Websockets with extauth SecurityPolicy

Daniel Podwysocki

Sep 20, 2025, 6:43:23 PM (2 days ago) Sep 20
to envoy-users
Hi all,

First off, wanted to say Envoy Gateway is a really impressive implementation - I've been switching my old ingress-based stuff from it and I've been very impressed so far ^^

I did find some odd behavior where I'm unsure if I've hit a bug or misconfigured something.
I have a securityPolicy I use to auth an endpoint:

```yaml
spec:
  extAuth:
    failOpen: false
    headersToExtAuth:
    - Host
    - Method
    - Path
    - Content-Length
    - Authorization
    - Cookie
    - Connection
    - Upgrade
    http:
      backendRefs:
      - group: ""
        kind: Service
        name: hubble
        port: 3000
      path: /api/authorization-service
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: richard-helios
```

Without it, I can use the httproute, alongside websockets on it.

When I apply it, websockets break, even if I hardcode my authorization service to return 200.

When I curl the websocket, I can see the 200 instead of the websocket connection happening.

Is this expected behavior and am I doing something incorrectly? Or is this a bug I should file on GitHub?

For reference, here is full curl output:
```
➜  templates git:(377-add-httproute-support-to-all-plugins-with-an-ingress) ✗ curl -v -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: localhost" -H "Origin: https://localhost" https://localhost/polaris/richard/websockets -k -L                 (⎈|kind-hubble:argocd)
* Host localhost:443 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:443...
* connect to ::1 port 443 from ::1 port 38106 failed: Connection refused
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=localhost; O=ORION Self-Signed
*  start date: Sep 19 22:20:32 2025 GMT
*  expire date: Sep 19 22:20:32 2026 GMT
*  issuer: CN=localhost; O=ORION Self-Signed
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://localhost/polaris/richard/websockets
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: localhost]
* [HTTP/2] [1] [:path: /polaris/richard/websockets]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [origin: https://localhost]
> GET /polaris/richard/websockets HTTP/2
> Host: localhost
> User-Agent: curl/8.9.1
> Accept: */*
> Connection: Upgrade
> Upgrade: websocket
> Origin: https://localhost
>
* Request completely sent off
< HTTP/2 308
HTTP/2 308
< location: /api/authorization-service/polaris/richard/websockets/
location: /api/authorization-service/polaris/richard/websockets/
< refresh: 0;url=/api/authorization-service/polaris/richard/websockets/
refresh: 0;url=/api/authorization-service/polaris/richard/websockets/
< date: Sat, 20 Sep 2025 22:23:35 GMT
date: Sat, 20 Sep 2025 22:23:35 GMT
< x-envoy-upstream-service-time: 3
x-envoy-upstream-service-time: 3
< content-length: 54
content-length: 54
< content-type: text/plain
content-type: text/plain
* Ignoring the response-body
<

* Connection #0 to host localhost left intact
* Issue another request to this URL: 'https://localhost/api/authorization-service/polaris/richard/websockets/'
* Found bundle for host: 0x61319289a510 [can multiplex]
* Re-using existing connection with host localhost
* [HTTP/2] [3] OPENED stream for https://localhost/api/authorization-service/polaris/richard/websockets/
* [HTTP/2] [3] [:method: GET]
* [HTTP/2] [3] [:scheme: https]
* [HTTP/2] [3] [:authority: localhost]
* [HTTP/2] [3] [:path: /api/authorization-service/polaris/richard/websockets/]
* [HTTP/2] [3] [user-agent: curl/8.9.1]
* [HTTP/2] [3] [accept: */*]
* [HTTP/2] [3] [origin: https://localhost]
> GET /api/authorization-service/polaris/richard/websockets/ HTTP/2
> Host: localhost
> User-Agent: curl/8.9.1
> Accept: */*
> Connection: Upgrade
> Upgrade: websocket
> Origin: https://localhost
>
* Request completely sent off
< HTTP/2 200
HTTP/2 200
< vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch
< content-type: application/json
content-type: application/json
< date: Sat, 20 Sep 2025 22:23:35 GMT
date: Sat, 20 Sep 2025 22:23:35 GMT
<

{"status":200}* Connection #0 to host localhost left intact
```
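An ext-auth backend shaped to the SecurityPolicy in the post, as an added example (not the poster's hubble service): it answers any path under /api/authorization-service, with or without a trailing slash, with a plain 200 or 401 and never redirects, because Envoy's ext_authz treats only a 200 from an HTTP authorization service as "allow" and relays any other status (such as the 308 in the trace) to the client as the denial. The bearer token and port 3000 are assumptions for the demo.

```python
"""Minimal HTTP ext-auth backend for the extAuth SecurityPolicy above (added example).
Assumes Envoy Gateway sends the check to `path` + original request path and that
only a 200 from this service allows the request; any other status is returned
to the client in place of the WebSocket upgrade."""
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_PREFIX = "/api/authorization-service"
# Constructed token for the demo; a real deployment validates a session or JWT.
VALID_TOKENS = {os.environ.get("DEMO_TOKEN", "demo-secret-token")}


def decide(path: str, headers: dict) -> tuple[int, str]:
    """Return (status, reason). 200 allows the original request; anything else denies.
    Never answer with a 3xx: ext_authz relays it to the client instead of upgrading."""
    if not path.startswith(AUTH_PREFIX):
        return 404, "not an authorization request"
    # Strip the prefix and ignore a trailing slash so both forms get the same answer
    # (the 308 in the trace is a trailing-slash redirect from the auth backend).
    original = path[len(AUTH_PREFIX):].rstrip("/") or "/"
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token not in VALID_TOKENS:
        return 401, f"missing or invalid bearer token for {original}"
    # The upgrade request carries the same credentials; allow it like any other GET.
    if headers.get("upgrade", "").lower() == "websocket":
        return 200, f"websocket upgrade allowed for {original}"
    return 200, f"allowed {original}"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, reason = decide(self.path, {k.lower(): v for k, v in self.headers.items()})
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())

    do_POST = do_GET  # the check is header-only; the original method does not matter here


if __name__ == "__main__":
    # Matches the backendRef port in the SecurityPolicy (assumed for the demo).
    HTTPServer(("0.0.0.0", 3000), Handler).serve_forever()
```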