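# Envoy egress proxy.
#
# Flow: a client sends a JWT in `Proxy-Authorization`; jwt_authn verifies it
# and publishes the claims to dynamic metadata; a Lua filter enforces the
# token's `allowed_hosts` claim against the requested :authority; only then
# does the dynamic forward proxy resolve the target and the router forward.
#
# Changes from the previous revision, with reasons:
#   * The Lua filter now reads the verified payload from dynamic metadata
#     (`payload_in_metadata`) instead of the `x-jwt-payload` request header.
#     jwt_authn was never told to populate that header, so it was whatever the
#     client put in it, and the host allowlist could be chosen by the caller.
#   * `forward: true` became `forward: false`: the JWT is a credential for
#     this proxy, and forwarding it to arbitrary destination hosts leaks it.
#   * `envoy.filters.http.dynamic_forward_proxy` was added; the DFP cluster
#     below has no hosts unless this filter (with a matching dns_cache_config)
#     resolves them.
#   * All claim lookups in the Lua script are nil-checked; a script runtime
#     error is not a reliable deny.
static_resources:
  listeners:
  - name: egress_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8443
    # NOTE(review): no transport_socket is configured, so despite the port
    # number this listener speaks plaintext HTTP and the JWT crosses the wire
    # unencrypted unless TLS is terminated in front of Envoy. Confirm this
    # matches the deployment.
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: egress_http
          route_config:
            name: egress_route
            virtual_hosts:
            - name: egress_service
              # Every authority is routed; the Lua filter is the only thing
              # limiting which destinations a token may reach.
              domains: ['*']
              routes:
              - match:
                  prefix: '/'
                route:
                  cluster: dynamic_forward_proxy_cluster
          # Filter order is load-bearing: verify the JWT, enforce the host
          # allowlist, and only then resolve DNS for the target and route.
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                sandbox_jwt:
                  issuer: 'secure-egress-control'
                  audiences:
                  - 'egress-proxy'
                  # Placeholder JWKS; replace the coordinates and kid with the
                  # real verification key before use.
                  local_jwks:
                    inline_string: |
                      {
                        "keys": [
                          {
                            "kty": "EC",
                            "crv": "P-256",
                            "x": "replace-with-your-key-x",
                            "y": "replace-with-your-key-y",
                            "kid": "your-ecdsa-key-id"
                          }
                        ]
                      }
                  # The token is a proxy credential: strip it after a successful
                  # verification so it is not sent on to the destination host.
                  forward: false
                  # Clients must send exactly "Proxy-Authorization: Basic <jwt>";
                  # adjust the prefix here if they use "Bearer " instead.
                  from_headers:
                  - name: 'Proxy-Authorization'
                    value_prefix: 'Basic '
                  # Publish the verified claims under
                  # metadata["envoy.filters.http.jwt_authn"]["jwt_payload"].
                  # Metadata cannot be set by the client, unlike a request
                  # header, so the Lua filter reads the claims from here.
                  payload_in_metadata: jwt_payload
              rules:
              - match:
                  prefix: '/'
                requires:
                  provider_name: 'sandbox_jwt'
          - name: envoy.filters.http.lua
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              inline_code: |
                -- Filter name under which jwt_authn stores the verified payload,
                -- and the key configured by `payload_in_metadata` above.
                local JWT_FILTER_NAME = "envoy.filters.http.jwt_authn"
                local JWT_PAYLOAD_KEY = "jwt_payload"

                -- Strip leading/trailing whitespace from a host entry.
                local function trim(s)
                  return s:match("^%s*(.-)%s*$")
                end

                -- Build a set of allowed host names from the `allowed_hosts` claim.
                -- Accepts a comma-separated string or a JSON array of strings;
                -- returns nil when the claim is absent or of another type so the
                -- caller denies explicitly instead of matching an empty set.
                local function allowed_host_set(claim)
                  local set = {}
                  if type(claim) == "string" then
                    for host in string.gmatch(claim, "[^,]+") do
                      set[trim(host)] = true
                    end
                  elseif type(claim) == "table" then
                    for _, host in ipairs(claim) do
                      if type(host) == "string" then
                        set[trim(host)] = true
                      end
                    end
                  else
                    return nil
                  end
                  return set
                end

                -- Send a 403 with a machine-readable reason header.
                local function deny(request_handle, reason, body)
                  request_handle:respond(
                    {[":status"] = "403", ["x-deny-reason"] = reason},
                    body
                  )
                end

                function envoy_on_request(request_handle)
                  -- Read the payload jwt_authn verified and stored in dynamic
                  -- metadata (already a Lua table; no JSON decoding needed).
                  -- Every lookup is nil-checked: a Lua runtime error is not a
                  -- reliable deny, so missing data must be rejected explicitly.
                  local jwt_meta = request_handle:streamInfo():dynamicMetadata():get(JWT_FILTER_NAME)
                  local payload = jwt_meta and jwt_meta[JWT_PAYLOAD_KEY]
                  if type(payload) ~= "table" then
                    request_handle:respond(
                      {[":status"] = "403"},
                      "Missing JWT"
                    )
                    return
                  end
                  local allowed_hosts = allowed_host_set(payload.allowed_hosts)
                  if not allowed_hosts then
                    deny(request_handle, "missing_allowed_hosts_claim", "Host not in whitelist")
                    return
                  end
                  -- Exact match against :authority, including any explicit port
                  -- and case; the claim must list the authority as clients send it.
                  local target_host = request_handle:headers():get(":authority")
                  if not target_host or not allowed_hosts[target_host] then
                    deny(request_handle, "host_not_allowed", "Host not in whitelist")
                    return
                  end
                end
          # Resolves the (already allowlisted) :authority into the DNS cache the
          # cluster below reads from; dns_cache_config must match the cluster's.
          - name: envoy.filters.http.dynamic_forward_proxy
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
              dns_cache_config:
                name: dynamic_forward_proxy_cache_config
                dns_lookup_family: V4_ONLY
          - name: envoy.filters.http.router
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        '@type': type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
# Admin interface is bound to loopback only; keep it that way, it has no auth.
admin:
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9901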