envoyproxy

Safe Regex not working for External Authorization Filter in Envoy


I do not want to apply external authorization filter for routes starting with /css, /img, /assets. While it is working fine if I put 3 entries using prefix but its not working with safe_regex.

static_resources:
    
      listeners:
      - name: listener_0
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 10000
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              access_log:
              - name: envoy.access_loggers.stdout
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  typed_per_filter_config:
                    envoy.filters.http.ext_authz:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
                      check_settings:
                        context_extensions:
                          virtual_host: local_service
                  routes:
                  - match:
                      safe_regex:
                        google_re2: {}
                        regex: "^/(css|img|assets)/"
                    route:
                      host_rewrite_literal: www.envoyproxy.io
                      cluster: service_envoyproxy_io
                    typed_per_filter_config:
                      envoy.filters.http.ext_authz:
                        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
                        disabled: true
                  - match:
                      prefix: "/"
                    route:
                      host_rewrite_literal: www.envoyproxy.io
                      cluster: service_envoyproxy_io    
              http_filters:
              - name: envoy.filters.http.ext_authz
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                  grpc_service:
                    envoy_grpc:
                      cluster_name: ext_authz-grpc-service
                    timeout: 0.250s
                  transport_api_version: V3
              - name: envoy.filters.http.router
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
    
      clusters:
      - name: service_envoyproxy_io
        type: LOGICAL_DNS
        # Comment out the following line to test on v6 networks
        dns_lookup_family: V4_ONLY
        load_assignment:
          cluster_name: service_envoyproxy_io
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: www.envoyproxy.io
                    port_value: 443
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            sni: www.envoyproxy.io
    
      - name: ext_authz-grpc-service
        type: STRICT_DNS
        lb_policy: ROUND_ROBIN
        typed_extension_protocol_options:
          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
            explicit_http_config:
              http2_protocol_options: {}
        load_assignment:
          cluster_name: ext_authz-grpc-service
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 0.0.0.0
                    port_value: 7058    

Solution

  • Full match is used by the safe_regex matching here. So, ^/(css|img|assets)/.* should be used here.