External Authz filter is not rewriting Host and does not work for an Ext server behind LB #34175
Comments
Is this a bug, or a misconfiguration?
When clientMatcher is empty, the HOST will NOT be added to the client response: https://github.com/envoyproxy/envoy/blob/main/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc#L149-L150 You will need to configure something like allowed_client_headers / allowed_client_headers_on_success to enable this.
My problem is that the host is the client host and it is not rewritten. In the route we have the possibility to set auto_host_rewrite = true, and the request to the upstream will contain the destination host. Then, if the upstream is behind a LB, it will find the route.
@tyxia am I explaining the issue correctly?
For the grpc service there is a config to set the authority for the POST request to the server; probably we could add it to the http service case, and eventually copy the original :authority into another header if the server needs to use it.
@tyxia do you think it is a good idea to add a similar config for the http server type? If you do, I can submit a PR with a proposal for that.
Title: External Authz filter is not rewriting Host and does not work for an Ext server behind LB
Description:
When the filter is doing the request to the http external auth server, it copies all the original request headers (path is a special case: a prefix is added if it is set in the config).
If the external service is under a LB, Host is not rewritten and 404 is always returned.
My first thought was that HOST could be used during auth logic, but grpc is apparently not changing it.
Is this a misconfiguration? Am I missing something, or is a new config option needed in the filter to replace it and copy the original host into an x-original-host header or similar?
Repro steps:
Start envoy with config
make a call
Request to ext auth contains HOST: localhost:8088
server behind LB replies 404
Config:
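Added example, not part of the issue thread and not Envoy code: a small Python model of the behaviour the issue describes, where the check request keeps the client's Host and a host-routing load balancer answers 404, next to the rewrite proposed in the comments. The `rewrite_host` and `original_host_header` options, the name `authz.internal.example` and the routing table are assumptions made for illustration.

```python
"""Model of the ext_authz HTTP check request as described in the issue."""

# Constructed sample: virtual hosts known to the load balancer that sits
# in front of the authorization server.
LB_ROUTES = {"authz.internal.example": "ext-authz-backend"}


def build_check_request(client_headers, authz_host, path_prefix="",
                        rewrite_host=False,
                        original_host_header="x-original-host"):
    """Build the headers of the request sent to the authorization server.

    rewrite_host / original_host_header are hypothetical options that model
    the proposal in the thread; they are not existing Envoy fields.
    """
    # Per the issue text, the original request headers are copied as-is.
    headers = {k.lower(): v for k, v in client_headers.items()}
    # Path is the special case: the configured prefix is prepended.
    headers[":path"] = path_prefix + headers.get(":path", "/")
    if rewrite_host:
        client_host = headers.get("host")
        # Never trust a client-supplied copy of the preserved header:
        # drop it first, then set it from the real Host value only.
        headers.pop(original_host_header, None)
        if client_host is not None:
            headers[original_host_header] = client_host
        headers["host"] = authz_host
    return headers


def lb_route(headers):
    """Host-based routing: unknown virtual host means 404."""
    host = headers.get("host", "").split(":")[0].lower()
    backend = LB_ROUTES.get(host)
    return (200, backend) if backend else (404, None)


if __name__ == "__main__":
    # Constructed client request; Host value taken from the repro steps.
    client = {"Host": "localhost:8088", ":path": "/api",
              "X-Original-Host": "spoofed.example"}
    for rewrite in (False, True):
        req = build_check_request(client, "authz.internal.example",
                                  path_prefix="/check", rewrite_host=rewrite)
        print(rewrite, req["host"], req.get("x-original-host"), lb_route(req))
```

If the original host is preserved in a separate header, the authorization server should only read it from that header when the proxy is known to overwrite it, as the model does.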