Envoy secured stats endpoint example
```json
{
  "listeners": [
    {
      "address": "tcp://0.0.0.0:80",
      "filters": [
        {
          "type": "read",
          "name": "http_connection_manager",
          "config": {
            "codec_type": "auto",
            "stat_prefix": "ingress_http",
            "route_config": {
              "virtual_hosts": [
                {
                  "name": "backend",
                  "domains": ["*"],
                  "routes": [
                    {
                      "timeout_ms": 0,
                      "prefix": "/stats",
                      "cluster": "service_stats"
                    }
                  ]
                }
              ]
            },
            "filters": [
              {
                "type": "decoder",
                "name": "router",
                "config": {}
              }
            ]
          }
        }
      ]
    }
  ],
  "admin": {
    "access_log_path": "/dev/null",
    "address": "tcp://127.0.0.1:8001"
  },
  "cluster_manager": {
    "clusters": [
      {
        "name": "service_stats",
        "connect_timeout_ms": 250,
        "type": "logical_dns",
        "lb_type": "round_robin",
        "hosts": [
          {
            "url": "tcp://127.0.0.1:8001"
          }
        ]
      }
    ]
  }
}
```
@ofek

Owner Author

commented Mar 10, 2018

Problem: Currently, if you want to allow a non-localhost scraper to access /stats, you also give it access to other admin things like /quitquitquit.

Solution (from a Slack discussion):

Idea courtesy of @ggreenway
Config courtesy of @bndw

Create a listener/vhost that routes to the admin endpoint (Envoy connecting to itself), but only has a route for /stats; all other routes get a static/error response. Additionally, this allows nice integration with L3 filters for auth, for example.

@jmarantz


commented Mar 13, 2018

I like the idea of splitting off read-only vs read-write access to admin. I am not convinced that restricting r/w access to localhost is sufficient however.

@ofek

Owner Author

commented Apr 20, 2018

@junr03 has converted this to the v2 format:

```yaml
admin:
  access_log_path: /dev/null
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 8081
static_resources:
  listeners:
    - address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.http_connection_manager
              config:
                codec_type: AUTO
                stat_prefix: ingress_http
                route_config:
                  virtual_hosts:
                    - name: backend
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: /stats
                          route:
                            cluster: service_stats
                http_filters:
                  - name: envoy.router
                    config: {}
  clusters:
    - name: service_stats
      connect_timeout: 0.250s
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      hosts:
        - socket_address:
            protocol: TCP
            address: 127.0.0.1
            port_value: 8001
```
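The explicit "static/error response for all other routes" described in the first comment is not actually present in either config above, and the v2 version points the cluster at a different port than the admin listener. The v2 config below is an added example (not part of the gist or Envoy's own docs) that adds a catch-all deny route using `direct_response`, uses the same admin port on both sides (8001, an assumed value), and types the cluster `STATIC` because the upstream is a fixed loopback address; the vhost name `admin_readonly` is also chosen here.

```yaml
admin:
  access_log_path: /dev/null
  address:
    socket_address:
      address: 127.0.0.1   # admin stays loopback-only
      port_value: 8001     # assumed port; must match the cluster below
static_resources:
  listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.http_connection_manager
              config:
                codec_type: AUTO
                stat_prefix: ingress_http
                route_config:
                  virtual_hosts:
                    - name: admin_readonly
                      domains: ["*"]
                      routes:
                        # Routes are matched in order: only the stats path is
                        # proxied through to the loopback admin listener...
                        - match:
                            prefix: /stats
                          route:
                            cluster: service_stats
                        # ...and every other path (e.g. /quitquitquit) is answered
                        # by Envoy itself and never reaches the admin interface.
                        - match:
                            prefix: /
                          direct_response:
                            status: 403
                            body:
                              inline_string: "admin endpoint not exposed\n"
                http_filters:
                  - name: envoy.router
                    config: {}
  clusters:
    - name: service_stats
      connect_timeout: 0.250s
      type: STATIC             # upstream is a literal IP, no DNS needed
      lb_policy: ROUND_ROBIN
      hosts:
        - socket_address:
            address: 127.0.0.1
            port_value: 8001   # same port as the admin block above
```

Because prefix matching admits every admin path that begins with `/stats`, change the first match to `path: /stats` if the scraper only needs that exact endpoint.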
@justinlarose


commented Nov 30, 2018

Thanks for sharing the config! I tried it out and it works as expected! @ofek, is the last line supposed to be port 8081, if I'm not mistaken?
