    path_prefix can be configured like this:

    ...
    http_service:
      server_uri:
        uri: http://auth-service:8080/api/v1/authenticate # is not used
        cluster: auth-service
        timeout: 5s
      path_prefix: /api/v1/authenticate
    ...
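To show what the auth service on the other end of that path_prefix has to cope with, here is an added example of a minimal ext_authz HTTP service. It is not code from the question, the answer or the Envoy project. It assumes the path_prefix /api/v1/authenticate from the answer, a bearer token in the Authorization header (Envoy forwards that header to the HTTP auth service), and a constructed token table standing in for real credential validation. The contract it implements is the documented one: Envoy lets the client request through only when the auth service answers 200, and any other status denies it (with failure_mode_allow: false, an unreachable auth service denies too).

```python
"""Minimal ext_authz HTTP service that handles every request under
PATH_PREFIX, because Envoy appends the original client path to the prefix
(e.g. client GET /foo/bar -> auth GET /api/v1/authenticate/foo/bar)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Mapping, Optional, Tuple
import hmac

PATH_PREFIX = "/api/v1/authenticate"   # must match path_prefix in the Envoy config

# Constructed sample data for this example only; a real service would verify
# a session, JWT, or similar instead of a static table.
VALID_TOKENS = {"example-token-123": "alice"}


def split_original_path(request_path: str) -> Optional[str]:
    """Return the original client path that Envoy appended after PATH_PREFIX,
    or None if the request did not arrive under the prefix at all."""
    if request_path == PATH_PREFIX:
        return "/"
    if request_path.startswith(PATH_PREFIX + "/"):
        return request_path[len(PATH_PREFIX):]
    return None


def authorize(path: str, headers: Mapping[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide one authorization request.

    Returns (status, extra_response_headers). Only 200 means "allow" to Envoy;
    401/403/404 all result in the client request being denied.
    Header names are expected in lower case.
    """
    original_path = split_original_path(path)
    if original_path is None:
        # Not under the prefix: Envoy is misconfigured or someone called us directly.
        return 404, {}

    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"WWW-Authenticate": "Bearer"}

    # Constant-time comparison so token checking does not leak timing information.
    user = next(
        (name for known, name in VALID_TOKENS.items() if hmac.compare_digest(known, token)),
        None,
    )
    if user is None:
        return 403, {}

    # original_path is available here for per-path decisions if needed.
    return 200, {"x-authenticated-user": user}


class AuthHandler(BaseHTTPRequestHandler):
    """Serve the decision for any method; Envoy mirrors the client's method."""

    def _handle(self) -> None:
        headers = {k.lower(): v for k, v in self.headers.items()}
        status, extra = authorize(self.path, headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _handle


if __name__ == "__main__":
    # Listens on the port the question's "auth" cluster points at.
    HTTPServer(("0.0.0.0", 8080), AuthHandler).serve_forever()
```

The x-authenticated-user header is only passed on to the backend if the Envoy config lists it under authorization_response.allowed_upstream_headers; without that, Envoy drops auth-service response headers on the allowed path, so the backend cannot rely on it by default.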