envoy.client_ssl_auth plus ext_authz
```yaml
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
    filter_chains:
    - filters:
      - name: envoy.client_ssl_auth
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.client_ssl_auth.v2.ClientSSLAuth
          auth_api_cluster: "authn"
          stat_prefix: "authn"
          refresh_delay: 5s
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          use_remote_address: false
          # Don't trust clients, set 'x-forwarded-client-cert'
          forward_client_cert_details: SANITIZE_SET
          access_log:
            name: envoy.file_access_log
            config:
              path: "/var/log/envoy/access.log"
          http_filters:
          # Authz filter must come before router
          - name: envoy.ext_authz
            config:
              stat_prefix: authz
              http_service:
                server_uri:
                  uri: authz:8080
                  cluster: ext-authz
                  timeout: 0.25s
                # So that the Authz service has a trusted auth principal to work with
                # (e.g. extract the 'Hash' property to use for looking up principals)
                authorization_request:
                  allowed_headers:
                    patterns:
                    - exact: "x-forwarded-client-cert"
              # Deny requests when the authz service is down or slow
              failure_mode_allow: false
          - name: envoy.router
            typed_config: {}
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match: { prefix: "/public" }
                route: { cluster: public }
              - match: { prefix: "/private" }
                route: { cluster: private }
          tracing:
            operation_name: ingress
      tls_context:
        common_tls_context:
          alpn_protocols: "h2,http/1.1"
          validation_context:
            trusted_ca:
              # All client certs must be in the trust chain
              filename: "/etc/envoy/CA.pem"
          tls_certificates:
            certificate_chain:
              filename: "/etc/envoy/server.pem"
            private_key:
              filename: "/etc/envoy/server.key"
  clusters:
  - name: public
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    load_assignment:
      cluster_name: public
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: public.api
                port_value: 8080
  - name: private
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    load_assignment:
      cluster_name: private
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: private.api
                port_value: 8080
  - name: ext-authz
    connect_timeout: 0.25s
    type: logical_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: authz
                port_value: 8080
  - name: authn
    connect_timeout: 0.25s
    type: logical_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: authn
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: authn
                port_value: 8080
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901
```
```json
{
  "certificates": [
    {
      "fingerprint_sha256": "360458fd929de8b0ffc2a93fcc034f391bd78af2fdd9f071b56dc524608c3290"
    },
    {
      "fingerprint_sha256": "204e569af575fe96f0ab570d4307cc2b4658689b83f6e336f20d367f04922b15"
    }
  ]
}
```
@tonybaines
Author

Gotchas

  • SHA256 digests for certificates MUST be lowercase and not colon-separated
  • Any client certificates must be in the trust chain of the tls_context trusted_ca or they won't get as far as envoy.client_ssl_auth
  • Envoy logging (as of 1.11.2) doesn't indicate failures; untrusted certificates result in an early termination of the SSL negotiation with no content.
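As an added example (not the gist's own code), a stdlib-only Python sketch of the two services the config points at: the approved-certificate list the `authn` cluster returns to `envoy.client_ssl_auth`, with the digest normalisation the first gotcha calls for, and an `ext_authz` decision that reads the `Hash` property out of the `x-forwarded-client-cert` header Envoy writes under `SANITIZE_SET`. The `/v1/certs/list/approved` path is the one Envoy's client_ssl_auth filter polls per its documentation; the function names, the 403 reasons and the SPIFFE URI used in the sample header are assumptions.

```python
# Hypothetical helpers (stdlib only) for the authn and ext_authz services; not from the gist.

def normalize_fingerprint(fp: str) -> str:
    """Envoy matches lowercase hex with no colons (the first gotcha above)."""
    fp = fp.strip().replace(":", "").lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return fp

def approved_certs_response(fingerprints) -> dict:
    """Body for GET /v1/certs/list/approved, which envoy.client_ssl_auth
    fetches from the 'authn' cluster every refresh_delay (5s above)."""
    return {"certificates": [{"fingerprint_sha256": normalize_fingerprint(f)}
                             for f in fingerprints]}

def _split_unquoted(s: str, sep: str) -> list:
    """Split on sep, ignoring separators inside double quotes (Subject DNs contain commas)."""
    parts, buf, quoted = [], "", False
    for ch in s:
        quoted ^= ch == '"'
        if ch == sep and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p for p in parts + [buf] if p.strip()]

def parse_xfcc(header: str) -> list:
    """x-forwarded-client-cert -> one dict per certificate element (nearest hop last)."""
    certs = []
    for element in _split_unquoted(header, ","):
        cert = {}
        for pair in _split_unquoted(element, ";"):
            key, _, value = pair.strip().partition("=")
            cert[key] = value[1:-1] if value.startswith('"') else value
        certs.append(cert)
    return certs

def authorize(headers: dict, approved: set) -> tuple:
    """ext_authz HTTP decision: 200 allows, anything else denies. Only allowed_headers
    reach us, and SANITIZE_SET means Envoy (not the client) wrote the XFCC value."""
    xfcc = headers.get("x-forwarded-client-cert")
    if not xfcc:
        return 403, "no client certificate"
    try:
        peer_hash = normalize_fingerprint(parse_xfcc(xfcc)[-1].get("Hash", ""))
    except ValueError:
        return 403, "malformed client certificate hash"
    if peer_hash not in approved:
        return 403, f"unknown principal {peer_hash}"
    return 200, f"principal {peer_hash} approved"
```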
