dio/basic_auth.yaml

## basic_auth.yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/cookies"
                route:
                  host_rewrite: httpbin.org
                  cluster: service_bin
                metadata:
                  filter_metadata:
                    envoy.lua:
                      credentials:
                      - "Basic b2s6dGVzdDE=" # btoa(ok:test1)
                      - "Basic b2s6dGVzdDI=" # btoa(ok:test2)
              - match:
                  prefix: "/uuid"
                route:
                  host_rewrite: httpbin.org
                  cluster: service_bin
                metadata:
                  filter_metadata:
                    envoy.lua:
                      credentials:
                      - "Basic b2s6dGVzdDE=" # btoa(ok:test1)
                      - "Basic b2s6dGVzdDI=" # btoa(ok:test2)
          http_filters:
          - name: envoy.lua
            config:
              inline_code: |
                function envoy_on_request(request_handle)
                  if request_handle:headers():get(":path") == "/cookies"
                  or request_handle:headers():get(":path") == "/uuid"
                  then
                    -- Surely you have to check if request_handle:metadata():get("credentials") has
                    -- nothing then you need to decide what to do.
                    for _, credential in pairs(request_handle:metadata():get("credentials")) do
                      if request_handle:headers():get("authorization") == credential
                      then
                        return
                      end
                    end
                    request_handle:respond(
                      {[":status"] = "401", ["WWW-Authenticate"] = "Basic realm=\"Unknown\""}, "Unauthorized"
                    )
                  end
                end
          - name: envoy.router
  clusters:
  - name: service_bin
    connect_timeout: 25s
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_bin
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: httpbin.org
                port_value: 80
	admin:
	access_log_path: /tmp/admin_access.log
	address:
	socket_address:
	protocol: TCP
	address: 127.0.0.1
	port_value: 9901
	static_resources:
	listeners:
	- name: listener_0
	address:
	socket_address:
	protocol: TCP
	address: 0.0.0.0
	port_value: 10000
	filter_chains:
	- filters:
	- name: envoy.http_connection_manager
	typed_config:
	"@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
	stat_prefix: ingress_http
	route_config:
	name: local_route
	virtual_hosts:
	- name: local_service
	domains: ["*"]
	routes:
	- match:
	prefix: "/cookies"
	route:
	host_rewrite: httpbin.org
	cluster: service_bin
	metadata:
	filter_metadata:
	envoy.lua:
	credentials:
	- "Basic b2s6dGVzdDE=" # btoa(ok:test1)
	- "Basic b2s6dGVzdDI=" # btoa(ok:test2)
	- match:
	prefix: "/uuid"
	route:
	host_rewrite: httpbin.org
	cluster: service_bin
	metadata:
	filter_metadata:
	envoy.lua:
	credentials:
	- "Basic b2s6dGVzdDE=" # btoa(ok:test1)
	- "Basic b2s6dGVzdDI=" # btoa(ok:test2)
	http_filters:
	- name: envoy.lua
	config:
	inline_code: \|
	function envoy_on_request(request_handle)
	if request_handle:headers():get(":path") == "/cookies"
	or request_handle:headers():get(":path") == "/uuid"
	then
	-- Surely you have to check if request_handle:metadata():get("credentials") has
	-- nothing then you need to decide what to do.
	for _, credential in pairs(request_handle:metadata():get("credentials")) do
	if request_handle:headers():get("authorization") == credential
	then
	return
	end
	end
	request_handle:respond(
	{[":status"] = "401", ["WWW-Authenticate"] = "Basic realm=\"Unknown\""}, "Unauthorized"
	)
	end
	end
	- name: envoy.router
	clusters:
	- name: service_bin
	connect_timeout: 25s
	type: LOGICAL_DNS
	# Comment out the following line to test on v6 networks
	dns_lookup_family: V4_ONLY
	lb_policy: ROUND_ROBIN
	load_assignment:
	cluster_name: service_bin
	endpoints:
	- lb_endpoints:
	- endpoint:
	address:
	socket_address:
	address: httpbin.org
	port_value: 80