I want to set up an envoy proxy in front of a backend service to only allow authenticated requests. The authentication is done via a separate auth service with an endpoint /api/v1/authenticate.
Now my questions:
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
static_resources:
  listeners:
  - name: main
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8099
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: service
            virtual_hosts:
            - name: service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: service
          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              http_service:
                server_uri:
                  uri: localhost:8080/api/v1/authenticate
                  cluster: auth
                  timeout: 5s
              failure_mode_allow: false
              include_peer_certificate: true
              transport_api_version: V3
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: service
    connect_timeout: 10s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: httpbin.org
                port_value: 80
  - name: auth
    connect_timeout: 10s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: auth
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: localhost
                port_value: 8080
I am using envoy proxy version 1.23.1.
Currently, the only way to use a certain path is to configure the path_prefix. This means that an auth endpoint needs to handle all requests with the path_prefix. The original request path will be appended to the path_prefix value.
When calling a service with http://service/foo/bar then the auth request looks like http://auth/foo/bar. When the path_prefix is configured with value api/v1/authenticate then the auth request looks like http://auth/api/v1/authenticate/foo/bar.
path_prefix can be configured like this:
...
http_service:
  server_uri:
    uri: http://auth-service:8080/api/v1/authenticate # is not used
    cluster: auth-service
    timeout: 5s
  path_prefix: /api/v1/authenticate
...
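An added example, not code from the question or the answer: a minimal auth service written against the path_prefix behaviour described above, showing how the service recovers the client's original path from the prefixed check request and decides 200 (forward) or 401 (deny). It assumes path_prefix: /api/v1/authenticate in the Envoy config, so a client request for /foo/bar arrives as /api/v1/authenticate/foo/bar; the bearer tokens and the public path list are constructed placeholders.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Must match path_prefix in the Envoy ext_authz http_service config (assumed).
PATH_PREFIX = "/api/v1/authenticate"
# Constructed sample credentials; a real service would validate a JWT or
# look the token up in a credential store.
VALID_TOKENS = {"secret-token-123": "alice"}
# Original client paths allowed through without credentials (constructed).
PUBLIC_PATHS = {"/healthz"}


def original_path(request_path: str) -> str:
    """Strip the configured prefix to recover the path the client requested."""
    path = urlsplit(request_path).path  # drop any query string first
    if path == PATH_PREFIX or path.startswith(PATH_PREFIX + "/"):
        return path[len(PATH_PREFIX):] or "/"
    return path  # without path_prefix Envoy sends the original path unchanged


def authorize(request_path: str, headers: dict) -> tuple:
    """Return (status, extra_headers); only 200 lets Envoy forward upstream."""
    path = original_path(request_path)
    if path in PUBLIC_PATHS:
        return 200, {}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    user = VALID_TOKENS.get(token) if scheme.lower() == "bearer" else None
    if user is None:
        return 401, {"WWW-Authenticate": "Bearer"}
    # Headers on a 200 reach the backend only if listed under
    # authorization_response.allowed_upstream_headers in the Envoy config.
    return 200, {"x-authenticated-user": user}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        hdrs = {k.lower(): v for k, v in self.headers.items()}
        status, extra = authorize(self.path, hdrs)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # The check request reuses the client's method, so accept the usual ones.
    do_POST = do_PUT = do_DELETE = do_GET


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```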