Envoy External Authorization

This repository demonstrates how to use Envoy proxy with an external authorization service.

Install, build and run

To install the project, follow these steps:

1. Clone the repository:

   git clone https://github.com/ferencsarai/envoy-auth

2. Change into the project directory:

   cd envoy-auth

3. Build the project using Docker Compose:

   docker-compose build

4. To run the project, use the following command:

   docker-compose up

Usage

Once the project is running, you can send requests to http://localhost:8000 with the User-Agent: Chrome header to get a successful response. Requests with any other User-Agent header will result in a 403 status code.

• Not allowed (403):

  curl -v -A "sfjs" http://localhost:8000

• Allowed (200) - this will return a response from the echo service http-echo:

  curl -v -A "Chrome" http://localhost:8000

How it works

The project utilizes three containers from the docker-compose file.

1. Envoy proxy
2. External authorization service (Ruby script)
3. Service (http-echo)

Request flow

1. The client sends a request to Envoy proxy.
2. Envoy proxy forwards the request to the external authorization service.
3. The external authorization service checks the User-Agent header.
   • If the User-Agent contains Chrome, it returns 200.
   • If the User-Agent does not contain Chrome, it returns 403.
4. Envoy proxy forwards the request to the service if 200 is returned. Otherwise, it returns 403 to the client without forwarding the request to the service.

Configuration

Envoy proxy configuration: envoy.yaml