ext_authz: Get Basic Authorization for filters.network.ext_authz
Title: How to get Basic Authorization info from request parameter when handling Check?
Description: When using the filter envoy.filters.http.ext_authz, I'm able to get Basic Authorization from the Headers to authenticate.
Request parameter sent for envoy.filters.network.ext_authz differs and does not include the Headers. How would I get the info to do authentication?
Here's the configuration file:
```yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      address: 0.0.0.0
      protocol: TCP
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        protocol: TCP
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
          stat_prefix: ext_authz
          grpc_service:
            envoy_grpc:
              cluster_name: ext-authz
          include_peer_certificate: true
          transport_api_version: V3
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: proxy
          stat_prefix: https_passthrough
  clusters:
  - name: ext-authz
    type: STRICT_DNS
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: ext_authz
                port_value: 5000
  - name: proxy
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: proxy
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: someproxy
                port_value: 8080
```
Example used for auth. https://github.com/envoyproxy/envoy/blob/main/examples/ext_authz/auth/grpc-service/pkg/auth/v3/auth.go
Sorry, could you expand on your use case? ext_authz Network filter works on TCP connections. The check request sends "connection" information, such as source and destination peers, and TLS information if it is being asked.
The use case is to provide Basic Authentication for the Proxy
re: "Basic Authentication" Do you mean https://datatracker.ietf.org/doc/html/rfc7617? I think that requires HTTP to work.
Are there any options for Authentication for the Network filter?
If your "traffic" is "TCP" (e.g. if you put envoy in front of a postgres server), then when you add network ext_authz you have a handful of "parameters" that can be checked: https://github.com/envoyproxy/envoy/blob/e19476d62956b60688de2b6109de1cf4dea6ae19/api/envoy/service/auth/v3/attribute_context.proto#L157-L177
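A connection-level authorization decision of the kind the reply above describes, as an added example that is not part of this thread or of Envoy's code: it admits a TCP connection by source IP and by a DNS SAN in the client certificate, which Envoy forwards as URL-encoded PEM when `include_peer_certificate` is true. `Peer`, `Allow` and `ConstructedCert` are hypothetical names (a real server reads these values from the source peer of the `CheckRequest`), and the example assumes the listener terminates TLS and validates client certificates; the listener in the configuration above has no TLS context, so it would take the "no client certificate" path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Peer is a hypothetical stand-in for the source peer in a CheckRequest.
type Peer struct{ Address, Certificate string } // Certificate: URL-encoded PEM

// Allow admits a connection by source IP and client-certificate DNS SAN. It
// assumes Envoy's listener TLS context already validated the certificate chain.
func Allow(p Peer, cidr *net.IPNet, san string) (bool, string) {
	if ip := net.ParseIP(p.Address); ip == nil || !cidr.Contains(ip) {
		return false, "source address not allowed"
	}
	raw, _ := url.PathUnescape(p.Certificate) // empty or malformed input fails below
	block, _ := pem.Decode([]byte(raw))
	if block == nil {
		return false, "no client certificate"
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil || cert.VerifyHostname(san) != nil {
		return false, "certificate lacks the required SAN"
	}
	return true, "allowed"
}

// ConstructedCert returns a throwaway self-signed certificate as sample input.
func ConstructedCert(dns string) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dns},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return url.PathEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})))
}

func main() {
	_, cidr, _ := net.ParseCIDR("10.0.0.0/8")
	fmt.Println(Allow(Peer{"10.1.2.3", ConstructedCert("db-client.example")}, cidr, "db-client.example"))
}
```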
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.