Envoy with websocket + OPA
311 views
Skip to first unread message
khennedy bacule
Feb 28, 2023, 9:57:58 AM2/28/23
to envoy-dev
Hi folks, I am using Envoy as proxy to a websocket application, and I use the upgrade_configs to this and works well. But I want use the OPA to allow or deny requests, when I start the handshake this works, I am using the ExtAuthz on http filter, but after the connection is stablished this filter is never call again, and I want for every message on my websocket session call the OPA. Anybody have an ideia how can I do this?
Yan Avlasov
Feb 28, 2023, 10:20:30 AM2/28/23
to khennedy bacule, envoy-dev
Ext_authz does not support authorization of HTTP bodies. But you can possibly make it work with the ext_proc filter.
On Tue, Feb 28, 2023 at 9:58 AM khennedy bacule <khenned...@gmail.com> wrote:
Hi folks, I am using Envoy as proxy to a websocket application, and I use the upgrade_configs to this and works well. But I want use the OPA to allow or deny requests, when I start the handshake this works, I am using the ExtAuthz on http filter, but after the connection is stablished this filter is never call again, and I want for every message on my websocket session call the OPA. Anybody have an ideia how can I do this?
--
You received this message because you are subscribed to the Google Groups "envoy-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to envoy-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/envoy-dev/96a8b092-6302-4675-b9a2-db6ef01de406n%40googlegroups.com.
Message has been deleted
khennedy bacule
Feb 28, 2023, 11:19:48 AM2/28/23
to envoy-dev
Hello Yan, I did this but nothing happened, when I send a message on websocket session the filter ext_proc is not called. Bellow is my yaml config to envoy.
admin:
access_log_path: "/tmp/admin_access.log"
address:
socket_address:
address: "0.0.0.0"
port_value: 9901
static_resources:
listeners:
- name: "pdv-envoy"
address:
socket_address:
address: "0.0.0.0"
port_value: 8081
traffic_direction: INBOUND
filter_chains:
- filters:
- name: "envoy.filters.network.http_connection_manager"
typed_config:
upgrade_configs:
- upgrade_type: "websocket"
- filters:
- name: envoy.filters.http.ext_proc
typed_config:
grpc_service:
google_grpc:
target_uri: 127.0.0.1:9191
stat_prefix: ext_authz
timeout: 1.5s
- name: "envoy.filters.http.router"
stat_prefix: "ingress"
generate_request_id: true
codec_type: "auto"
route_config:
name: "pdv-route-ingress"
virtual_hosts:
- name: "pdv-service-ingress"
domains:
- "*"
routes:
- match:
prefix: "/"
route:
cluster: "app"
cors:
allow_origin_string_match:
prefix: "*"
allow_methods: "GET, PUT, DELETE, POST, PATCH, OPTIONS"
allow_headers: "authorization, keep-alive, user-agent, cache-control, content-type, content-transfer-encoding, x-accept-content-transfer-encoding, x-accept-response-streaming, x-user-agent, x-grpc-web, referer"
expose_headers: "grpc-status, grpc-message, x-envoy-upstream-service-time"
http_filters:
- name: envoy.filters.http.cors
- name: envoy.filters.http.jwt_authn
typed_config:
providers:
jwt_provider:
payload_in_metadata: jwt_payload
remote_jwks:
http_uri:
cluster: jwt_certs
timeout: 5s
cache_duration:
seconds: 300
rules:
- match:
safe_regex:
google_re2: {}
regex: ^\/((health)|(ws\/.*)|(docs)|(redoc)|(openapi.json)|(service/metrics))(\/){0,1}$
- match:
prefix: "/"
requires:
provider_name: jwt_provider
- name: envoy.filters.http.ext_authz
typed_config:
with_request_body:
max_request_bytes: 8192
allow_partial_message: true
failure_mode_allow: false
transport_api_version: "v3"
grpc_service:
google_grpc:
target_uri: 127.0.0.1:9191
stat_prefix: ext_authz
timeout: 1.5s
- name: envoy.filters.http.lua
typed_config:
inline_code: |
function envoy_on_request(request_handle)
request_handle:logErr("ENNNVOOOYYY")
local meta = request_handle:streamInfo():dynamicMetadata()
for key, value in pairs(meta) do
request_handle:headers():add("client-id", value.jwt_payload.client_id)
end
end
- name: "envoy.filters.http.router"
clusters:
- name: "jwt_certs"
connect_timeout: "5s"
type: LOGICAL_DNS
dns_lookup_family: "V4_PREFERRED"
load_assignment:
cluster_name: "jwt_certs"
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: "cognito-idp.us-east-1.amazonaws.com"
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
- name: "cluster_http"
connect_timeout: "0.25s"
type: STRICT_DNS
load_assignment:
cluster_name: "cluster_http"
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: "127.0.0.1"
port_value: 8081
- name: "app"
connect_timeout: "0.25s"
type: STRICT_DNS
load_assignment:
cluster_name: "app"
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: "127.0.0.1"
port_value: 8281
Yan Avlasov
Feb 28, 2023, 11:54:36 AM2/28/23
to khennedy bacule, envoy-dev
By default ext_proc does not stream body. You need to enable it in configuration.
To view this discussion on the web visit https://groups.google.com/d/msgid/envoy-dev/ac546321-efe3-4efc-bec8-8ccca3a21674n%40googlegroups.com.
Reply all
Reply to author
Forward
Message has been deleted
Message has been deleted
0 new messages