envoy
envoy copied to clipboard
envoyproxy
rbac HTTP filter with metadata principal provided by jwt_authn HTTP filter is not working on HTTP CONNECT request
Title: rbac HTTP filter with metadata principal provided by jwt_authn HTTP filter is not working on HTTP CONNECT request
Description:
I would like to use envoy to achieve the following
- HTTP forwarding proxy with CONNECT method (RFC7231: 4.3.6. CONNECT)
- Authorization for payload of JWT granted in the
Authorizationheader of the requests to proxy (RFC7523)
I tried to compare the value of the JWT payload using the metadata principal of the RBAC filter to satisfy the above. (ref. https://github.com/envoyproxy/envoy/issues/7913)
However, only when connecting to envoy with the CONNECT method, the dynamicMetadata does not contain the jwt payload and the authorization by the RBAC filter fails.
Repro steps:
When I request Authorization header and CONNECT method (= target server listens HTTPS) to envoy, which runs as HTTP forwarding proxy, and envoy rejected the request.
$ curl -x http://${PROXY_HOSTNAME}:10000/ --proxy-header "Authorization: Bearer $JWT" https://google.com
curl: (56) CONNECT tunnel failed, response 403
Note that when I request Authorization header and GET method (= target server listens HTTP) to envoy, which runs as HTTP forwarding proxy, and envoy forwarded the request intendedly.
$ curl -x http://${PROXY_HOSTNAME}:10000/ --proxy-header "Authorization: Bearer $JWT" http://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
Admin and Stats Output:
I omitted it because It isn't necessary I thought. Please let me know if you need it.
Config:
The following values are masked
<AUDIENCE_NAME><SUBJECT_NAME>
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address:
address: 0.0.0.0
port_value: 9902
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: forward_proxy
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
# in case that target server listens HTTPS
- match: {connect_matcher: {}}
route:
cluster: destination_https
upgrade_configs:
- upgrade_type: CONNECT
connect_config: {}
# in case that target server listens HTTP
- match: {prefix: "/"}
route:
cluster: destination_http
upgrade_configs:
- upgrade_type: CONNECT
connect_config: {}
http_filters:
- name: envoy.filters.http.jwt_authn
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
provider1:
payload_in_metadata: payload
remote_jwks:
http_uri:
uri: http://localhost:4443
cluster: jwks_cluster
timeout: 3s
cache_duration:
seconds: 300
rules:
- match:
prefix: "/"
requires:
provider_name: provider1
- name: envoy.filters.http.rbac
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
rules:
action: ALLOW
policies:
"jwt":
permissions:
- any: true
principals:
and_ids:
ids:
- metadata:
filter: envoy.filters.http.jwt_authn
path:
- key: payload
- key: aud
value:
string_match:
exact: "<AUDIENCE_NAME>"
- metadata:
filter: envoy.filters.http.jwt_authn
path:
- key: payload
- key: sub
value:
string_match:
exact: "<SUBJECT_NAME>"
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: destination_https
connect_timeout: 3s
type: STRICT_DNS
dns_lookup_family: V4_ONLY
dns_refresh_rate: 60s
load_assignment:
cluster_name: destination
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: google.com
port_value: 443
- name: destination_http
connect_timeout: 3s
type: STRICT_DNS
dns_lookup_family: V4_ONLY
dns_refresh_rate: 60s
load_assignment:
cluster_name: destination
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: google.com
port_value: 80
- name: jwks_cluster
connect_timeout: 3s
type: STATIC
load_assignment:
cluster_name: jwks_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 4443
Logs:
The following values are masked
<JWT><AUDIENCE_NAME><ISSUER_URL><JWT_ID><SUBJECT_NAME>
In case target server listens HTTPS, requests from cilent was rejected.
envoy | [2024-07-01 04:11:05.661][22][debug][conn_handler] [source/common/listener_manager/active_tcp_listener.cc:160] [Tags: "ConnectionId":"1"] new connection from 127.0.0.1:36618
envoy | [2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:398] [Tags: "ConnectionId":"1"] new stream
envoy | [2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:1147] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] request headers complete (end_stream=false):
envoy | ':authority', 'google.com:443'
envoy | ':method', 'CONNECT'
envoy | 'user-agent', 'curl/7.52.0'
envoy | 'proxy-connection', 'Keep-Alive'
envoy | 'authorization', 'Bearer <JWT>'
envoy |
envoy | [2024-07-01 04:11:05.661][22][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"1"] current connecting state: false
envoy | [2024-07-01 04:11:05.661][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:159] Called Filter : setDecoderFilterCallbacks
envoy | [2024-07-01 04:11:05.661][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:53] Called Filter : decodeHeaders
envoy | [2024-07-01 04:11:05.661][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:111] Jwt authentication completed with: OK
envoy | [2024-07-01 04:11:05.661][22][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:131] checking request: requestedServerName: , sourceIP: 127.0.0.1:36618, directRemoteIP: 127.0.0.1:36618, remoteIP: 127.0.0.1:36618,localAddress: 127.0.0.1:10000, ssl: none, headers: ':authority', 'google.com:443'
envoy | ':method', 'CONNECT'
envoy | ':scheme', 'http'
envoy | 'user-agent', 'curl/7.52.0'
envoy | 'authorization', 'Bearer <JWT>'
envoy | 'x-forwarded-proto', 'http'
envoy | 'x-request-id', '0819640b-0861-4f90-bf5c-5c892ca64e9e'
envoy | , dynamicMetadata:
envoy | [2024-07-01 04:11:05.661][22][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:185] enforced denied, matched policy none
envoy | [2024-07-01 04:11:05.661][22][debug][http] [source/common/http/filter_manager.cc:1027] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] Preparing local reply with details rbac_access_denied_matched_policy[none]
envoy | [2024-07-01 04:11:05.661][22][debug][http] [source/common/http/filter_manager.cc:1069] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] Executing sending local reply.
envoy | [2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:1838] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] encoding headers via codec (end_stream=false):
envoy | ':status', '403'
envoy | 'content-length', '19'
envoy | 'content-type', 'text/plain'
envoy | 'date', 'Mon, 01 Jul 2024 04:11:05 GMT'
envoy | 'server', 'envoy'
envoy | 'connection', 'close'
envoy |
envoy | [2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:1950] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] Codec completed encoding stream.
envoy | [2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:252] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] doEndStream() resetting stream
envoy | [2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:1907] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] stream reset: reset reason: local reset, response details: -
envoy | [2024-07-01 04:11:05.661][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:46] Called Filter : onDestroy
envoy | [2024-07-01 04:11:05.661][22][debug][connection] [source/common/network/connection_impl.cc:149] [Tags: "ConnectionId":"1"] closing data_to_write=162 type=2
envoy | [2024-07-01 04:11:05.661][22][debug][connection] [source/common/network/connection_impl_base.cc:53] [Tags: "ConnectionId":"1"] setting delayed close timer with timeout 1000 ms
envoy | [2024-07-01 04:11:05.661][22][debug][connection] [source/common/network/connection_impl.cc:149] [Tags: "ConnectionId":"1"] closing data_to_write=162 type=2
envoy | [2024-07-01 04:11:05.661][22][debug][connection] [source/common/network/connection_impl.cc:793] [Tags: "ConnectionId":"1"] write flush complete
envoy | [2024-07-01 04:11:05.662][22][debug][connection] [source/common/network/connection_impl.cc:793] [Tags: "ConnectionId":"1"] write flush complete
In case target server listens HTTP, requests from cilent succeeded.
envoy | [2024-07-01 03:03:41.525][22][debug][conn_handler] [source/common/listener_manager/active_tcp_listener.cc:160] [Tags: "ConnectionId":"4"] new connection from 127.0.0.1:60228
envoy | [2024-07-01 03:03:41.525][22][debug][http] [source/common/http/conn_manager_impl.cc:398] [Tags: "ConnectionId":"4"] new stream
envoy | [2024-07-01 03:03:41.525][22][debug][http] [source/common/http/conn_manager_impl.cc:1147] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] request headers complete (end_stream=true):
envoy | ':authority', 'google.com'
envoy | ':scheme', 'http'
envoy | ':path', '/'
envoy | ':method', 'GET'
envoy | 'user-agent', 'curl/7.52.0'
envoy | 'accept', '*/*'
envoy | 'proxy-connection', 'Keep-Alive'
envoy | 'authorization', 'Bearer <JWT>'
envoy |
envoy | [2024-07-01 03:03:41.525][22][debug][http] [source/common/http/conn_manager_impl.cc:1130] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] request end stream
envoy | [2024-07-01 03:03:41.525][22][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"4"] current connecting state: false
envoy | [2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:159] Called Filter : setDecoderFilterCallbacks
envoy | [2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:53] Called Filter : decodeHeaders
envoy | [2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/matcher.cc:73] Prefix requirement '/' matched.
envoy | [2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/extractor.cc:255] extract authorizationBearer
envoy | [2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:163] provider1: JWT authentication starts (allow_failed=false), tokens size=1
envoy | [2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:174] provider1: startVerify: tokens size 1
envoy | [2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:192] provider1: Parse Jwt <JWT>
envoy | [2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:203] provider1: Verifying JWT token of issuer https://apj.zts.athenz.yahoo.co.jp:4443/zts/v1
envoy | [2024-07-01 03:03:41.525][22][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:60] fetch pubkey from [uri = http://localhost:4443]: start
envoy | [2024-07-01 03:03:41.526][22][debug][router] [source/common/router/router.cc:515] [Tags: "ConnectionId":"0","StreamId":"759015519637044975"] cluster 'jwks_cluster' match for URL '/'
envoy | [2024-07-01 03:03:41.526][22][debug][router] [source/common/router/router.cc:738] [Tags: "ConnectionId":"0","StreamId":"759015519637044975"] router decoding headers:
envoy | ':path', '/'
envoy | ':authority', 'localhost:4443'
envoy | ':method', 'GET'
envoy | ':scheme', 'http'
envoy | 'x-envoy-internal', 'true'
envoy | 'x-forwarded-for', '192.168.0.1'
envoy | 'x-envoy-expected-rq-timeout-ms', '3000'
envoy |
envoy | [2024-07-01 03:03:41.526][22][debug][pool] [source/common/http/conn_pool_base.cc:78] queueing stream due to no available connections (ready=0 busy=0 connecting=0)
envoy | [2024-07-01 03:03:41.526][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:291] trying to create new connection
envoy | [2024-07-01 03:03:41.526][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:145] creating a new connection (connecting=0)
envoy | [2024-07-01 03:03:41.526][22][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"5"] current connecting state: true
envoy | [2024-07-01 03:03:41.526][22][debug][client] [source/common/http/codec_client.cc:57] [Tags: "ConnectionId":"5"] connecting
envoy | [2024-07-01 03:03:41.526][22][debug][connection] [source/common/network/connection_impl.cc:1021] [Tags: "ConnectionId":"5"] connecting to 127.0.0.1:4443
envoy | [2024-07-01 03:03:41.526][22][debug][connection] [source/common/network/connection_impl.cc:1040] [Tags: "ConnectionId":"5"] connection in progress
envoy | [2024-07-01 03:03:41.526][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:97] Called Filter : decodeHeaders Stop
envoy | [2024-07-01 03:03:41.526][22][debug][connection] [source/common/network/connection_impl.cc:751] [Tags: "ConnectionId":"5"] connected
envoy | [2024-07-01 03:03:41.526][22][debug][client] [source/common/http/codec_client.cc:88] [Tags: "ConnectionId":"5"] connected
envoy | [2024-07-01 03:03:41.526][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:328] [Tags: "ConnectionId":"5"] attaching to next stream
envoy | [2024-07-01 03:03:41.526][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:182] [Tags: "ConnectionId":"5"] creating stream
envoy | [2024-07-01 03:03:41.526][22][debug][router] [source/common/router/upstream_request.cc:588] [Tags: "ConnectionId":"0","StreamId":"759015519637044975"] pool ready
envoy | [2024-07-01 03:03:41.526][22][debug][client] [source/common/http/codec_client.cc:142] [Tags: "ConnectionId":"5"] encode complete
envoy | [2024-07-01 03:03:41.610][22][debug][router] [source/common/router/router.cc:1529] [Tags: "ConnectionId":"0","StreamId":"759015519637044975"] upstream headers complete: end_stream=false
envoy | [2024-07-01 03:03:41.611][22][debug][http] [source/common/http/async_client_impl.cc:129] async http request response headers (end_stream=false):
envoy | ':status', '200'
envoy | 'content-length', '1806'
envoy | 'content-type', 'application/json'
envoy | 'date', 'Mon, 01 Jul 2024 03:03:41 GMT'
envoy | 'x-envoy-upstream-service-time', '84'
envoy |
envoy | [2024-07-01 03:03:41.611][22][debug][client] [source/common/http/codec_client.cc:129] [Tags: "ConnectionId":"5"] response complete
envoy | [2024-07-01 03:03:41.611][22][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:85] onSuccess: fetch pubkey [uri = http://localhost:4443]: success
envoy | [2024-07-01 03:03:41.611][22][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:91] onSuccess: fetch pubkey [uri = http://localhost:4443]: succeeded
envoy | [2024-07-01 03:03:41.611][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:448] provider1: JWT token verification completed with: OK
envoy | [2024-07-01 03:03:41.611][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:111] Jwt authentication completed with: OK
envoy | [2024-07-01 03:03:41.611][22][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:131] checking request: requestedServerName: , sourceIP: 127.0.0.1:60228, directRemoteIP: 127.0.0.1:60228, remoteIP: 127.0.0.1:60228,localAddress: 127.0.0.1:10000, ssl: none, headers: ':authority', 'google.com'
envoy | ':scheme', 'http'
envoy | ':path', '/'
envoy | ':method', 'GET'
envoy | 'user-agent', 'curl/7.52.0'
envoy | 'accept', '*/*'
envoy | 'x-forwarded-proto', 'http'
envoy | 'x-request-id', '6fa6b59e-d4fd-4b2c-aa8a-93313448fb55'
envoy | , dynamicMetadata: filter_metadata {
envoy | key: "envoy.filters.http.jwt_authn"
envoy | value {
envoy | fields {
envoy | key: "payload"
envoy | value {
envoy | struct_value {
envoy | fields {
envoy | key: "aud"
envoy | value {
envoy | string_value: "<AUDIENCE_NAME>"
envoy | }
envoy | }
envoy | fields {
envoy | key: "exp"
envoy | value {
envoy | number_value: 1719813855
envoy | }
envoy | }
envoy | fields {
envoy | key: "iat"
envoy | value {
envoy | number_value: 1719799455
envoy | }
envoy | }
envoy | fields {
envoy | key: "iss"
envoy | value {
envoy | string_value: "<ISSUER_URL>"
envoy | }
envoy | }
envoy | fields {
envoy | key: "jti"
envoy | value {
envoy | string_value: "<JWT_ID>"
envoy | }
envoy | }
envoy | fields {
envoy | key: "sub"
envoy | value {
envoy | string_value: "<SUBJECT_NAME>"
envoy | }
envoy | }
envoy | }
envoy | }
envoy | }
envoy | }
envoy | }
envoy |
envoy | [2024-07-01 03:03:41.611][22][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:178] enforced allowed, matched policy jwt
envoy | [2024-07-01 03:03:41.611][22][debug][router] [source/common/router/router.cc:515] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] cluster 'destination_http' match for URL '/'
envoy | [2024-07-01 03:03:41.611][22][debug][router] [source/common/router/router.cc:738] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] router decoding headers:
envoy | ':authority', 'google.com'
envoy | ':scheme', 'http'
envoy | ':path', '/'
envoy | ':method', 'GET'
envoy | 'user-agent', 'curl/7.52.0'
envoy | 'accept', '*/*'
envoy | 'x-forwarded-proto', 'http'
envoy | 'x-request-id', '6fa6b59e-d4fd-4b2c-aa8a-93313448fb55'
envoy | 'x-envoy-expected-rq-timeout-ms', '15000'
envoy |
envoy | [2024-07-01 03:03:41.611][22][debug][pool] [source/common/http/conn_pool_base.cc:78] queueing stream due to no available connections (ready=0 busy=0 connecting=0)
envoy | [2024-07-01 03:03:41.611][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:291] trying to create new connection
envoy | [2024-07-01 03:03:41.611][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:145] creating a new connection (connecting=0)
envoy | [2024-07-01 03:03:41.611][22][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"6"] current connecting state: true
envoy | [2024-07-01 03:03:41.611][22][debug][client] [source/common/http/codec_client.cc:57] [Tags: "ConnectionId":"6"] connecting
envoy | [2024-07-01 03:03:41.611][22][debug][connection] [source/common/network/connection_impl.cc:1021] [Tags: "ConnectionId":"6"] connecting to 142.251.42.174:80
envoy | [2024-07-01 03:03:41.611][22][debug][connection] [source/common/network/connection_impl.cc:1040] [Tags: "ConnectionId":"6"] connection in progress
envoy | [2024-07-01 03:03:41.611][22][debug][pool] [source/common/http/http1/conn_pool.cc:53] [Tags: "ConnectionId":"5"] response complete
envoy | [2024-07-01 03:03:41.611][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:215] [Tags: "ConnectionId":"5"] destroying stream: 0 remaining
envoy | [2024-07-01 03:03:41.613][22][debug][connection] [source/common/network/connection_impl.cc:751] [Tags: "ConnectionId":"6"] connected
envoy | [2024-07-01 03:03:41.613][22][debug][client] [source/common/http/codec_client.cc:88] [Tags: "ConnectionId":"6"] connected
envoy | [2024-07-01 03:03:41.613][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:328] [Tags: "ConnectionId":"6"] attaching to next stream
envoy | [2024-07-01 03:03:41.613][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:182] [Tags: "ConnectionId":"6"] creating stream
envoy | [2024-07-01 03:03:41.613][22][debug][router] [source/common/router/upstream_request.cc:588] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] pool ready
envoy | [2024-07-01 03:03:41.613][22][debug][client] [source/common/http/codec_client.cc:142] [Tags: "ConnectionId":"6"] encode complete
envoy | [2024-07-01 03:03:41.658][22][debug][router] [source/common/router/router.cc:1529] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] upstream headers complete: end_stream=false
envoy | [2024-07-01 03:03:41.658][22][debug][http] [source/common/http/conn_manager_impl.cc:1838] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] encoding headers via codec (end_stream=false):
envoy | ':status', '301'
envoy | 'location', 'http://www.google.com/'
envoy | 'content-type', 'text/html; charset=UTF-8'
envoy | 'content-security-policy-report-only', 'object-src 'none';base-uri 'self';script-src 'nonce-MHTAL8RQHAKCMw3ImZNLfg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp'
envoy | 'date', 'Mon, 01 Jul 2024 03:03:41 GMT'
envoy | 'expires', 'Wed, 31 Jul 2024 03:03:41 GMT'
envoy | 'cache-control', 'public, max-age=2592000'
envoy | 'server', 'envoy'
envoy | 'content-length', '219'
envoy | 'x-xss-protection', '0'
envoy | 'x-frame-options', 'SAMEORIGIN'
envoy | 'x-envoy-upstream-service-time', '46'
envoy |
envoy | [2024-07-01 03:03:41.658][22][debug][client] [source/common/http/codec_client.cc:129] [Tags: "ConnectionId":"6"] response complete
envoy | [2024-07-01 03:03:41.658][22][debug][http] [source/common/http/conn_manager_impl.cc:1950] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] Codec completed encoding stream.
envoy | [2024-07-01 03:03:41.658][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:46] Called Filter : onDestroy
envoy | [2024-07-01 03:03:41.658][22][debug][pool] [source/common/http/http1/conn_pool.cc:53] [Tags: "ConnectionId":"6"] response complete
envoy | [2024-07-01 03:03:41.658][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:215] [Tags: "ConnectionId":"6"] destroying stream: 0 remaining
envoy | [2024-07-01 03:03:41.658][22][debug][connection] [source/common/network/connection_impl.cc:719] [Tags: "ConnectionId":"4"] remote close
envoy | [2024-07-01 03:03:41.658][22][debug][connection] [source/common/network/connection_impl.cc:281] [Tags: "ConnectionId":"4"] closing socket: 0
envoy | [2024-07-01 03:03:41.658][22][debug][conn_handler] [source/common/listener_manager/active_stream_listener_base.cc:136] [Tags: "ConnectionId":"4"] adding to cleanup list
